RemcosRAT Distributed Using Steganography
AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.
The RTF file downloads a VBScript with the “.jpg” file extension from the C2 and another VBScript from “paste.ee”, a service similar to “Pastebin” where one can upload text for free.
The downloaded VBScript is obfuscated with many special characters and ultimately executes a PowerShell script through Replace.
This PowerShell script downloads an image uploaded to an external source. The image file contains the data encoded in Base64 behind “FF D9” which denotes the end (footer) of the jpg file. It then loads the data between the strings “<<BASE64 START>>” and “BASE64_END” to decode it in Base64. The decoded data is “.NET DLL” which is given 6 arguments and executed through reflective code loading.
The script downloads an additional file from the C2 given as an argument and creates RegAsm.exe as a child process to execute it through the process hollowing technique. RemcosRAT is the ultimately executed process.
Because Remcos RAT is distributed in many ways including spam emails and under the guise of crack software download links, users are advised to practice particular caution. In addition, they must update V3 to the latest version to prevent malware infection in advance.
File Detection
Downloader/VBS.Agent.SC199181 (2024.04.19.00)
Data/BIN.Encoded (2024.04.18.03)
Downloader/VBS.Agent.SC198254 (2024.03.19.03)
RTF/Malform-A.Gen (2024.03.19.01)
Behavior Detection
Execution/MDP.Powershell.M2514
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.
