Posted By ,

RemcosRAT Distributed Using Steganography

AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.

Figure 1. A Word document containing an external link

The RTF file downloads a VBScript with the “.jpg” file extension from the C2 and another VBScript from “paste.ee”, a service similar to “Pastebin” where one can upload text for free.

Figure 2. VBScript downloaded by the RTF file

The downloaded VBScript is obfuscated with many special characters and ultimately executes a PowerShell script through Replace.

Figure 3. The obfuscated script (eh1G4)

This PowerShell script downloads an image uploaded to an external source. The image file contains the data encoded in Base64 behind “FF D9” which denotes the end (footer) of the jpg file. It then loads the data between the strings “<<BASE64 START>>” and “BASE64_END” to decode it in Base64. The decoded data is “.NET DLL” which is given 6 arguments and executed through reflective code loading.

Figure 4. The PowerShell script downloading a steganography image
Figure 5. The Base64-encoded data contained in a normal image file

The script downloads an additional file from the C2 given as an argument and creates RegAsm.exe as a child process to execute it through the process hollowing technique. RemcosRAT is the ultimately executed process.

Figure 6. RemcosRAT executed through process hollowing

Because Remcos RAT is distributed in many ways including spam emails and under the guise of crack software download links, users are advised to practice particular caution. In addition, they must update V3 to the latest version to prevent malware infection in advance.

File Detection
Downloader/VBS.Agent.SC199181 (2024.04.19.00)
Data/BIN.Encoded (2024.04.18.03)
Downloader/VBS.Agent.SC198254 (2024.03.19.03)
RTF/Malform-A.Gen (2024.03.19.01)

Behavior Detection
Execution/MDP.Powershell.M2514

MD5s
FDFD9E702F54E28DC2CA5F7C04BF1C8F
F5A49410D9EA23DC2CF67D7D3BA8FAD0
C7603F1DA9D5EBB35076F285EB374BA6
6605B28A03EA7CAA3A40451CBBC75034
B06FE78AAD12F615595040308AFFC0D8

C2s
hxxp://ur8ly.com/asy2xrhxxps://paste.ee/dEh1G4
107.175.31[.]187
192.210.201[.]57:52748

Reference
1) https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,,,

0 0 votes
Article Rating
Subscribe
Notify of
guest

4 Comments
Inline Feedbacks
View all comments
trackback
RemcosRAT Distributed Using Steganography - TQT Group
11 days ago

[…] post RemcosRAT Distributed Using Steganography appeared first on ASEC […]

0
Reply
Zascan
Zascan
11 days ago

Where is the steganography part? You talk about code after the image end tag of an jpg, but that’s not steganography, that’s just format abuse.

Last edited 11 days ago by Zascan
0
Reply
trackback
Hackers Employing Steganography Methods to Deliver Notorious RemcosRAT – ZBM Security News
11 days ago

[…] AhnLab Security Intelligence Centre (ASEC) has recently found that steganography is being used to spread […]

0
Reply