AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.
The RTF file downloads a VBScript with the “.jpg” file extension from the C2 and another VBScript from “paste.ee”, a service similar to “Pastebin” where one can upload text for free.
The downloaded VBScript is obfuscated with many special characters and ultimately executes a PowerShell script through Replace.
This PowerShell script downloads an image uploaded to an external source. The image file contains the data encoded in Base64 behind “FF D9” which denotes the end (footer) of the jpg file. It then loads the data between the strings “<<BASE64 START>>” and “BASE64_END” to decode it in Base64. The decoded data is “.NET DLL” which is given 6 arguments and executed through reflective code loading.
The script downloads an additional file from the C2 given as an argument and creates RegAsm.exe as a child process to execute it through the process hollowing technique. RemcosRAT is the ultimately executed process.
Because Remcos RAT is distributed in many ways including spam emails and under the guise of crack software download links, users are advised to practice particular caution. In addition, they must update V3 to the latest version to prevent malware infection in advance.
File Detection
Downloader/VBS.Agent.SC199181 (2024.04.19.00)
Data/BIN.Encoded (2024.04.18.03)
Downloader/VBS.Agent.SC198254 (2024.03.19.03)
RTF/Malform-A.Gen (2024.03.19.01)
Behavior Detection
Execution/MDP.Powershell.M2514
MD5s
FDFD9E702F54E28DC2CA5F7C04BF1C8F
F5A49410D9EA23DC2CF67D7D3BA8FAD0
C7603F1DA9D5EBB35076F285EB374BA6
6605B28A03EA7CAA3A40451CBBC75034
B06FE78AAD12F615595040308AFFC0D8
C2s
hxxp://ur8ly.com/asy2xrhxxps://paste.ee/dEh1G4
107.175.31[.]187
192.210.201[.]57:52748
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information
[…] post RemcosRAT Distributed Using Steganography appeared first on ASEC […]
Where is the steganography part? You talk about code after the image end tag of an jpg, but that’s not steganography, that’s just format abuse.
[…] AhnLab Security Intelligence Centre (ASEC) has recently found that steganography is being used to spread […]
[…] Reference: https://asec.ahnlab.com/en/65111/ […]