Remcos RAT Distributed as UUEncoding (UUE) File

AhnLab SEcurity intelligence Center (ASEC) recently discovered that Remcos RAT is being distributed via UUEncoding (UUE) files generated with Power Archiver.

The figure below shows a phishing email distributing the Remcos RAT downloader. The emails are disguised as correspondence about import/export shipments or quotations, so recipients should treat such messages with suspicion.

1. UUE

The threat actor distributes a VBS script encoded with the UUE method as an email attachment. UUE, short for Unix-to-Unix Encoding (uuencode), was originally used to exchange binary data between Unix systems over text-only channels by encoding it as printable ASCII.

A UUE file consists of a "begin" header line (carrying the file mode and filename), the encoded data lines, and an "end" trailer line. The threat actor appears to have used UUE to bypass attachment filters that do not decode the format. Decoding the file yields an obfuscated VBS script (see Figure 3).
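
To show what an attachment scanner must do with this format, the following is an added example written for this post (not ASEC's tooling): it decodes a UUE file by hand from the begin/data/end structure described above, cross-checks the result against the standard library's line decoder, and flags an attachment whose begin line or decoded payload looks like a script. The sample attachment, its filename, the extension deny-list and the keyword list are all constructed for the example and are not taken from the actual sample.

```python
import binascii
import re

# Attachment extensions treated as executable content when they appear in the
# uuencode "begin" line.  Assumption for the example, not a list from the report.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".exe", ".scr", ".bat", ".cmd")

# "begin <octal mode> <filename>" header line.
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")


def uu_decode_line(line):
    """Decode one uuencoded body line by hand: first char = 32 + byte count,
    then groups of four 6-bit chars (value = (ord(c) - 32) & 0x3F) per 3 bytes."""
    n = (ord(line[0]) - 32) & 0x3F
    if n == 0:                      # "`" (or " ") terminator line carries no data
        return b""
    need = ((n + 2) // 3) * 4       # encoded chars required for n bytes
    body = line[1:].ljust(need)     # some encoders strip trailing spaces; restore them
    out = bytearray()
    for i in range(0, need, 4):
        v = [(ord(c) - 32) & 0x3F for c in body[i:i + 4]]   # '`' and ' ' both map to 0
        out.append(((v[0] << 2) | (v[1] >> 4)) & 0xFF)
        out.append(((v[1] << 4) | (v[2] >> 2)) & 0xFF)
        out.append(((v[2] << 6) | v[3]) & 0xFF)
    return bytes(out[:n])           # drop padding bytes from the last group


def uu_decode(text):
    """Parse a whole UUE file; returns (mode, filename, data)."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if BEGIN_RE.match(l)), None)
    if start is None:
        raise ValueError("no 'begin' header line")
    mode, name = BEGIN_RE.match(lines[start]).groups()
    data = bytearray()
    for line in lines[start + 1:]:
        if line.rstrip() == "end":
            return mode, name, bytes(data)
        if line:
            data += uu_decode_line(line)
    raise ValueError("no 'end' trailer line")


def triage(text):
    """Decode a UUE attachment and report why a mail gateway should hold it."""
    mode, name, data = uu_decode(text)
    findings = []
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append("script/executable filename in begin line: " + name)
    head = data[:4096].decode("latin-1").lower()
    # Keyword list is an assumption; real scanners would hand the payload to a script engine/AV.
    if re.search(r"createobject|wscript\.shell|\bexecute\b|chr\(|powershell", head):
        findings.append("decoded payload contains script execution keywords")
    return {"mode": mode, "filename": name, "size": len(data), "findings": findings}


def build_sample_uue(filename="Shipment_Quotation.vbs"):
    """Constructed attachment for the example: a harmless VBS stub uuencoded with
    the standard library and wrapped in begin/end lines.  Not the real sample."""
    vbs = (b'Set s = CreateObject("WScript.Shell")\r\n'
           b"' constructed stand-in for the obfuscated downloader\r\n")
    lines = ["begin 644 " + filename]
    for i in range(0, len(vbs), 45):             # uuencode lines hold at most 45 bytes
        lines.append(binascii.b2a_uu(vbs[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n", vbs


def cross_check(text):
    """True if the hand-written line decoder agrees with binascii.a2b_uu on every data line."""
    data_lines = text.splitlines()[1:-2]         # skip begin, "`" terminator and end
    return all(uu_decode_line(l) == binascii.a2b_uu(l) for l in data_lines)


if __name__ == "__main__":
    sample, _ = build_sample_uue()
    print(sample)
    print(triage(sample))
```

The decoder deliberately tolerates the two things real-world UUE producers disagree on: whether zero-valued groups are written as backtick or space, and whether trailing spaces are kept. A filter that only checks the attachment's own extension (.uue) never sees the .vbs named in the begin line, which is the gap this sample exploits.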

2. Downloader

The VBS script writes a PowerShell script to the %Temp% directory as Talehmmedes.txt and runs it. That script accesses hxxp://194.59.30[.]90/Isocarbostyril.u32, saves the download as Haartoppens.Eft in the %AppData% directory, and runs a further PowerShell script.

This additional PowerShell script is also obfuscated to hinder analysis; its main function is to inject shellcode into the wab.exe (Windows Address Book) process.

The shellcode adds a registry entry to maintain persistence, then accesses hxxp://194.59.30[.]90/mtzDpHLetMLypaaA173.bin to load additional data. Ultimately, Remcos RAT is executed.

3. Remcos RAT

The malware queries hxxp://geoplugin[.]net/json.gp to collect geolocation information about the infected system. It saves keylogging data as mifvghs.dat in the %AppData% directory and sends the data to the C&C server.

[C&C Servers]

  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0
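
To give the chain in sections 2 and 3 a detection counterpart, the following added example (written for this post, not ASEC's code) runs one rule per stage over a constructed, Sysmon-style event list that mirrors the reported sequence: a script host spawning PowerShell, PowerShell dropping files under %Temp%/%AppData%, PowerShell starting wab.exe, wab.exe making network connections, and the file and network indicators from the report. The event field names, file paths and the "wab.exe should not talk to the network" heuristic are assumptions for the example; the file names and network indicators are the ones published above, written undefanged so they match raw log fields.

```python
import re

# Indicators from the report.  The C&C entries carry ":port:flag" suffixes,
# which are dropped here; geoplugin.net is the geolocation lookup the RAT performs.
NETWORK_IOCS = {
    "194.59.30.90",
    "frabyst44habvous1.duckdns.org",
    "frabyst44habvous2.duckdns.org",
    "geoplugin.net",
}
FILE_IOCS = {"talehmmedes.txt", "haartoppens.eft", "mifvghs.dat"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# %Temp% and %AppData% as they appear in full Windows paths.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply one rule per stage of the chain; returns (rule_name, event_index) pairs."""
    alerts = []
    for i, ev in enumerate(events):
        image = basename(ev.get("image", ""))
        if ev["type"] == "process_create":
            parent = basename(ev.get("parent_image", ""))
            if parent in SCRIPT_HOSTS and image == "powershell.exe":   # VBS -> PowerShell
                alerts.append(("script_host_spawns_powershell", i))
            if parent == "powershell.exe" and image == "wab.exe":      # injection host
                alerts.append(("powershell_spawns_wab_exe", i))
        elif ev["type"] == "file_create":
            target = ev.get("target", "")
            if (image == "powershell.exe" and USER_WRITABLE.search(target)
                    and not target.lower().endswith(".ps1")):
                alerts.append(("powershell_drops_file_in_user_dir", i))
            if basename(target) in FILE_IOCS:
                alerts.append(("report_file_ioc", i))
        elif ev["type"] == "network_connect":
            if ev.get("dest", "").lower() in NETWORK_IOCS:
                alerts.append(("report_network_ioc", i))
            if image == "wab.exe":   # assumption: wab.exe has no reason to reach the internet here
                alerts.append(("wab_exe_network_activity", i))
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    counts = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed telemetry (not real logs) following the order described in the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
WAB = r"C:\Program Files\Windows Mail\wab.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WS, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "file_create", "image": WS, "target": r"C:\Users\u\AppData\Local\Temp\Talehmmedes.txt"},
    {"type": "process_create", "image": PS, "parent_image": WS},
    {"type": "network_connect", "image": PS, "dest": "194.59.30.90", "dest_port": 80},
    {"type": "file_create", "image": PS, "target": r"C:\Users\u\AppData\Roaming\Haartoppens.Eft"},
    {"type": "process_create", "image": WAB, "parent_image": PS},
    {"type": "network_connect", "image": WAB, "dest": "194.59.30.90", "dest_port": 80},
    {"type": "network_connect", "image": WAB, "dest": "geoplugin.net", "dest_port": 80},
    {"type": "file_create", "image": WAB, "target": r"C:\Users\u\AppData\Roaming\mifvghs.dat"},
    {"type": "network_connect", "image": WAB, "dest": "frabyst44habvous1.duckdns.org", "dest_port": 2980},
    # benign noise that must not fire
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:36s} event #{idx}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The indicator rules are the cheapest to write and the first to go stale once the actor rotates the dynamic DNS names; the behavioural rules (script host spawning PowerShell, PowerShell dropping non-script files in user-writable directories, and an unexpected network-active wab.exe) survive that rotation and are the ones worth keeping.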

Users should refrain from opening emails from unknown sources and should not run attachments or enable macros in downloaded documents. In this case the attachment is a script rather than a document, so it should simply not be opened. If the document program's security level is set low, macros may run automatically without any notification, so the security level should be kept high to prevent unintended features from running.

We also recommend that users keep their anti-malware engine signatures updated to the latest version.

AhnLab's anti-malware product, V3, detects and blocks the malicious files introduced in this post under the aliases below.

[File Detection]

Downloader/VBS.Agent (2024.05.17.01)
Data/BIN.Encoded (2024.05.24.00)

MD5

7e6ca4b3c4d1158f5e92f55fa9742601
b066e5f4a0f2809924becfffa62ddd3b
eaec85388bfaa2cffbfeae5a497124f0
fd14369743f0ccd3feaacca94d29a2b1

Related IOCs and detailed analysis are available to AhnLab TIP subscribers.