Remcos RAT Malware Disguised as Major Carrier’s Waybill
AhnLab SEcurity intelligence Center (ASEC) has recently discovered Remcos malware disguised as a waybill from a major shipping company. This article details the distribution flow, from the HTML attachment through the JavaScript and AutoIt scripts to the execution of the final Remcos payload.
Figure 1 shows the original email with an HTML file attached. When the HTML file is opened and the Download button is clicked, the 747031500 D747031500_A.js file is downloaded, as shown in Figure 2. The download URL, however, uses the “blob:” scheme, meaning the file is not fetched from an external server. Figure 3 shows the encoded malicious JavaScript embedded in the HTML being decoded and turned into a Blob object; the 747031500 D747031500_A.js file is assembled entirely inside the browser (the technique known as HTML smuggling), so no download request ever crosses the network for a proxy or mail gateway to inspect.

Figure 1. Malicious email distributed

Figure 2. HTML file attached to the email

Figure 3. Code of the HTML file attached to the email
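The blob-based delivery above can be triaged statically: an HTML attachment that carries a long base64 literal, decodes it with atob(), wraps it in a Blob and hands it to the user through URL.createObjectURL (or the legacy msSaveOrOpenBlob) is assembling a file in the browser. The following Python is an added example, not code from the article or from ASEC; the sample HTML, the dropper text it embeds and the file name it uses are constructed to mirror the technique, and the indicator list is a starting point rather than a complete signature.

```python
import base64
import binascii
import re

# Constructed sample modelled on the attachment described above (it is not the real file).
# The dropper is stored as a base64 literal, decoded with atob(), wrapped in a Blob and offered
# through a blob: URL, so the browser never issues a request that a gateway could inspect.
PAYLOAD = b"var x = 'dummy';\nWScript.Echo('dropper body would run here');\n"

SAMPLE_TEMPLATE = """<html><body>
<button id="dl">Download</button>
<script>
var name = "747031500 D747031500_A.js";
var data = "__B64__";
document.getElementById("dl").onclick = function () {
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = name;
  a.click();
};
</script></body></html>"""
SAMPLE_HTML = SAMPLE_TEMPLATE.replace("__B64__", base64.b64encode(PAYLOAD).decode("ascii"))

# Static indicators of in-browser file assembly. None is malicious on its own; the combination
# of a Blob, an object URL (or the legacy msSaveOrOpenBlob) and an embedded payload is.
INDICATORS = {
    "blob_object": r"\bnew\s+Blob\s*\(",
    "object_url": r"\bURL\.createObjectURL\s*\(",
    "ms_save_blob": r"\bmsSaveOrOpenBlob\b",
    "atob": r"\batob\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*[\"']",
}


def find_indicators(html: str) -> list[str]:
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, html)]


def resolve_js_string(html: str, expr: str):
    """Return the value of a quoted literal or of a simple var/let/const assignment."""
    expr = expr.strip().rstrip(";").strip()
    m = re.fullmatch(r"""["']([^"']*)["']""", expr)
    if m:
        return m.group(1)
    m = re.search(r"""\b(?:var|let|const)\s+%s\s*=\s*["']([^"']*)["']""" % re.escape(expr), html)
    return m.group(1) if m else None


def find_download_name(html: str):
    """File name the smuggled blob will be saved as (a.download = ... or <a download="...">)."""
    m = re.search(r"\.download\s*=\s*([^;]+);", html)
    if m:
        return resolve_js_string(html, m.group(1))
    m = re.search(r"""\bdownload\s*=\s*["']([^"']+)["']""", html)
    return m.group(1) if m else None


def extract_base64_payloads(html: str, min_len: int = 40) -> list[bytes]:
    """Decode every long base64-looking string literal; those are the candidate payloads."""
    payloads = []
    for m in re.finditer(r"""["']([A-Za-z0-9+/]{%d,}={0,2})["']""" % min_len, html):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True))
        except (binascii.Error, ValueError):
            continue
    return payloads


def analyze_html(html: str) -> dict:
    indicators = find_indicators(html)
    payloads = extract_base64_payloads(html)
    builds_blob = "blob_object" in indicators and (
        "object_url" in indicators or "ms_save_blob" in indicators)
    return {
        "indicators": indicators,
        "filename": find_download_name(html),
        "payloads": payloads,
        "smuggling": builds_blob and bool(payloads),
    }


if __name__ == "__main__":
    report = analyze_html(SAMPLE_HTML)
    print("smuggling:", report["smuggling"], "filename:", report["filename"])
    for blob in report["payloads"]:
        print(blob.decode("utf-8", "replace"))
```

Run it against a suspicious attachment to recover the dropped file name and the decoded payload without opening the HTML in a browser. Real samples often split or reverse the base64 string, or XOR the bytes after atob(), so treat a hit on the Blob/object-URL pair with no decodable payload as a reason to look harder, not as a clean result.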
Figure 4 shows the JavaScript file (747031500 D747031500_A.js) created by the HTML file. Most of it is dummy code inserted for obfuscation and unrelated to the malicious behavior.

Figure 4. Obfuscated JavaScript (747031500 D747031500_A.js)
Figure 5 shows the code that performs the actual malicious behavior once the dummy code is stripped out. When executed, it creates and downloads several files (knkfcutogchunsg.bls, wtine.amv, kmwdx.txt, fdilfn.dll), as shown in Figure 6; their roles are listed in Table 1. After creating the files, it runs the legitimate AutoIt loader (kmwdx.txt) with the malicious AutoIt script (fdilfn.dll) passed as its argument. Note the extension swap: the loader is a genuine AutoIt executable saved with a .txt extension, and the script is saved with a .dll extension, so neither file looks like what it is.
| File name | Role |
| --- | --- |
| knkfcutogchunsg.bls | Configuration file (specifies where the malware is created, the Run key name, and the name of the file created) |
| wtine.amv | Encoded Remcos malware binary |
| kmwdx.txt | Legitimate AutoIt loader (EXE) |
| fdilfn.dll | Malicious AutoIt script |
Table 1. Roles of the files created by the JavaScript

Figure 5. Decrypted JavaScript (747031500 D747031500_A.js)

Figure 6. The executable file created by JavaScript

Figure 7. Configuration file (knkfcutogchunsg.bls) used to execute malware
Figure 8 shows the malicious AutoIt script (fdilfn.dll), which is padded with obfuscating dummy code unrelated to its actual behavior.

Figure 8. Obfuscated malicious AutoIt script (fdilfn.dll)
Figures 9 through 13 show the features of the decrypted AutoIt script. Figure 9 shows the check that terminates the script when a specific anti-malware process is running. There is also code that terminates the script when the user name is “John”, a check aimed at analysis environments.

Figure 9. Malicious AutoIt script features (terminates upon detecting an anti-malware program or a specific user name)
Figure 10 shows the auto-run registration used for persistence. As shown in Figure 11, the command that launches the malicious AutoIt script (fdilfn.dll) through the legitimate AutoIt loader, disguised as kmwdxt.txt.exe, is registered under the autorun (Run) registry key. The double extension is the tell: a file ending in .txt.exe is an executable regardless of what Explorer shows when known extensions are hidden.

Figure 10. Malicious AutoIt script feature (maintaining persistence through auto-execution registration)

Figure 11. Auto-execution registration (malicious AutoIt launch command)
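The Run-key entry in Figure 11 has three properties an incident responder can score without knowing the file names in advance: the executable carries a decoy double extension, it lives in a user-writable directory, and it is handed a non-executable file as its first argument (the script-as-argument pattern of a renamed AutoIt loader). The Python below is an added example, not the article's or ASEC's code, and it works on an exported .reg file rather than on the live registry. The file names kmwdxt.txt.exe and fdilfn.dll come from the article; the value name "Updater", the AppData\Roaming location and the OneDrive entry are assumptions added so the triage has both a true and a false positive to score.

```python
import re

# Constructed .reg export of the HKCU Run key. kmwdxt.txt.exe and fdilfn.dll are the names given
# in the article; the value name "Updater", the AppData\Roaming location and the OneDrive entry
# are assumptions added so the triage has both a true and a false positive to work on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\victim\\AppData\\Roaming\\kmwdxt.txt.exe\" C:\\Users\\victim\\AppData\\Roaming\\fdilfn.dll"
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "mp3", "mp4"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}
SCRIPT_ARG_EXTS = {"dll", "txt", "dat", "bin", "log", "a3x", "au3"}   # script-as-argument pattern
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}                            # legitimately take a .dll


def unescape_reg(value: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_run_values(reg_text: str) -> list[tuple[str, str]]:
    """Collect (value name, command line) pairs found under any ...\\CurrentVersion\\Run key."""
    entries, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            entries.append((unescape_reg(m.group(1)), unescape_reg(m.group(2))))
    return entries


def split_command(cmd: str) -> tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def has_double_extension(exe: str) -> bool:
    parts = basename(exe).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def in_user_writable_path(exe: str) -> bool:
    return re.search(r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", exe, re.I) is not None


def takes_script_argument(exe: str, args: str) -> bool:
    if not args:
        return False
    first = args.split()[0].strip('"')
    ext = first.rsplit(".", 1)[-1].lower() if "." in basename(first) else ""
    return ext in SCRIPT_ARG_EXTS and basename(exe).lower() not in DLL_HOSTS


def triage_run_keys(reg_text: str, threshold: int = 2) -> list[dict]:
    """Score each Run value; a single heuristic is too noisy (OneDrive lives in AppData too)."""
    findings = []
    for name, cmd in parse_run_values(reg_text):
        exe, args = split_command(cmd)
        checks = (
            ("double_extension", has_double_extension(exe)),
            ("user_writable_path", in_user_writable_path(exe)),
            ("script_argument", takes_script_argument(exe, args)),
        )
        hits = [label for label, fired in checks if fired]
        findings.append({"name": name, "exe": exe, "args": args,
                         "hits": hits, "suspicious": len(hits) >= threshold})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["name"], f["hits"])
```

Export the key with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and feed the file to triage_run_keys(). The threshold matters: OneDrive and many updaters legitimately start from AppData, so "user-writable path" alone should only raise the score, while a decoy double extension combined with a script-looking argument is enough on its own to pull the files for analysis.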
Figures 12 and 13 show the script decoding the encoded Remcos binary (wtine.amv) and then executing shellcode.

Figure 12. Malicious AutoIt script feature (decoding wtine.amv to obtain the Remcos binary)

Figure 13. Malicious AutoIt script executing shellcode
Figure 14 shows the part of the shellcode that launches a legitimate process, RegSvcs.exe, to serve as the injection target (CreateProcessW). It then injects the Remcos binary using the API sequence in Table 2. This is the classic process hollowing pattern: the original image is unmapped from the newly created process (ZwUnmapViewOfSection), memory is allocated and the payload written in its place (VirtualAllocEx, WriteProcessMemory), the main thread’s context is rewritten so that execution starts at the payload’s entry point (GetThreadContext, SetThreadContext), and the thread is finally resumed (ResumeThread), which implies the process was created suspended. To the operating system the result is a RegSvcs.exe process whose code is entirely Remcos.

Figure 14. Shellcode feature: Remcos injected into a legitimate process (RegSvcs.exe)
| APIs used in injection (in call order) |
| --- |
| CreateProcessW -> RtlMoveMemory -> ZwUnmapViewOfSection -> VirtualAllocEx -> WriteProcessMemory -> RtlMoveMemory -> GetThreadContext -> SetThreadContext -> ResumeThread |
Table 2. Order of APIs used in injection
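The API order in Table 2 is the behavioural signature of process hollowing, and it can be matched against a sandbox or EDR API trace as an ordered subsequence per calling process. The Python below is an added example, not code from the article or from ASEC. Beyond what the table states, it requires the CreateProcessW call to carry CREATE_SUSPENDED (a child that is already running cannot be hollowed in this way) and accepts the Nt* spelling of ZwUnmapViewOfSection, since both names are the same ntdll export. The "pid=<caller> Api(arg=value, ...) -> result" trace layout is an assumption made for the example, as are the handles, addresses and sizes in the two constructed traces.

```python
import re

# Process hollowing signature taken from the API order in Table 2. RtlMoveMemory is not part of
# the required order: it is an in-process memcpy that shows up in nearly every trace and would
# only add noise. Nt*/Zw* names are the same ntdll exports, so both spellings are accepted.
HOLLOWING_SEQUENCE = [
    "CreateProcessW", "ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread",
]
ALIASES = {"NtUnmapViewOfSection": "ZwUnmapViewOfSection", "CreateProcessA": "CreateProcessW"}
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; hollowing needs the target parked here

# Constructed trace in an assumed "pid=<caller> Api(arg=value, ...) -> result" layout. It is not
# the output of any particular sandbox; adapt parse_call() to the one you use.
HOLLOWING_TRACE = r"""
pid=4120 CreateProcessW(lpApplicationName="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", dwCreationFlags=0x4) -> pid=5208
pid=4120 RtlMoveMemory(Destination=0x01b3e000, Length=0x38)
pid=4120 ZwUnmapViewOfSection(ProcessHandle=0x2c4, BaseAddress=0x00400000)
pid=4120 VirtualAllocEx(hProcess=0x2c4, lpAddress=0x00400000, dwSize=0x6a000, flProtect=0x40)
pid=4120 WriteProcessMemory(hProcess=0x2c4, lpBaseAddress=0x00400000, nSize=0x400)
pid=4120 RtlMoveMemory(Destination=0x01b3e100, Length=0xf8)
pid=4120 WriteProcessMemory(hProcess=0x2c4, lpBaseAddress=0x00401000, nSize=0x5c000)
pid=4120 GetThreadContext(hThread=0x2c8)
pid=4120 SetThreadContext(hThread=0x2c8)
pid=4120 ResumeThread(hThread=0x2c8)
"""

# A normal child launch: not suspended, no unmap, so the same calls never line up.
BENIGN_TRACE = r"""
pid=2212 CreateProcessW(lpApplicationName="C:\Windows\System32\notepad.exe", dwCreationFlags=0x0) -> pid=2300
pid=2212 WriteProcessMemory(hProcess=0x1a0, lpBaseAddress=0x7ff6c0001000, nSize=0x10)
pid=2212 ResumeThread(hThread=0x1a4)
"""

CALL_RE = re.compile(r"^pid=(\d+)\s+(\w+)\((.*)\)(?:\s*->\s*(.*))?$")


def parse_call(line: str):
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    pid, api, raw_args, result = m.groups()
    args = {}
    for part in raw_args.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            args[key.strip()] = value.strip().strip('"')
    return {"pid": int(pid), "api": ALIASES.get(api, api), "args": args, "result": result}


def detect_hollowing(trace_lines) -> list[dict]:
    """Walk each caller's calls in order; report callers that complete the whole sequence."""
    progress = {}  # caller pid -> {"stage", "evidence", "target"}
    for line in trace_lines:
        call = parse_call(line)
        if call is None:
            continue
        st = progress.setdefault(call["pid"], {"stage": 0, "evidence": [], "target": None})
        if st["stage"] == len(HOLLOWING_SEQUENCE) or call["api"] != HOLLOWING_SEQUENCE[st["stage"]]:
            continue
        if call["api"] == "CreateProcessW":
            flags = int(call["args"].get("dwCreationFlags", "0"), 16)
            if not flags & CREATE_SUSPENDED:
                continue  # a child that is already running cannot be hollowed this way
            st["target"] = call["args"].get("lpApplicationName") or call["args"].get("lpCommandLine")
        st["evidence"].append(call["api"])
        st["stage"] += 1
    return [{"pid": pid, "target": st["target"], "evidence": st["evidence"]}
            for pid, st in progress.items() if st["stage"] == len(HOLLOWING_SEQUENCE)]


if __name__ == "__main__":
    for hit in detect_hollowing(HOLLOWING_TRACE.splitlines()):
        print(f"process hollowing by pid {hit['pid']} into {hit['target']}")
    print("benign trace hits:", detect_hollowing(BENIGN_TRACE.splitlines()))
```

Matching as a subsequence rather than as an exact run is deliberate: the loader interleaves its own RtlMoveMemory calls and may write the payload in several WriteProcessMemory chunks, and a trace from a real sandbox will carry other noise between the stages. The flip side is that the check says nothing about the target image itself; pairing a hit with the name of the hollowed process (here a .NET utility such as RegSvcs.exe, which has no business being launched suspended by a script host) is what makes it actionable.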
Figure 15 shows part of the main function of the Remcos RAT running inside the legitimate RegSvcs.exe process. Remcos is a remote access trojan that can steal information from the victim’s PC and execute a wide range of remote commands received from its C2 server.

Figure 15. Remcos RAT malware executed by the legitimate RegSvcs.exe process
Users must be especially cautious when opening emails from unknown sources. Regular password changes are necessary to limit the secondary damage once credentials have been stolen. Additionally, unlike attacks that exfiltrate information to an attacker-owned or compromised address, attacks that use legitimate platforms as C2 are continuously increasing, so users need to be particularly vigilant.