Researchers have identified a recent campaign distributing the Remote Access Trojan (RAT) known as Remcos. The attack begins with phishing emails disguised as legitimate business communication, such as import/export notices or quotation requests. The emails carry a file compressed with Power Archiver, which likely contains the Remcos RAT downloader. Once executed, this downloader gives the attackers remote access to the victim's machine.
The attacker in this campaign is distributing a malicious VBS script hidden within an attachment. This script is encoded using Unix-to-Unix Encoding (UUE), a method that converts binary data into a readable text format. This encoding technique helps disguise the script from detection systems. The UUE-encoded attachment consists of a header, an encoded data section, and an end marker. Decoding the attachment reveals an obfuscated VBS script, which further complicates the analysis process.
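The three-part layout described above (a `begin` header line carrying a mode and filename, the encoded data lines, and a closing `end` marker) is all a defender needs to unpack such an attachment and inspect what it really is. The following is an added example, not code from the original report or from AhnLab; it builds a constructed UUE-encoded sample from harmless text (the real attachment carried an obfuscated VBS script, which is not reproduced here), decodes it with the standard-library `binascii` routines, and flags an attachment whose embedded filename carries a script extension. The extension list is an assumption chosen for illustration, not something the report specifies.

```python
import binascii
import os
from dataclasses import dataclass

# Assumed list of extensions that should never arrive as a "document" attachment.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta"}


@dataclass
class UueAttachment:
    mode: str      # octal permission string from the 'begin' line
    name: str      # filename the encoder embedded in the 'begin' line
    payload: bytes # decoded binary content


def parse_uue(text: str) -> UueAttachment:
    """Decode a UUE block: 'begin <mode> <name>' header, data lines, 'end' marker."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' header found")
    parts = lines[start].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed 'begin' header")
    _, mode, name = parts

    chunks = []
    saw_end = False
    for line in lines[start + 1:]:
        if line.strip() == "end":          # end marker closes the data section
            saw_end = True
            break
        if line.strip() == "" or line == "`":  # '`' is the zero-length terminator line
            continue
        # Each data line starts with a length character; a2b_uu decodes one line.
        chunks.append(binascii.a2b_uu(line))
    if not saw_end:
        raise ValueError("missing 'end' marker: truncated attachment")
    return UueAttachment(mode, name, b"".join(chunks))


def build_uue(name: str, payload: bytes, mode: str = "644") -> str:
    """Encode bytes as a UUE block; used here only to construct the sample input."""
    body = "".join(
        binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
        for i in range(0, len(payload), 45)
    )
    return f"begin {mode} {name}\n{body}`\nend\n"


def is_suspicious(att: UueAttachment) -> bool:
    """Flag attachments whose embedded filename is a script, whatever the email claims."""
    ext = os.path.splitext(att.name.lower())[1]
    return ext in SCRIPT_EXTENSIONS


# Constructed sample: harmless text standing in for the encoded script body.
SAMPLE_PAYLOAD = b'WScript.Echo "constructed sample text, not the real downloader"\r\n' * 3
SAMPLE_UUE = build_uue("Invoice_2024.pdf.vbs", SAMPLE_PAYLOAD)


def analyze(text: str) -> dict:
    """Decode an attachment and report its embedded name, size and a suspicion verdict."""
    att = parse_uue(text)
    return {
        "name": att.name,
        "size": len(att.payload),
        "suspicious": is_suspicious(att),
        "payload": att.payload,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_UUE)
    print(f"{report['name']}: {report['size']} bytes, suspicious={report['suspicious']}")
```

Note that `parse_uue` rejects a block with no `end` marker instead of silently returning partial data; a gateway that tolerates truncated encodings is easier to slip past than one that treats a malformed attachment as a reason to quarantine.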
The VBS script acts as a downloader, fetching a malicious PowerShell script (Talehmmedes.txt) and saving it in the victim's temporary directory. This PowerShell script in turn downloads Haartoppens.Eft, another malicious script, from a remote server and stores it in the user's AppData folder. Haartoppens.Eft is obfuscated, which makes its functionality difficult to analyze, but it is identified as another PowerShell script whose primary function is to inject shellcode into wab.exe, a legitimate Windows process associated with address book contacts. The shellcode establishes persistence by modifying the registry, so the attacker keeps access to the compromised system even after a reboot. It then retrieves further malicious data from another remote server, likely another PowerShell script or a component the malware uses in a later stage. This chain of events ultimately leads to the execution of the Remcos RAT, granting the attacker unauthorized control over the victim's machine.
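Each hop in the chain described above leaves a telemetry artifact a defender can key on: a script host launching PowerShell, PowerShell writing files into the temp and AppData folders, wab.exe started by PowerShell rather than by a user shell, and a registry Run-key write from an unexpected process. The code below is an added example, not code from the report or from AhnLab; it runs four such heuristics over a constructed set of endpoint events that mirror the stages named on the page. The event schema, the rule identifiers and the choice of the `Run` key as the persistence location are assumptions made for the example (the report only says the registry is modified).

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed persistence location; the report does not name the exact key.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp)\\", re.I)


@dataclass
class Event:
    kind: str          # "process", "file_write" or "reg_set"
    image: str         # image name of the acting process, lower-case basename
    parent: str = ""   # parent image for process-creation events
    path: str = ""     # file path or registry value path
    cmdline: str = ""  # command line for process events


def detect(events):
    """Return (rule_id, detail) pairs for events matching the downloader-chain heuristics."""
    findings = []
    for e in events:
        if e.kind == "process" and e.parent in SCRIPT_HOSTS and e.image == "powershell.exe":
            findings.append(("scripthost_to_powershell", f"{e.parent} launched {e.cmdline}"))
        if e.kind == "file_write" and e.image == "powershell.exe" and USER_WRITABLE_RE.search(e.path):
            findings.append(("powershell_drop_user_dir", f"powershell.exe wrote {e.path}"))
        if e.kind == "process" and e.image == "wab.exe" and e.parent == "powershell.exe":
            findings.append(("wab_from_powershell", "wab.exe spawned by powershell.exe (injection target)"))
        if e.kind == "reg_set" and RUN_KEY_RE.search(e.path) and e.image in {"wab.exe", "powershell.exe"}:
            findings.append(("runkey_from_unexpected_process", f"{e.image} set {e.path}"))
    return findings


# Constructed sample events; names of the dropped files come from the report, paths are assumed.
SAMPLE_EVENTS = [
    Event("process", "wscript.exe", parent="explorer.exe", cmdline='wscript.exe "Invoice.vbs"'),
    Event("process", "powershell.exe", parent="wscript.exe",
          cmdline="powershell.exe -w hidden -f %TEMP%\\Talehmmedes.txt"),
    Event("file_write", "powershell.exe",
          path="C:\\Users\\victim\\AppData\\Local\\Temp\\Talehmmedes.txt"),
    Event("file_write", "powershell.exe",
          path="C:\\Users\\victim\\AppData\\Roaming\\Haartoppens.Eft"),
    Event("process", "wab.exe", parent="powershell.exe", cmdline="wab.exe"),
    Event("reg_set", "wab.exe",
          path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\constructed-value-name"),
    # Benign noise: a user opening the address book and a document write by Word.
    Event("process", "wab.exe", parent="explorer.exe", cmdline="wab.exe"),
    Event("file_write", "winword.exe", path="C:\\Users\\victim\\Documents\\report.docx"),
]


def rule_ids(events):
    """Convenience wrapper returning just the set of rule identifiers that fired."""
    return {rule for rule, _ in detect(events)}


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

None of the four rules is conclusive on its own (PowerShell writing to AppData is common in legitimate administration), which is why the example keeps them as separate findings: correlating several of them on one host within a short window is what turns noise into an alert.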
The Remcos RAT is a sophisticated trojan that extracts system information for geolocation purposes. It logs keystrokes and stores them in the user's application data directory, from where they are exfiltrated to the attacker's command and control server. This gives the attacker comprehensive information about the victim's machine and everything typed on it.
AhnLab Security Intelligence Center (ASEC) has issued a warning about malicious files detected by AhnLab V3 anti-malware. These files, disguised as invoice documents and spread through email, are categorized as Downloader/VBS.Agent and Data/BIN.Encoded. The IOCs provided include the file hashes associated with these samples so that they can be identified and blocked before infection. Users are advised to avoid emails from unknown senders, disable macros in attachments, and update anti-malware signatures to protect themselves from such attacks.
In conclusion, the distribution of the Remcos RAT through phishing emails disguised as legitimate business communication highlights the ongoing threat posed by sophisticated cybercriminals. It is essential for users to remain vigilant, avoid suspicious emails, and keep their cybersecurity measures up to date to protect against such malicious activities.