A new distribution method for the Remcos Remote Access Trojan (RAT) has recently been reported. This malware, infamous for granting attackers full control over compromised systems, is now being propagated through malicious Word documents that carry shortened URLs.
These deceptive URLs lead unsuspecting victims to download the Remcos RAT, enabling cybercriminals to engage in data theft, espionage, and other malicious activity. Individuals and organizations should familiarize themselves with the infection chain and learn to recognize the red flags of such attacks in order to counter them effectively.
The Forcepoint blog sheds light on the infection chain of this campaign. It begins with an email attachment in .docx format that is crafted to dupe the recipient. On closer inspection of the attachment, a shortened URL is found, hinting at malicious intent. This URL redirects the user to download an RTF file carrying an Equation Editor exploit.
By leveraging the Equation Editor vulnerability (CVE-2017-11882), the malware endeavors to fetch a VB script composed of a complex sequence of concatenated variables and strings, likely encoded or obfuscated. These strings coalesce to form an encoded payload, indicating potential decryption or execution at a later stage.
Further examination of the document (SHA1: f1d760423da2245150a931371af474dda519b6c9) reveals two critical files, settings.xml.rels and document.xml.rels, located under word/_rels/. The settings.xml.rels file discloses the shortened URL that initiates the next phase of the infection process.
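The relationship files named above are where a defender can catch this lure before any macro or exploit runs: a .docx is a ZIP archive, and an external target in word/_rels/settings.xml.rels or document.xml.rels is what pulls the remote content. The following scanner is an added example, not code from Forcepoint's report or from the campaign itself; it builds a constructed .docx in memory that mimics the described structure (an external attachedTemplate pointing at a shortener, an internal oleObject, a benign hyperlink) and flags only the relationships that load remote content or point at a URL shortener. The shortener host list and the sample URL are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

# Namespace used by every OOXML .rels part
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Assumption: a small, illustrative set of shortener hosts (not exhaustive)
SHORTENER_HOSTS = {"bit.ly", "t.ly", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}

# Relationship types that make Word fetch and load remote content on open:
# attachedTemplate (remote template injection) and oleObject (CVE-2017-0199 style)
REMOTE_LOAD_TYPES = {"attachedTemplate", "oleObject"}


def scan_docx(data: bytes) -> List[Dict]:
    """Return findings for external relationships in word/_rels/*.rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/_rels/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(RELS_NS + "Relationship"):
                # Internal relationships (no TargetMode) reference parts inside the ZIP
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                host = (urlparse(target).hostname or "").lower()
                reasons = []
                if rel_type in REMOTE_LOAD_TYPES:
                    reasons.append("external " + rel_type + " loads remote content")
                if host in SHORTENER_HOSTS:
                    reasons.append("URL shortener host")
                if reasons:
                    findings.append({"part": part, "id": rel.get("Id"),
                                     "type": rel_type, "target": target,
                                     "reasons": reasons})
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx for testing; not the real lure document."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/attachedTemplate" Target="https://t.ly/EXAMPLE" TargetMode="External"/>'
        '</Relationships>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print(f["part"], f["id"], f["type"], f["target"], "; ".join(f["reasons"]))
```

Run against a real attachment with `scan_docx(open(path, "rb").read())`; the internal oleObject and the plain hyperlink are deliberately left unflagged so the output concentrates on the remote-loading relationships an analyst would pivot on.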
Detonating the document in a sandbox environment confirms exploitation of CVE-2017-0199. Through this vulnerability, the document attempts to connect to a remote server and download a malicious file. The attackers cloak the malicious URL behind a URL shortener service, which makes it hard for victims to judge the risk and helps the download evade security detection mechanisms.
A closer look uncovers PDF files embedded as oleObject .bin files within the \word\embeddings directory. While the PDF may seem innocuous, showing a fictional transaction between a company and a bank, the actual threat lies in the RTF file (SHA1: 539deaf1e61fb54fb998c54ca5791d2d4b83b58c) downloaded via the shortened URL.
The malicious VB script (SHA1: 9740c008e7e7eef31644ebddf99452a014fc87b4) decrypts to PowerShell code that attempts to retrieve a malicious binary from two different URLs. One URL conceals the malware within an image using steganography, while the other contacts an IP address to fetch a TXT file containing a reversed, Base64-encoded string, adding a further layer of obfuscation.
Using tools such as CyberChef, the encoded string is reversed and decoded to reveal the malicious payload (SHA1: 83505673169efb06ab3b99d525ce51b126bd2009). Process monitoring shows a connection attempt to a probable Command and Control (C2) server (IP: 94[.]156[.]66[.]67:2409), which is currently inactive, resulting in repeated TCP reconnection attempts.
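The "reverse, then Base64-decode" step that CyberChef performs on the TXT file is simple to reproduce in a script, which matters when the same staging pattern has to be checked across many samples. The function below is an added example, not code from the report or the campaign; it tries the plain Base64 interpretation first, falls back to the reversed form, and reports which transform produced a PE-looking result (an MZ header). The sample string is constructed here by reversing the Base64 of a fake "MZ" blob; it is not the real payload.

```python
import base64
import binascii
from typing import Optional, Tuple


def _try_b64(text: str) -> Optional[bytes]:
    """Strict Base64 decode; None if the text is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check for a Windows executable: the DOS header starts with 'MZ'."""
    return blob[:2] == b"MZ"


def decode_staged_text(text: str) -> Tuple[str, Optional[bytes]]:
    """Undo the staging transform on a downloaded TXT body.

    Returns (transform, decoded) where transform is 'base64' or
    'reverse+base64', or ('none', None) when neither interpretation works.
    Whitespace is stripped first because such files often wrap lines.
    """
    compact = "".join(text.split())
    for label, candidate in (("base64", compact), ("reverse+base64", compact[::-1])):
        decoded = _try_b64(candidate)
        # Prefer a decode that yields a PE; otherwise accept any valid decode
        if decoded is not None and looks_like_pe(decoded):
            return label, decoded
    for label, candidate in (("base64", compact), ("reverse+base64", compact[::-1])):
        decoded = _try_b64(candidate)
        if decoded is not None:
            return label, decoded
    return "none", None


# Constructed sample: a fake PE-like blob, Base64-encoded and then reversed,
# mirroring the staging described above (not real malware bytes).
FAKE_PAYLOAD = b"MZ\x90\x00constructed-not-a-real-binary"
SAMPLE_TXT = base64.b64encode(FAKE_PAYLOAD).decode()[::-1]


if __name__ == "__main__":
    transform, blob = decode_staged_text(SAMPLE_TXT)
    print(transform, looks_like_pe(blob) if blob else None, len(blob) if blob else 0)
```

In practice the decoded bytes would be hashed and compared against the SHA1 given above rather than executed; the "none" result is the cue to look for an additional layer (XOR, gzip, or a different alphabet) before concluding the file is benign.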
The use of shortened URLs in Word documents to distribute the Remcos RAT exemplifies the evolving tactics of cyber adversaries. To defend against such threats, individuals and organizations must understand the infection chain and remain vigilant toward suspicious emails and attachments. Not clicking shortened URLs from unknown sources is a basic but vital safeguard.
The key takeaway from this incident is the importance of security awareness and proactive defensive measures in countering sophisticated threats in today's digital landscape.