Threat Research

Efficiently Distributing RemcosRAT Through Steganography

Ahnlab

AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.

Figure 1. A Word document containing an external link

The RTF file downloads a VBScript with the “.jpg” file extension from the C2 and another VBScript from “paste.ee”, a service similar to “Pastebin” where one can upload text for free.

Figure 2. VBScript downloaded by the RTF file

The downloaded VBScript is obfuscated with many special characters and ultimately executes a PowerShell script through Replace.

Figure 3. The obfuscated script (eh1G4)

This PowerShell script downloads an image uploaded to an external source. The image file contains the data encoded in Base64 behind “FF D9” which denotes the end (footer) of the jpg file. It then loads the data between the strings “<<BASE64 START>>” and “BASE64_END” to decode it in Base64. The decoded data is “.NET DLL” which is given 6 arguments and executed through reflective code loading.

Figure 4. The PowerShell script downloading a steganography image
Figure 5. The Base64-encoded data contained in a normal image file

The script downloads an additional file from the C2 given as an argument and creates RegAsm.exe as a child process to execute it through the process hollowing technique. RemcosRAT is the ultimately executed process.

Figure 6. RemcosRAT executed through process hollowing

Because Remcos RAT is distributed in many ways including spam emails and under the guise of crack software download links, users are advised to practice particular caution. In addition, they must update V3 to the latest version to prevent malware infection in advance.

File Detection
Downloader/VBS.Agent.SC199181 (2024.04.19.00)
Data/BIN.Encoded (2024.04.18.03)
Downloader/VBS.Agent.SC198254 (2024.03.19.03)
RTF/Malform-A.Gen (2024.03.19.01)

Behavior Detection
Execution/MDP.Powershell.M2514

MD5s
FDFD9E702F54E28DC2CA5F7C04BF1C8F
F5A49410D9EA23DC2CF67D7D3BA8FAD0
C7603F1DA9D5EBB35076F285EB374BA6
6605B28A03EA7CAA3A40451CBBC75034
B06FE78AAD12F615595040308AFFC0D8

C2s
hxxp://ur8ly.com/asy2xrhxxps://paste.ee/dEh1G4
107.175.31[.]187
192.210.201[.]57:52748

Reference
1) https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post RemcosRAT Distributed Using Steganography appeared first on ASEC BLOG.

MITRE TTP

  1. Spear Phishing Attachment (T1566.001):
    • The attack begins with a Word document that likely appears legitimate to the victim but contains malicious elements. This is indicative of a spear phishing attack using a document as the vector.
  2. Template Injection (T1221):
    • The initial Word document employs template injection, which manipulates document templates to execute malicious code when the document is opened.
  3. Exploitation for Client Execution (T1203):
    • An RTF file is then downloaded and executed, exploiting a vulnerability in the equation editor component of Microsoft Word (EQNEDT32.EXE), leading to code execution.
  4. Resource Hijacking (T1496):
    • The RTF file downloads a VBScript masquerading as a “.jpg” file from a command and control (C2) server, indicating the use of file name deception to hide malicious scripts.
  5. Use of Paste Sites for Staging (T1567.002):
    • Another VBScript is downloaded from “paste.ee,” a text sharing service similar to Pastebin, used here for hosting malicious code.
  6. Obfuscated Files or Information (T1027):
    • The VBScript is heavily obfuscated with special characters to evade detection.
  7. PowerShell (T1059.001):
    • The obfuscated script executes a PowerShell script, which is a common scripting language used by attackers for its powerful capabilities and availability on Windows systems.
  8. Steganography (T1027.003):
    • The PowerShell script downloads an image containing hidden data encoded in Base64, using steganography to conceal the payload.
  9. Reflective Code Loading (T1620):
    • The PowerShell script then uses reflective code loading to execute a .NET DLL file directly from memory, avoiding traditional file-based execution.
  10. Process Hollowing (T1055.012):
    • RemcosRAT, the final payload, is executed using the process hollowing technique, where a legitimate process (RegAsm.exe) is started in a suspended state, its memory is replaced with malicious code, and then resumed to execute the malware.
  11. Command and Control (T1071):
    • Throughout the attack, multiple files are downloaded from a C2 server, indicating ongoing communication with an attacker-controlled server.
Tags: SPAM, VULNERABILITY