GoTo Meeting loads Remcos RAT via Rust Shellcode Loader

Summary: This content discusses the JS infection chain, which involves various initial infectors targeting different victim groups.

Threat Actor: Unknown
Victim: Various target groups

Key Points:

  • The JS infection chain involves different initial infectors, such as fake setup files and fake documents, targeting various victim groups.
  • Examples of initial infectors include a fake LeonardoAI2 Setup, a fake OnlyFans Livestreams setup, fake tax documents, and a Russian ZIP file named “Заявка_на_Геоприборы.rar.zip”.
  • Some initial infectors have a slightly different execution chain, such as the JScript file “Teen Girl Leak Porn 10.js” that targets porn consumers.

JS Infection Chain

After analysing the LNK execution chain, I started looking for more cases like these via related files on VirusTotal. I discovered initial infectors in various languages and for several target groups just by looking for archives that contain either the same g2m.dll[4] or the same decoy PDF[5] by hash.
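The pivot described above (find every archive that carries the same embedded component, matched on content hash rather than file name) is easy to reproduce locally over a corpus of collected archives. The following is an added example, not code from the G DATA post or from the author; it builds a few placeholder ZIP archives in memory, hashes each member, and reports which archives share a member with the seed. The member names (g2m.dll, decoy.pdf, Tax_Form.pdf) and all byte contents are constructed stand-ins, not the real samples. Because matching is by SHA-256 of the member, a renamed decoy is still found, which is the point of pivoting on hash instead of on name.

```python
"""Pivot on shared member hashes across archives (added example, constructed data)."""
import hashlib
import io
import zipfile
from collections import defaultdict


def build_zip(members):
    """Construct an in-memory ZIP from a {name: bytes} mapping (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def member_hashes(archive_bytes):
    """Return a list of (sha256, member_name) for every regular file in the archive."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            out.append((digest, info.filename))
    return out


def pivot(archives, seed_name, pivot_members):
    """Find archives that share any of `pivot_members` (by content hash) with the seed.

    archives:      {archive_name: archive_bytes}
    seed_name:     the archive whose members define the hashes to pivot on
    pivot_members: member file names inside the seed to take hashes from
    Returns {archive_name: [matching member names]} for every archive except the seed.
    """
    seed = member_hashes(archives[seed_name])
    pivot_hashes = {h for h, name in seed if name in pivot_members}
    related = defaultdict(list)
    for name, data in archives.items():
        if name == seed_name:
            continue
        for digest, member in member_hashes(data):
            if digest in pivot_hashes:
                related[name].append(member)
    return dict(related)


# Constructed placeholder payloads: the same "DLL" and "decoy PDF" bytes reused across lures.
SHARED_DLL = b"MZ placeholder: identical loader DLL shipped in several lures\n"
SHARED_PDF = b"%PDF-1.4 placeholder decoy document\n"

# Constructed corpus: one seed archive, two related lures, one unrelated archive.
SAMPLE_ARCHIVES = {
    "seed.zip": build_zip({"Setup.lnk": b"lnk placeholder", "g2m.dll": SHARED_DLL, "decoy.pdf": SHARED_PDF}),
    "lure_a.zip": build_zip({"Installer.lnk": b"different lnk placeholder", "g2m.dll": SHARED_DLL}),
    # Same decoy bytes under a different file name: still matched because we pivot on hash.
    "lure_b.zip": build_zip({"Tax_Form.pdf": SHARED_PDF, "notes.txt": b"irrelevant text"}),
    "unrelated.zip": build_zip({"readme.txt": b"nothing shared with the seed"}),
}


def run_demo():
    """Pivot from the seed on its DLL and decoy PDF; returns the related archives."""
    return pivot(SAMPLE_ARCHIVES, "seed.zip", {"g2m.dll", "decoy.pdf"})


if __name__ == "__main__":
    for archive, members in run_demo().items():
        print(f"{archive}: shares {', '.join(members)} with seed.zip")
```

On a real corpus you would replace `SAMPLE_ARCHIVES` with the archives pulled from your own collection and `pivot_members` with the members you consider characteristic of the campaign; nested archives (the `.rar.zip` case mentioned in the post) would need one extra level of extraction before hashing.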

Among others I found a fake LeonardoAI2 Setup[14], a fake OnlyFans Livestreams setup[13], fake tax documents[16], fake tax organizers[17] and a Russian ZIP file named Заявка_на_Геоприборы.rar.zip[15], which translates to “application for geodevices”.

Some feature a slightly different execution chain than the previous one, e.g., the JScript file Teen Girl Leak Porn 10.js[7], whose name indicates that it targets porn consumers. The image below visualizes the infection chain for this JScript file[7] and serves as an example of a different mode of execution.

Source: https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos
