FOCUS MODE
EXTRACT IOC
Threat Research

Remcos RAT Malware Disguised as Major Carrier’s Waybill

Ahnlab
Remcos RAT Malware Disguised as Major Carrier’s Waybill
AhnLab Security Intelligence Center (ASEC) uncovered Remcos malware camouflaged as a shipping waybill. The article outlines the distribution process involving HTML, JavaScript, and AutoIt scripts, ultimately leading to the execution of the Remcos malware. It emphasizes the importance of vigilance when handling emails from unfamiliar sources to prevent malware infection. Affected: Remcos malware, email communications, information security

Keypoints :

  • Discovery of Remcos malware disguised as a waybill from a shipping company.
  • Distribution involves HTML scripts, JavaScript files, and AutoIt scripts.
  • Malicious email contained an HTML script which initiated the malware execution.
  • JavaScript file includes obfuscated dummy code that masks malicious behavior.
  • Several files are created upon execution, including configuration and malicious scripts.
  • Features of the created files and their functionalities detailed in a table.
  • Malware scripts utilize legitimate processes for execution and persistence.
  • Malicious activities include information theft and remote command execution through C2 communication.
  • Recommendations for users include being cautious with unknown emails and regularly changing passwords.

MITRE Techniques :

  • T1203 – Exploitation for Client Execution: The malware leverages HTML and JavaScript exploits to execute on user systems.
  • T1060 – Registry Run Keys / Startup Folder: The malware registers its execution command in autorun registry keys, ensuring persistence.
  • T1027 – Obfuscated Files or Information: JavaScript file uses both obfuscation and dummy code to evade detection.
  • T1059.001 – Command and Scripting Interpreter: Malicious AutoIt scripts execute commands using legitimate processes.
  • T1056.001 – Input Capture: The Remcos malware is designed to capture information from the user’s system.

Indicator of Compromise :

  • [MD5] 9fdde6d01baeb36a5e770c7fbfc0aafb
  • [MD5] a224a99613680c9f62222278eabdca6d
  • [MD5] c33a090d46bf270d49280178326a3616
  • [MD5] e3765da77fefd90e2a7e1fe50029a1d8
  • [URL] http://favor-grace-fax.home-webserver.de/

Full Story: https://asec.ahnlab.com/en/87106/

Tags: PASSWORD, BROWSER, PERSISTENCE, TOOL, EMAIL, DISCOVERY