RemcosRAT is being spread using steganography techniques.

  • AhnLab Security intelligence Center (ASEC) confirmed that RemcosRAT is being distributed using steganography techniques.
  • The distribution starts with a Word document that uses the Template Injection technique to download and execute an RTF file, which in turn exploits the vulnerability in the Equation Editor (EQNEDT32.EXE).
  • The RTF file downloads a VBScript, saved with a “.jpg” extension, from paste.ee, a free text-hosting service similar to Pastebin.
  • The VBScript is obfuscated with assorted special characters; after de-obfuscation via Replace calls it executes a PowerShell script.
  • The PowerShell script downloads an externally hosted image. The image carries Base64-encoded data appended after the “FF D9” marker, which denotes the end (footer) of a JPEG file.
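The extraction step described above is easy to reproduce for triage. The following Python script is an added example, not code from ASEC or from the malware: it locates the JPEG end-of-image marker (FF D9), validates that whatever follows is Base64, and decodes it. The sample image bytes and the appended payload are constructed inline for illustration; the function names and the "last FF D9 wins" heuristic are this example's own choices.

```python
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # start-of-image marker
JPEG_EOI = b"\xff\xd9"  # end-of-image marker ("footer")

# Base64 alphabet with optional padding; whitespace is stripped beforehand.
_B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def extract_trailing_payload(jpeg_bytes: bytes) -> Optional[bytes]:
    """Return the decoded Base64 payload appended after the final FF D9, or None.

    The *last* FF D9 is used on purpose: Exif (APP1) segments often embed a
    thumbnail that is itself a JPEG with its own FF D9, so the first occurrence
    can sit well before the real end of image. A Base64 trailer is pure ASCII
    and therefore cannot contain an 0xFF byte, so searching from the end is safe.
    """
    if not jpeg_bytes.startswith(JPEG_SOI):
        return None  # not a JPEG at all
    eoi = jpeg_bytes.rfind(JPEG_EOI)
    if eoi == -1:
        return None  # truncated or malformed image, no footer to anchor on
    trailer = jpeg_bytes[eoi + len(JPEG_EOI):]
    if not trailer:
        return None  # a clean image ends exactly at FF D9
    cleaned = re.sub(rb"\s+", b"", trailer)
    if not _B64_RE.fullmatch(cleaned):
        return None  # something is appended, but it is not Base64 text
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None


def has_hidden_trailer(jpeg_bytes: bytes) -> bool:
    """Cheap detection check: is there any data at all after the last FF D9?"""
    eoi = jpeg_bytes.rfind(JPEG_EOI)
    return eoi != -1 and len(jpeg_bytes) > eoi + len(JPEG_EOI)


def _app1_with_thumbnail() -> bytes:
    """Build a minimal APP1 segment whose body embeds a tiny JPEG thumbnail.

    Constructed for this example so the inner FF D9 exercises the rfind logic.
    """
    inner_thumbnail = JPEG_SOI + JPEG_EOI
    body = b"Exif\x00\x00" + inner_thumbnail
    length = len(body) + 2  # the JPEG length field counts its own two bytes
    return b"\xff\xe1" + length.to_bytes(2, "big") + body


# Constructed sample inputs (not captured from the real campaign).
CLEAN_JPEG = JPEG_SOI + _app1_with_thumbnail() + JPEG_EOI
CONSTRUCTED_STAGE = b"Write-Host 'constructed placeholder stage, not real malware'"
STEGO_JPEG = CLEAN_JPEG + b"\r\n" + base64.b64encode(CONSTRUCTED_STAGE)


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        payload = extract_trailing_payload(blob)
        print(f"{name}: trailer={has_hidden_trailer(blob)} payload={payload!r}")
```

When run over real samples, a non-empty trailer that is not Base64 is still worth a look: other families append raw PE files, XOR-encoded blobs or a second script after the footer, and the same FF D9 anchor finds all of them.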

https://asec.ahnlab.com/ko/64421/