See the Power of Pipeline
We stay current with technological trends and knowledge through industry-academia collaborations and international networks.
By using our own products, we avoid expensive foreign software, maximizing cost performance.
Pipeline offers a one-stop solution for all cybersecurity needs, from consulting to operational design and implementation.
Contact Us
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
All posts
Pipeline Research

[Pipeline Research] Investigating A Prepared Campaign of RemcosRAT

Pipeline, Inc. observed a recent threat campaign of RemcosRAT malware. The threat actor was distributing malicious VBS file via e-mail attachment. The infection chain is like below-

Photo: Infection Chain We Observed

At first we found a very obfuscated VBS e-mail attachment which was hard to analyze. We first de-obfuscated it and found that the below function is executed by PowerShell-


This snippet of code is executed by Wscript.Shell. It downloads the second payload from C2 server using the PowerShell cmdlet Start-BitsTransfer and writes the payload to a local file named Asturi.Bel. The C2 server URL is-

hxxps[://]spiderzlame[.]shop/Memoreres[.]hhk


Surprisingly when we visited the domain, we got this-


Even, when we try to get the Whois info for the domain, we get 'Server is busy now, please try again later.' like below-

This is why it seems to be a very prepared threat campaign, where the obfuscation is everywhere. Anyway, the payload downloaded from the C2 is a very long Base64 data (more than 200k characters)-

Photo: Base64 Payload Downloaded from C2

The payload is decoded using the [System.Convert]::FromBase64String() method. Then it uses the [System.Text.Encoding]::ASCII.GetString() method to convert the byte array to string. Although de-obfuscating is not completed yet. Some garbage text is still there in the payload. So, the malware now uses the substring() function to extract the actual payload-


This payload contains a function Spnding02() at the beginning. Which is used to de-obfuscate the next stage payload. After de-obfuscating and simplifying the payload, it looks like below-


The malware found to be connected with another domain-

windowsupdatebg[.]s[.]llnwi[.]net


The malware’s name in the e-mail attachment is 'importe PDF.vbs'. The malware sleeps sometime as an evasion technique and uses VirtualAlloc() function for reserving code to execute. Some of its command lines are as below-

MITRE ATT&CK Mapping

T1047
T1010
T1018
T1082
T1083
T1518.001
T1105
T1497

Share
Copy link
http://www.ppln.co/en/posts/investigating-remcosrat
News Icon
You may also like latest news:

Unlocking the Hidden Risks: How VAPT Can Identify Vulnerabilities in Your Systems

Read More »

Exhibited at the Cable Technology Show with our partner Toyo Technica

Read More »

[Pipeline Research] Digital Battlegrounds: The Hidden Cyber War Amidst the Israel-Hamas Conflict

Read More »
Pipeline Logomark

You may also like latest news:

Cyber Security
September 17, 2024
Cyber Security
September 17, 2024
Cyber Security
September 17, 2024

Building a Smart Security Pipeline

Gain a new level of insight and knowledge across your organization to speed up decision making and business actions.

Book a callback
詳細はこちら