Blog

IQ-FA008:Remcos Maldoc Utilizing Macrosheets

By: Josiah Smith
July 14, 2020

Fig 1. Graphical Lure


Low Detection:

Fig 2. fe809aa7410d9df4db47ea209891c441028836edadd44beb0997d9d25be354d3


This sample is once again leveraging Macrosheets… still a good tactic for actors, despite having extensive coverage for 18 months now. Some previous InQuest writing on Macrosheets:

This macrosheet provides an extra level of intricacy in it’s obfuscation technique. Eventual payload is Remcos RAT, which, has decent AV detection (14/72):

That payload is downloaded from: hxxp://47.106.112.106:8032/app/logo[.]gif

And has relations to the following Domains:

  • update.office365excel.org
  • update.huobibtc.net

    The purpose of the office domain is self evident. For those who aren’t familiar, Huobi is a legitimate crypto currency exchange: https://www.huobi.com

    Indicators

    Note: There is a lot of interesting pivots that can be done from the Indicators

    Date Observed Indicator Type Indicator
    7/14/2020 XLS Document fe809aa7410d9df4db47ea209891c441028836edadd44beb0997d9d25be354d3
    7/14/2020 Binary 0892656183c07a099887cd0ad837f05d17cd77a8d253f3e8b637bc099c3bcb0b
    7/14/2020 Hostname update.office365excel.org
    7/14/2020 Hostname update.huobibtc.net
    7/14/2020 IP Address 47.106.112.106 Aliyun Computing Co. Ltd 37963
    • MalDocRemcosthreat hunting
    About the Author

    Josiah Smith

    Director of Operations
    Josiah Smith is the Director of Operations at InQuest, where he leverages his extensive engineering expertise to drive innovation and efficiency. As a Senior Enlisted Leader in the Air Force Reserves, Josiah brings exceptional leadership skills and strategic acumen to his role. He holds prestigious certifications, including the GIAC GSE and CISSP, as well as dual master's degrees, underscoring his deep knowledge in cybersecurity. Additionally, Josiah has shared his expertise as an educator at Bismarck State College, contributing significantly to the field of cybersecurity education. His multifaceted experience and dedication make him a key figure in ensuring InQuest's continued success.
    More about this author
    Back to Blog

    InQuest, LLC
    1204 San Antonio St, 2nd Floor
    Austin, Texas 78701, USA

    Phone
    +1 (866) 982-0561

    Web Support
    support.inquest.net

    Support
    [email protected]

    Sales
    [email protected]

    PGP Key
    inquest.pgp

    © Copyright 2024 InQuest