Remcos RAT Distributed as UUEncoding (UUE) File

AhnLab SEcurity intelligence Center (ASEC) recently discovered that Remcos RAT is being distributed via UUEncoding (UUE) files compressed using Power Archiver.

The image below shows a phishing email distributing the Remcos RAT downloader. Recipients must be vigilant as phishing emails are disguised as emails about importing/exporting shipments or quotations.

Figure 1. A phishing email

1. UUE

The threat actor distributes a UUE-encoded VBS script as an email attachment. UUE, short for Unix-to-Unix Encoding, is a method for exchanging data between Unix systems by encoding binary data as ASCII text.

Figure 2. A UUE-encoded VBS script

A UUE file consists of a header (begin), the encoded data, and a trailer (end). The threat actor appears to have used UUE in an attempt to bypass detection. Decoding the file yields an obfuscated VBS script (see Figure 3).

Figure 3. An obfuscated VBS script
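
As an added example (not from the ASEC post or AhnLab tooling), this Python code parses the begin/data/end structure described above and reports the embedded file name, so an analyst or mail filter can flag UUE attachments that unpack to a script. The function names and extension list are assumptions; the payload is a constructed, benign sample, and only the file name Invoice_order_new.vbs comes from the IOC list.

```python
import binascii
import re

# Script extensions worth flagging when they appear as the embedded file name.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".hta")
HEADER = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>.+)$")

def decode_uue(text):
    """Parse one UUE container: 'begin <mode> <name>', data lines, 'end'."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if HEADER.match(ln)), None)
    if start is None:
        raise ValueError("no 'begin' header found")
    hdr = HEADER.match(lines[start])
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            return hdr["mode"], hdr["name"], bytes(out)
        if not line:
            continue
        n = (ord(line[0]) - 32) & 0x3F                   # decoded byte count
        vals = [(ord(c) - 32) & 0x3F for c in line[1:]]  # '`' and ' ' both mean 0
        vals += [0] * (-len(vals) % 4)                   # trailing padding stripped
        chunk = bytearray()
        for i in range(0, len(vals), 4):                 # 4 chars -> 3 bytes
            a, b, c, d = vals[i:i + 4]
            chunk += bytes(((a << 2 | b >> 4) & 0xFF,
                            (b << 4 | c >> 2) & 0xFF, (c << 6 | d) & 0xFF))
        out += chunk[:n]
    raise ValueError("missing 'end' trailer")

def triage_attachment(text):
    """Report what the container unpacks to, without writing it to disk."""
    mode, name, data = decode_uue(text)
    return {"embedded_name": name, "size": len(data), "preview": data[:32],
            "script_payload": name.lower().endswith(SCRIPT_EXTS)}

def build_sample(name, payload):
    """Constructed, benign test input: wrap payload in a UUE container."""
    body = "".join(binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
                   for i in range(0, len(payload), 45))
    return f"begin 644 {name}\n{body}`\nend\n"

# Constructed payload; the file name is the one listed in the post's IOCs.
PAYLOAD = b'WScript.Echo "constructed benign sample spanning two UUE lines"\r\n'
SAMPLE = build_sample("Invoice_order_new.vbs", PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE, triage_attachment(SAMPLE), sep="\n")
```

The decoder works on text alone, so the check applies whatever the attachment's outer file extension is.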

2. Downloader

The VBS script saves a PowerShell script to the %Temp% directory as Talehmmedes.txt and runs it. The executed script accesses hxxp://194.59.30[.]90/Isocarbostyril.u32 to download Haartoppens.Eft into the %AppData% directory and run an additional PowerShell script.

Figure 4. Part of the Base64-decoded Talehmmedes.txt

This additional PowerShell script is also obfuscated to hinder analysis, and its main function is to load shellcode into the wab.exe process.

Figure 5. Part of the decoded PowerShell script

The shellcode adds a registry entry to maintain persistence and accesses hxxp://194.59.30[.]90/mtzDpHLetMLypaaA173.bin to load additional data. Ultimately, Remcos RAT is executed.

Figure 6. Adding a registry – 1

Figure 7. Adding a registry – 2

3. Remcos RAT

The malware collects system information through hxxp://geoplugin[.]net/json.gp. It then saves the keylogging data as mifvghs.dat in the %AppData% directory and sends the data to the C&C server.

Figure 8. Remcos RAT settings

Figure 9. Keylogging data

[C&C Servers]

  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0

Users should refrain from opening emails from unknown sources, and should not run or enable macros in downloaded attachments. If the security level of the document program is set to low, macros may run automatically without any notification. Users should therefore keep the security level set to high to prevent unintended features from running.

Also, we recommend users update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malicious types of files introduced in the post using the aliases below.

[File Detection]

Downloader/VBS.Agent (2024.05.17.01)
Data/BIN.Encoded (2024.05.24.00)

[IOCs]

b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)

The post Remcos RAT Distributed as UUEncoding (UUE) File appeared first on ASEC BLOG.