Remcos RAT Being Distributed via Webhards

While monitoring the distribution sources of malware in South Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that Remcos RAT disguised as adult games is being distributed via webhards. Webhards (Korean web-based file-sharing services) and torrents are platforms commonly used to distribute malware in Korea.

Attackers in these campaigns typically use easily obtainable malware such as njRAT and UDP RAT, disguised as legitimate programs such as games or adult content. Similar cases have been covered in previous ASEC blog posts several times.

Figure 1. Uploaded posts
Figure 2. Malware disguised as an adult game being distributed via webhards

As shown in Figure 1, the malware is being distributed under multiple game titles using the same method. Every post includes a guide that tells users to run the Game.exe file.

When the archive is decompressed, a Game.exe file is present. Although it looks like a regular game launcher, the DLL that actually runs the game is stored separately, and running Game.exe launches the malicious VBS scripts alongside the game itself.

Figure 3. Malware disguised as a regular Game.exe file
Figure 4. Routine to execute malicious VBS scripts
Figure 5. Malicious files existing in the www\js\plugins folder

As shown in Figure 5, the malicious VBS scripts and the other dropped malware files are located in the www\js\plugins folder. The file ultimately executed is the ffmpeg.exe malware. The infection flow once it runs is shown below.

Figure 6. Infection flow of malware
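The layout described above (Game.exe at the top of the extracted archive, scripts and the payload dropper under www\js\plugins) can be checked before anything is run. The following Python script is an added example, not code from the original post or from AhnLab: it walks an extracted game folder, hashes every file against the MD5 IOCs listed at the end of this post, and flags script and executable files sitting in a www\js\plugins folder regardless of hash, since a repacked sample will not match the listed hashes. The build_demo_tree() helper constructs a throwaway sample folder so the script runs offline; its file contents are sample data, not the real files.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 hashes of the dropped files listed in the IOC section of this post.
KNOWN_MD5 = {
    "00bfd32843a34abf0b2fb26a395ed2a4": "ffmpeg.exe",
    "4d04070dee9b27afc174016b3648b06c": "ffmpeg.dll",
    "5193669c2968980c0e88a87fd4bf61c4": "test.jpg",
    "2e6796377e20a6ef4b5e85a4ebbe614d": "passage.vbs",
    "b05de31c9c254eea1be1dc4c5a38672c": "passage2.vbs",
    "5574647e6e64cee7986478a31eecbae0": "passage.bat",
    "629c21b1eee4e65eb38809302ae029f6": "passage2.bat",
    "ee198ab059b0e180757e543ab6e02bed": "space.vbs",
    "2f6768c1e17e63f67e173838348dee58": "sky.vbs",
    "36aa180dc652faf6da2d68ec4dac8ddf": "road.vbs",
}

# File types that have no business inside a game's www\js\plugins folder.
SCRIPT_SUFFIXES = {".vbs", ".bat", ".cmd", ".ps1"}
BINARY_SUFFIXES = {".exe", ".dll"}
PLUGINS_DIR = "www/js/plugins"


def md5_of(path) -> str:
    """Hash a file in chunks so large game assets are not read into memory at once."""
    h = hashlib.md5()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def in_plugins_dir(rel_posix: str) -> bool:
    """True when the relative path lies under a www/js/plugins folder at any depth."""
    low = rel_posix.lower()
    return low.startswith(PLUGINS_DIR + "/") or ("/" + PLUGINS_DIR + "/") in low


def scan_game_folder(root, known_md5=KNOWN_MD5):
    """Return (relative_path, reason, detail) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = md5_of(path)
        if digest in known_md5:
            # Exact match against the published IOCs.
            findings.append((rel, "known_ioc_hash", known_md5[digest]))
        elif in_plugins_dir(rel) and path.suffix.lower() in SCRIPT_SUFFIXES:
            # Repacked samples change hashes; the dropper location and file type do not.
            findings.append((rel, "script_in_plugins_dir", path.suffix.lower()))
        elif in_plugins_dir(rel) and path.suffix.lower() in BINARY_SUFFIXES:
            findings.append((rel, "executable_in_plugins_dir", path.suffix.lower()))
    return findings


def build_demo_tree() -> Path:
    """Construct a throwaway folder with the layout of Figure 5 (sample contents, not the real files)."""
    root = Path(tempfile.mkdtemp(prefix="game_demo_"))
    (root / "Game.exe").write_bytes(b"MZ sample launcher")
    plugins = root / "www" / "js" / "plugins"
    plugins.mkdir(parents=True)
    (plugins / "rpg_core.js").write_text("// ordinary game plugin, should not be flagged\n")
    (plugins / "passage.vbs").write_text("' sample script, not the real dropper\n")
    (plugins / "ffmpeg.exe").write_bytes(b"MZ sample payload")
    (plugins / "test.jpg").write_bytes(b"\xff\xd8\xff\xe0 sample image")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_game_folder(demo_root):
        print(finding)
```

Point scan_game_folder() at the folder produced by decompressing a downloaded archive. A hash hit is conclusive; the location-based hits are triage leads, since a game engine plugin folder normally contains only .js files.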

When ffmpeg.exe is executed, it reads test.jpg and splits its contents on the “sexyz” delimiter string to extract the encrypted binary and the key value. The binary is decrypted with the key and injected into explorer.exe.

Figure 7. Parsing encrypted malware from test.jpg
Figure 8. explorer.exe injection logic
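The carving step in Figure 7 can be reproduced in a few lines. The following Python is an added example, not code from the original post: it splits a carrier file on the “sexyz” delimiter, treats the fields as key and encrypted binary, decrypts, and checks that the result is a PE image. The post does not state the order of the fields or the cipher, so the layout (image stub, key, encrypted binary) and the repeating-key XOR are assumptions for illustration; only the delimiter, the file name and the overall idea come from the post. The carrier is constructed inside the script, and the split is limited to two delimiters so a delimiter-like byte run inside the ciphertext does not break the carve.

```python
# Delimiter named in the post. The field order and the cipher below are ASSUMPTIONS for the example.
DELIMITER = b"sexyz"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, standing in for the cipher the post does not name."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_carrier(carrier: bytes):
    """Split on the delimiter exactly twice: stub | key | encrypted binary.
    Limiting the split count keeps the encrypted blob intact even if the
    ciphertext happens to contain the delimiter bytes."""
    parts = carrier.split(DELIMITER, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 2 delimiters, found {len(parts) - 1}")
    image_stub, key, encrypted = parts
    if not key or not encrypted:
        raise ValueError("empty key or payload field")
    return image_stub, key, encrypted


def extract_payload(carrier: bytes) -> bytes:
    """Carve, decrypt and sanity-check the embedded binary."""
    _, key, encrypted = carve_carrier(carrier)
    payload = xor_bytes(encrypted, key)
    if not payload.startswith(b"MZ"):
        raise ValueError("decrypted blob is not a PE image; layout or cipher assumption is wrong")
    return payload


def looks_like_carrier(data: bytes) -> bool:
    """Cheap triage check for a .jpg that is really a payload carrier."""
    try:
        carve_carrier(data)
        return True
    except ValueError:
        return False


def build_demo_carrier(payload: bytes, key: bytes) -> bytes:
    """Construct a sample carrier: fake JPEG header + delimiter + key + delimiter + ciphertext."""
    jpeg_stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
    return jpeg_stub + DELIMITER + key + DELIMITER + xor_bytes(payload, key)


def build_delimiter_trap(payload: bytes, key: bytes, offset: int) -> bytes:
    """Modify payload so that its ciphertext contains DELIMITER at offset (exercises the split guard)."""
    buf = bytearray(payload)
    for i, c in enumerate(DELIMITER):
        buf[offset + i] = c ^ key[(offset + i) % len(key)]
    return bytes(buf)


# Constructed sample payload and key; not the real sample.
DEMO_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(range(64))
DEMO_KEY = b"s3cr3tk3y"

if __name__ == "__main__":
    carrier = build_demo_carrier(DEMO_PAYLOAD, DEMO_KEY)
    print("carrier?", looks_like_carrier(carrier), "recovered", len(extract_payload(carrier)), "bytes")
```

For a real sample, read test.jpg into extract_payload() and, if the MZ check fails, inspect the carved fields in a hex editor to correct the field order or cipher before dumping the payload for further analysis.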

The code injected into explorer.exe downloads Remcos RAT from the C&C server shown in Figure 9 and injects it into ServiceModelReg.exe to carry out its further behavior.

Figure 9. Logic used to download Remcos RAT
Figure 10. Remcos RAT main
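Each stage of the chain in Figure 6 leaves telemetry that can be matched independently of the sample hashes. The following Python is an added example, not code from the original post or an AhnLab detection rule: it runs four checks over constructed, Sysmon-style process and network events: a script host running a script from a www\js\plugins folder, an executable launched from that folder, a connection to the C&C host listed in the IOC section, and ServiceModelReg.exe being started by explorer.exe (assumed here to be the injected explorer.exe creating its target process; ServiceModelReg.exe is a legitimate .NET Framework tool that users do not run interactively). The log lines, file paths and parent-child chain are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# From the IOC section of this post.
C2_HOST = "kyochonchlcken.com"
C2_PATHS = {"/share/Favela.r6map", "/share/1.exe", "/share/BankG.r6map"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PLUGINS_MARKER = "\\www\\js\\plugins\\"

# Constructed Sysmon-style events, one per line. Not real logs from this incident;
# the game path and the parent-child chain are assumptions made for the example.
SAMPLE_LOG = r"""
type=proc image=C:\Games\AdultGame\Game.exe parent=C:\Windows\explorer.exe cmdline="C:\Games\AdultGame\Game.exe"
type=proc image=C:\Windows\System32\wscript.exe parent=C:\Games\AdultGame\Game.exe cmdline="wscript.exe C:\Games\AdultGame\www\js\plugins\passage.vbs"
type=proc image=C:\Games\AdultGame\www\js\plugins\ffmpeg.exe parent=C:\Windows\System32\wscript.exe cmdline="ffmpeg.exe"
type=net image=C:\Windows\explorer.exe dest=kyochonchlcken.com url=/share/Favela.r6map
type=proc image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe parent=C:\Windows\explorer.exe cmdline="ServiceModelReg.exe"
type=net image="C:\Program Files\Browser\browser.exe" dest=example.com url=/
type=proc image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn key=value and key="quoted value" pairs into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(win_path: str) -> str:
    return PureWindowsPath(win_path).name.lower()


def detect(log_text: str):
    """Return (rule, detail) pairs for events matching the chain in Figure 6."""
    hits = []
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        image = ev.get("image", "")
        if ev.get("type") == "proc":
            parent = ev.get("parent", "")
            cmdline = ev.get("cmdline", "")
            # Game.exe hands off to a VBS script living in the plugins folder.
            if basename(image) in SCRIPT_HOSTS and PLUGINS_MARKER in cmdline.lower():
                hits.append(("script_host_runs_plugins_script", cmdline))
            # ffmpeg.exe (or any PE) started from the plugins folder.
            if PLUGINS_MARKER in image.lower():
                hits.append(("exe_launched_from_plugins_dir", image))
            # Injected explorer.exe creates the final Remcos host process.
            if basename(image) == "servicemodelreg.exe" and basename(parent) == "explorer.exe":
                hits.append(("servicemodelreg_spawned_by_explorer", image))
        elif ev.get("type") == "net" and ev.get("dest", "").lower() == C2_HOST:
            url = ev.get("url", "")
            tag = "listed path" if url in C2_PATHS else "unlisted path"
            hits.append(("c2_contact", f"{basename(image)} -> {C2_HOST}{url} ({tag})"))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

The host match fires on any path, not only the three listed, because the same server may serve new payload names; the detail string records whether the path was already published. The ServiceModelReg.exe rule is the noisiest of the four on its own and is best correlated with the other hits from the same host.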

As this case shows, malware is actively distributed via file-sharing websites such as Korean webhards. Users should therefore be cautious when running executables downloaded from file-sharing sites and should download programs from official websites instead.

[File Detection]
Trojan/Win.Injector.R630725 (2024.01.08.02)
Trojan/Win.Injector.R630726 (2024.01.08.02)
Trojan/VBS.Runner.SC195782 (2024.01.08.02)
Trojan/VBS.Runner.SC195783 (2024.01.08.02)
Trojan/BAT.Agent.SC195781 (2024.01.08.02)
Trojan/BAT.Agent.SC195785 (2024.01.08.02)
Trojan/VBS.Runner.SC195786 (2024.01.08.02)
Trojan/VBS.Runner.SC195787 (2024.01.08.02)
Trojan/VBS.Runner.SC195784 (2024.01.08.02)

[IOC]
Files (MD5)

– ffmpeg.exe : 00bfd32843a34abf0b2fb26a395ed2a4
– ffmpeg.dll : 4d04070dee9b27afc174016b3648b06c
– test.jpg : 5193669c2968980c0e88a87fd4bf61c4
– passage.vbs : 2e6796377e20a6ef4b5e85a4ebbe614d
– passage2.vbs : b05de31c9c254eea1be1dc4c5a38672c
– passage.bat : 5574647e6e64cee7986478a31eecbae0
– passage2.bat : 629c21b1eee4e65eb38809302ae029f6
– space.vbs : ee198ab059b0e180757e543ab6e02bed
– sky.vbs : 2f6768c1e17e63f67e173838348dee58
– road.vbs : 36aa180dc652faf6da2d68ec4dac8ddf

C&C Servers
– kyochonchlcken.com/share/Favela.r6map
– kyochonchlcken.com/share/1.exe
– kyochonchlcken.com/share/BankG.r6map

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: Remcos RAT Being Distributed via Webhards - ASEC BLOG