Pierluigi Paganini
November 11, 2024
Fortinet’s FortiGuard Labs recently uncovered a phishing campaign spreading a new variant of the Remcos RAT.
Remcos is a commercial remote administration tool (RAT) that is sold online to allow buyers remote control over computers. Threat actors use Remcos to steal sensitive information and control victims’ computers for malicious activities.
The phishing messages contain a malicious Excel document disguised as an order file to trick the recipient into opening the document. Upon opening the file, the RCE vulnerability CVE-2017-0199 is exploited.
Since 2017, threat actors leveraged weaponized Rich Text File (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.
Once the CVE-2017-0199 is exploited, it downloads an HTA file and executes it on the recipient’s device.
In this attack, MS Excel program accesses a shortened URL that redirects to a specific IP address, downloading an HTA (HTML Application) file. This file, executed by the Windows application mshta.exe via Excel’s DCOM components, initiates the attack chain.
The researchers noticed that the HTA file is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, in an attempt to evade detection.
The downloaded HTA file executed by mshta.exe runs PowerShell code to download a malicious EXE file, dllhost.exe, onto the victim’s device. Once executed, dllhost.exe extracts files into the %AppData% folder, then runs PowerShell to load and execute hidden malicious code. This PowerShell script reads and executes content from an extracted file, Aerognosy.Res, which invokes further commands. Obfuscated PowerShell code then copies dllhost.exe to %temp%, renames it to Vaccinerende.exe, hides the PowerShell process, loads malicious code in memory, and runs it using API calls like VirtualAlloc() and CallWindowProcA().
“The malicious code performs process hollowing to put itself into a newly created Vaccinerende.exe process (copied from dllhost.exe). To do this, it calls the API CreateProcessInternalW() with CreatFlags of CREATE_SUSPENDED (0x4), which will suspend the new process after it is created. It then calls some related APIs to transfer all the malicious code to the new process and run it.” reads the analysis published by Fortinet.
The malicious code uses process hollowing to stealthily download and execute the final payload, the Remcos RAT, granting attackers remote control over the infected system.
The malicious code maintains persistence by adding a new auto-run item to the system registry.
The malicious code downloads an encrypted Remcos RAT file from a remote server, using APIs such as InternetOpenA(), InternetOpenUrlA(), and InternetReadFile() to facilitate the download. After decryption, it loads a fileless version of the Remcos RAT directly into memory within the current process (Vaccinerende.exe). The RAT is then activated on a new thread by calling the undocumented API NtCreateThreadEx(), allowing it to run covertly without leaving a trace on disk.
Remcos RAT allows operators to gather multiple data from infected devices, including system metadata, and execute remote commands. The malware supports multiple commands to carry out malicious activities such as file harvesting, process and service management, registry editing, script execution, clipboard capture, altering the desktop, activating the camera and microphone, downloading more payloads, screen recording, and disabling keyboard or mouse input.
Fortinet’s report also includes Indicators of Compromise (IoCs) for this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
