Beware of Phishing Emails Disguised as Money Transfer Confirmations

Beware of Phishing Emails Disguised as Money Transfer Confirmations
ASEC reported phishing emails impersonating employees of a Korean company and luring recipients into opening a malicious XLS file that uses CVE-2017-0199 to fetch and run an HTA file. The infection chain then deploys an obfuscated PowerShell loader, a steganographic PNG payload, and finally Remcos RAT for remote control and data theft. #AhnLab #CVE-2017-0199 #RemcosRAT

Keypoints

  • Phishing emails were disguised as payment confirmation notices and impersonated employees of a specific company in Korea.
  • The attached malicious XLS file displayed a legitimate-looking payment confirmation slip as a decoy to reduce suspicion.
  • The document abused CVE-2017-0199, an OLE2Link-based Microsoft Office RCE flaw, to download an HTA file from a C2 server.
  • The HTA file used WMI Win32_Process.Create() to launch an obfuscated PowerShell script in the background.
  • The PowerShell script downloaded a PNG file with steganographically embedded data and extracted a Base64-encoded .NET loader.
  • The final payload was Remcos RAT, which can execute remote commands and collect information through keylogging, screen capture, and file manipulation.
  • The article also provided defense guidance, including verifying senders, checking links and attachments, and confirming official URLs before entering sensitive information.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attackers sent payment-confirmation emails with a malicious XLS attachment to lure victims into opening it (’emails disguise themselves as payment confirmation notices’ and ‘opening a malicious XLS file attached to the email’).
  • [T1203] Exploitation for Client Execution – The XLS document exploited CVE-2017-0199 to trigger code execution when opened (‘contains the CVE-2017-0199 vulnerability’ and ‘when a user opens the document, it automatically accesses an external URL to download and execute additional Malicious Files’).
  • [T1027] Obfuscated Files or Information – The HTA and PowerShell content were obfuscated to conceal malicious behavior (‘obfuscated PowerShell script’ and ‘the .NET loader-type malware—encoded in Base64’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – A PowerShell script was executed to download and run the next-stage payloads (‘uses the Win32_Process.Create() method of WMI to execute an obfuscated PowerShell script’).
  • [T1047] Windows Management Instrumentation – WMI Win32_Process.Create() was used to start PowerShell in the background (‘uses the Win32_Process.Create() method of WMI’).
  • [T1105] Ingress Tool Transfer – The malware downloaded the HTA, PNG payload, and Remcos RAT from remote C2 servers (‘downloads and executes a malicious HTA file’ and ‘downloads a steganographically embedded PNG file’).
  • [T1027.003] Steganography – Malicious data was hidden inside a PNG file and later extracted by the loader (‘a steganographically embedded PNG file’ and ‘Base64 data embedded in a PNG file using steganography’).
  • [T1140] Deobfuscate/Decode Files or Information – The loader extracted and decrypted encoded content from the PNG and Base64 data (‘extracts a .NET loader-type malware—encoded in Base64’ and ‘decrypted contents of the executed PowerShell script’).
  • [T1106] Native API – The HTA invoked a Windows process creation method to run code (‘uses the Win32_Process.Create() method’).
  • [T1090] Proxy – The malware used intermediate infrastructure and multiple C2 locations to reach payloads (‘downloads … from an additional C2 server’ and ‘from which it will download the Remcos RAT’).
  • [T1055] Process Injection – The article states the loader ‘loads it into memory’ and executes it, indicating in-memory execution (‘loads it into memory, and executes it’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload retrieval occurred over HTTP/HTTPS links (‘Hxxp://144.172.104[.]196…’ and ‘https[:]//blue-paper-f69f[.]acrypters[.]workers[.]dev/…’).
  • [T1219] Remote Access Software – The final payload was Remcos RAT, which provides remote command execution and surveillance capabilities (‘Ultimately, the Remcos RAT is malware that receives and executes remote commands’).
  • [T1113] Screen Capture – Remcos RAT collected information using screen capture (‘collects system and user information through various functions such as keylogging, screen capture’).
  • [T1056.001] Keylogging – Remcos RAT included keylogging functionality (‘collects system and user information through various functions such as keylogging’).
  • [T1005] Data from Local System – The malware performed file manipulation and information collection on the infected system (‘file manipulation’ and ‘collects system and user information’).

Indicators of Compromise

  • [MD5 hashes] Samples associated with the malicious documents, scripts, or payloads – 1ae66686d91145b0707c32ff43664f70, 2a0f1960fb6338537c3a366daaa28abb, and 2 more hashes
  • [URLs] HTA and PNG download locations used in the infection chain – http://144.172.104.196/35/smallbackpackcomingfromthebestplaces.hta, https://blue-paper-f69f.acrypters.workers.dev/FTM0-40PO-AO28-G98E/img_qiql6d.png
  • [IP address] C2 infrastructure hosting the HTA and RAT-related downloads – 144.172.104.196
  • [Domain] Remcos RAT C2 server – Guhudeolokghguhumandeylikebroemdfhhfhsjj.duckdns.org:4087
  • [File names] Malicious lure and payload files – Smallbackpackcomingfromthebestplaces.Hta, img_qiql6d.Png


Read more: https://asec.ahnlab.com/en/94432/