Behind the Refund: From GST Phishing to Remcos RAT Through a Multi-Stage .NET Infection Chain

Behind the Refund: From GST Phishing to Remcos RAT Through a Multi-Stage .NET Infection Chain
Seqrite Labs identified a GST-themed phishing campaign that impersonated the Government of India to deliver a multi-stage .NET malware chain ending in Remcos RAT. The operation used malicious archives, bitmap-based payload concealment, fileless execution, and dynamic DNS infrastructure to target Indian businesses and taxpayers. #RemcosRAT #GST #GovernmentofIndia #hathnetwork #synologyme

Keypoints

  • The campaign impersonated official Government of India GST notifications to lure victims into opening malicious attachments.
  • The phishing email used a spoofed sender address, a refund-related subject line, and a matching archive filename to appear legitimate.
  • The initial payload was a .NET executable embedded in a RAR archive and designed to launch a multi-stage loader chain.
  • The malware concealed next-stage payloads inside bitmap image pixels and reconstructed them in memory to avoid disk-based detection.
  • The third-stage loader deployed perfgurd.dll, used reflection and architecture-based method selection, and enabled fileless execution.
  • The final payload was Remcos RAT, which provided remote access, keylogging, credential harvesting, screenshot capture, and other post-compromise capabilities.
  • Infrastructure included randomized subdomains under aofmokighoig.hath.network, with dynamic DNS and rotating hosting used to support command-and-control activity.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The attackers delivered the malware through a malicious archive attached to a fake GST email (‘distributed a phishing email’ and ‘included an archive attachment named GST-Refund_July-26_AL27052600952P.rar’).
  • [T1204.002] User Execution: Malicious File – Infection depended on the recipient opening the attachment and interacting with the disguised file (‘persuade recipients to open malicious attachments’).
  • [T1059.001] PowerShell – A .ps1 script was created to launch the copied executable in hidden mode (‘generates a PowerShell script (.ps1) in the temporary directory’).
  • [T1129] Shared Modules – The loader used reflection to invoke methods from a loaded .NET assembly (‘loaded .NET assembly … executed via reflection’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence was established with a Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun (‘creates a Run registry entry … that points to the PowerShell script’).
  • [T1036] Masquerading – The malware disguised files as GST-related documents and used a legitimate-looking filename (‘masquerading as a GST refund-related document’ and ‘Windows Health Optimizer Plus.dll’).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – It used cmstp.exe to spawn the main process with elevated privileges (‘leverages cmstp.exe … to spawn the main process with elevated privileges’).
  • [T1027] Obfuscated Files or Information – Payloads were hidden in bitmap pixels and encoded data to hinder analysis (‘hides it inside the image by encoding the payload bytes into the RGB values’).
  • [T1027.013] Encrypted/Encoded File – The extracted payload was decrypted with a custom XOR routine (‘custom XOR-based decryption routine’).
  • [T1140] Deobfuscate/Decode Files or Information – The malware decoded hexadecimal strings and reconstructed byte streams from images (‘converted from hexadecimal to ASCII’ and ‘reconstructs the original byte stream’).
  • [T1218.003] System Binary Proxy Execution: CMSTP – The trusted cmstp.exe utility was abused to continue execution with elevated rights (‘abusing this trusted system binary’).
  • [T1620] Reflective Code Loading – Hidden assemblies were loaded directly from memory using Assembly.Load() (‘loaded entirely from memory without being written to disk’).
  • [T1055] Process Injection – The analysis indicates an injection-related operation and loader behavior intended to transfer execution covertly (‘perform an injection-related operation’ and ‘transfers execution to the next stage’).
  • [T1056.001] Keylogging – Remcos included keystroke monitoring (‘Keylogging and keystroke monitoring’).
  • [T1555] Credentials from Password Stores – The final payload performed credential harvesting (‘Credential harvesting’).
  • [T1082] System Information Discovery – The malware collected system information from the victim host (‘Collection of system and network information’).
  • [T1016] System Network Configuration Discovery – It gathered network-related details during reconnaissance (‘Collection of system and network information’).
  • [T1057] Process Discovery – The malware enumerated processes as part of reconnaissance (‘System reconnaissance’ and ‘Process and service manipulation’).
  • [T1083] File and Directory Discovery – The campaign used filesystem-related discovery and management capabilities (‘File system management’).
  • [T1113] Screen Capture – Remcos could capture screenshots (‘Screenshot capture’).
  • [T1005] Data from Local System – It collected local data from the host (‘Collection of system and network information’).
  • [T1039] Data from Network Shared Drive – The malware included broader file and system collection behavior consistent with accessing stored data (‘File system management’ and ‘Deployment of additional payloads’).
  • [T1071.001] Web Protocols – The malware communicated with attacker-controlled C2 infrastructure using network-based protocols (‘Communication with attacker-controlled Command-and-Control (C2) infrastructure’).
  • [T1105] Ingress Tool Transfer – Additional payloads could be deployed to the victim system (‘Deployment of additional payloads’).
  • [T1021] Remote Services – Remcos provided remote desktop functionality and remote access to the host (‘Remote desktop functionality’ and ‘Remote command execution’).
  • [T1489] Service Stop – The malware included process and service manipulation, indicating potential disruption of services (‘Process and service manipulation’).

Indicators of Compromise

  • [Email address] spoofed government sender used in phishing – [email protected]
  • [File names] malicious attachment and extracted payloads – GST-Refund_July-26_AL27052600952P.rar, GST-Refund_July-26_AL27052600952P.com, Windows Health Optimizer Plus.dll, and other staged files
  • [Hash / malware name] identified sample and final payload reference – 3757dccb2adae65ccdf8d5e5c948b927, RemcosRAT
  • [Hash] second-stage loader / DLL artifact – 7842D12D9E37C75076133BE5B9904CB2, CC34D9760394104AD47877A0D57E9C63
  • [Hash] additional associated artifacts – 07d7d21c2c0920d198efb9ea54900a80, 20476F3A51DFDDF3DC0603FC7858D894, and 2a34bdd25b404737ee5d3b52bf0b3b70
  • [C2 IP] command-and-control infrastructure – 185.242.4.122
  • [Domain / subdomain] dynamic DNS infrastructure used for C2 – aofmokighoig.hath.network, synology.me


Read more: https://www.seqrite.com/blog/behind-the-refund-from-gst-phishing-to-remcos-rat-through-a-multi-stage-net-infection-chain/