Seqrite Labs identified a GST-themed phishing campaign that impersonated the Government of India to deliver a multi-stage .NET malware chain ending in Remcos RAT. The operation used malicious archives, bitmap-based payload concealment, fileless execution, and dynamic DNS infrastructure to target Indian businesses and taxpayers. #RemcosRAT #GST #GovernmentofIndia #hathnetwork #synologyme
Keypoints
- The campaign impersonated official Government of India GST notifications to lure victims into opening malicious attachments.
- The phishing email used a spoofed sender address, a refund-related subject line, and a matching archive filename to appear legitimate.
- The initial payload was a .NET executable embedded in a RAR archive and designed to launch a multi-stage loader chain.
- The malware concealed next-stage payloads inside bitmap image pixels and reconstructed them in memory to avoid disk-based detection.
- The third-stage loader deployed perfgurd.dll, used reflection and architecture-based method selection, and enabled fileless execution.
- The final payload was Remcos RAT, which provided remote access, keylogging, credential harvesting, screenshot capture, and other post-compromise capabilities.
- Infrastructure included randomized subdomains under aofmokighoig.hath.network, with dynamic DNS and rotating hosting used to support command-and-control activity.
MITRE Techniques
- [T1566.001] Spearphishing Attachment â The attackers delivered the malware through a malicious archive attached to a fake GST email (âdistributed a phishing emailâ and âincluded an archive attachment named GST-Refund_July-26_AL27052600952P.rarâ).
- [T1204.002] User Execution: Malicious File â Infection depended on the recipient opening the attachment and interacting with the disguised file (âpersuade recipients to open malicious attachmentsâ).
- [T1059.001] PowerShell â A .ps1 script was created to launch the copied executable in hidden mode (âgenerates a PowerShell script (.ps1) in the temporary directoryâ).
- [T1129] Shared Modules â The loader used reflection to invoke methods from a loaded .NET assembly (âloaded .NET assembly ⌠executed via reflectionâ).
- [T1547.001] Registry Run Keys / Startup Folder â Persistence was established with a Run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun (âcreates a Run registry entry ⌠that points to the PowerShell scriptâ).
- [T1036] Masquerading â The malware disguised files as GST-related documents and used a legitimate-looking filename (âmasquerading as a GST refund-related documentâ and âWindows Health Optimizer Plus.dllâ).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control â It used cmstp.exe to spawn the main process with elevated privileges (âleverages cmstp.exe ⌠to spawn the main process with elevated privilegesâ).
- [T1027] Obfuscated Files or Information â Payloads were hidden in bitmap pixels and encoded data to hinder analysis (âhides it inside the image by encoding the payload bytes into the RGB valuesâ).
- [T1027.013] Encrypted/Encoded File â The extracted payload was decrypted with a custom XOR routine (âcustom XOR-based decryption routineâ).
- [T1140] Deobfuscate/Decode Files or Information â The malware decoded hexadecimal strings and reconstructed byte streams from images (âconverted from hexadecimal to ASCIIâ and âreconstructs the original byte streamâ).
- [T1218.003] System Binary Proxy Execution: CMSTP â The trusted cmstp.exe utility was abused to continue execution with elevated rights (âabusing this trusted system binaryâ).
- [T1620] Reflective Code Loading â Hidden assemblies were loaded directly from memory using Assembly.Load() (âloaded entirely from memory without being written to diskâ).
- [T1055] Process Injection â The analysis indicates an injection-related operation and loader behavior intended to transfer execution covertly (âperform an injection-related operationâ and âtransfers execution to the next stageâ).
- [T1056.001] Keylogging â Remcos included keystroke monitoring (âKeylogging and keystroke monitoringâ).
- [T1555] Credentials from Password Stores â The final payload performed credential harvesting (âCredential harvestingâ).
- [T1082] System Information Discovery â The malware collected system information from the victim host (âCollection of system and network informationâ).
- [T1016] System Network Configuration Discovery â It gathered network-related details during reconnaissance (âCollection of system and network informationâ).
- [T1057] Process Discovery â The malware enumerated processes as part of reconnaissance (âSystem reconnaissanceâ and âProcess and service manipulationâ).
- [T1083] File and Directory Discovery â The campaign used filesystem-related discovery and management capabilities (âFile system managementâ).
- [T1113] Screen Capture â Remcos could capture screenshots (âScreenshot captureâ).
- [T1005] Data from Local System â It collected local data from the host (âCollection of system and network informationâ).
- [T1039] Data from Network Shared Drive â The malware included broader file and system collection behavior consistent with accessing stored data (âFile system managementâ and âDeployment of additional payloadsâ).
- [T1071.001] Web Protocols â The malware communicated with attacker-controlled C2 infrastructure using network-based protocols (âCommunication with attacker-controlled Command-and-Control (C2) infrastructureâ).
- [T1105] Ingress Tool Transfer â Additional payloads could be deployed to the victim system (âDeployment of additional payloadsâ).
- [T1021] Remote Services â Remcos provided remote desktop functionality and remote access to the host (âRemote desktop functionalityâ and âRemote command executionâ).
- [T1489] Service Stop â The malware included process and service manipulation, indicating potential disruption of services (âProcess and service manipulationâ).
Indicators of Compromise
- [Email address] spoofed government sender used in phishing â [email protected]
- [File names] malicious attachment and extracted payloads â GST-Refund_July-26_AL27052600952P.rar, GST-Refund_July-26_AL27052600952P.com, Windows Health Optimizer Plus.dll, and other staged files
- [Hash / malware name] identified sample and final payload reference â 3757dccb2adae65ccdf8d5e5c948b927, RemcosRAT
- [Hash] second-stage loader / DLL artifact â 7842D12D9E37C75076133BE5B9904CB2, CC34D9760394104AD47877A0D57E9C63
- [Hash] additional associated artifacts â 07d7d21c2c0920d198efb9ea54900a80, 20476F3A51DFDDF3DC0603FC7858D894, and 2a34bdd25b404737ee5d3b52bf0b3b70
- [C2 IP] command-and-control infrastructure â 185.242.4.122
- [Domain / subdomain] dynamic DNS infrastructure used for C2 â aofmokighoig.hath.network, synology.me