Exploiting Document Templates: Stego-Campaign Deploying Remcos RAT and Agent Tesla – CYFIRMA

MITRE Techniques

• [T1566] Phishing – The malicious .docx file is possibly distributed through spam or phishing emails. Quote: ‘The malicious .docx file is possibly distributed through spam or phishing emails.’
• [T1566.001] Spear phishing Attachment – The email body masquerades as a legitimate inquiry and the attachment is delivered. Quote: ‘The malicious.docx file is attached as an attachment. This email body employs a social engineering tactic by masquerading as a legitimate inquiry regarding an order.’
• [T1204] User Execution – Opening the document initiates the attack chain. Quote: ‘Upon opening the document, a multi-stage attack is initiated, involving the download and execution of scripts and the deployment of other set of malwares.’
• [T1059.001] PowerShell – PowerShell is used in the chain to download and execute payloads. Quote: ‘The VB script, leveraging PowerShell, downloads a JPG image concealing a .NET payload encoded in base64 using steganography.’
• [T1059.005] Visual Basic – Visual Basic and PowerShell scripts are used to build and execute URLs and fetch content. Quote: ‘Visual Basic and PowerShell scripts are employed to dynamically build and execute URLs, fetch content, and execute retrieved content.’
• [T1547.001] Registry Run Keys/Startup Folder – Registry Run key updated to persist with HZA.vbs. Quote: ‘The method updates the registry key value under “SOFTWAREMicrosoftWindowsCurrentVersionRun” to reference the newly created HZA.vbs file.’
• [T1055] Process Injection – Remcos RAT is injected into RegAsm.exe for evasion. Quote: ‘Remcos RAT is injected into the legitimate “RegAsm.exe” process, demonstrating sophisticated evasion techniques.’
• [T1027] Obfuscated Files or Information – Highly obfuscated scripts/binaries are used. Quote: ‘highly obfuscated scripts and binaries.’
• [T564.003] Hidden Window – Concealed PowerShell process is used to copy and execute components. Quote: ‘a concealed PowerShell process to copy the vbs file to the designated destination.’
• [T1001.0012] Steganography – Malicious code is embedded in image files via steganography. Quote: ‘utilization of steganography, a technique involving the embedding of malicious code or malware within image files.’
• [T1071] Application Layer Protocol – C2 communications are used to download and deploy further payloads. Quote: ‘connections to a Command and Control (C2) server for the download and deployment of Agent Tesla.’