eSentire’s TRU details a January 2024 multi-stage threat starting with a lure ZIP named IMG_Mia_khlifa delivered via a Discord CDN, containing AnyDesk and a VBS file that leads to a DcRat drop. The campaign escalates to RemcosRAT with dynwrapx.dll, injection into winhlp32.exe, and a plugin-based load/run chain, highlighting a layered attack and the TRU’s recommendations for security awareness and configuration hardening. #DcRAT #RemcosRAT #MoreEggs #Kaseya #Discord #pasteee #AnyDesk #winhlp32
Keypoints
- In January 2024, a suspicious ZIP named “IMG_Mia_khlifa” (MD5: 63ad6131e2563a707353b4a9bdb0aa8b) contained AnyDesk and a VBS file (“winrm.vbs”).
- The ZIP was delivered via a Discord CDN link, showing misuse of popular platforms to distribute malware.
- The retrieved VBS file pulls another VBS from paste.ee, with the binary obfuscated by reversed hex order and string replacement.
- The binary is DcRat (MD5: bac8861baa346f0ce06c87c33284d478), with prior TRU reporting on actors using adult content to deliver DcRat (June 2023).
- The DcRat payload supports dynamic plugin loading (SendFile) and uses a registry-based mechanism to register/save plugins for later execution.
- The final payload (“aw.vbs”) drops RemcosRAT (MD5: 63a2dcb487d0d875688f4e4d5251a93b) and dynwrapx.dll (MD5: e0b8dfd17b8e7de760b273d18e58b142), with shellcode that uses ROT13 API hashing and injects into winhlp32.exe for persistence.
- TRU recommendations include phishing/Security Awareness Training, restricting script execution (e.g., .vbs) via Group Policy or Attack Surface Reduction rules, and general endpoint protection against malware.
MITRE Techniques
- [T1204] User Execution – The attack uses enticing file names to lure users into running a malicious file (e.g., “IMG_Mia_khlifa”). – “enticing or misleading file names like ‘IMG_Mia_khlifa’ for delivering malware is a common tactic.”
- [T1105] Ingress Tool Transfer – The ZIP archive is delivered via the Discord CDN link and the tool/data is retrieved from remote sources. – “The ZIP archive was delivered via the Discord CDN link.”
- [T1059.005] VBScript – winrm.vbs executes another VBS file hosted on paste[.]ee. – “the ‘winrm.vbs’ file executes another VBS file hosted on paste[.]ee.”
- [T1112] Modify Registry – The plugin data is saved to and checked in the registry for persistence. – “checks if a plugin is already registered in the system’s registry, and if not, it adds this message pack to a list for later processing and sends a request back to the server to send the plugin data.”
- [T1027] Obfuscated/Compressed Files and Information – The retrieved binary is obfuscated, with reversed hex order and string replacement. – “binary that is presented in the reversed hexadecimal order and string replacement obfuscations.”
- [T1027] Obfuscated/Compressed Files and Information – The plugin is GZIP-compressed and stored in the registry. – “The plugin is GZIP-compressed and stored in the registry.”
- [T1055] Process Injection – RemcosRAT is injected into the winhlp32.exe process to run in the context of a legitimate process. – “RemcosRAT gets injected into winhlp32.exe process.”
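Added analyst example (not code from the eSentire report) covering the two obfuscation layers named above: the reversed-hex-plus-string-replacement encoding of the retrieved binary, and the GZIP-compressed plugin stored in the registry. The substitution token “#”, the whole-string reverse (as VBScript’s StrReverse would produce) and the sample bytes are constructed assumptions, since the summary does not give the real values.

```python
import gzip

# Constructed sample (not from the report): a 14-byte PE-header stub whose hex
# string was reversed and had every "0" swapped for "#". The dropper's real
# replacement token is not given in the summary, so "#" is an assumption.
CONSTRUCTED_OBFUSCATED = "ffff######4#######3####9a5d4"
SUBSTITUTIONS = {"#": "0"}          # assumed replacement table
EXPECTED_PE_STUB = bytes.fromhex("4d5a90000300000004000000ffff")

# Constructed GZIP-wrapped plugin, mirroring the registry-stored plugin layer.
CONSTRUCTED_GZIP_PLUGIN = gzip.compress(EXPECTED_PE_STUB)


def deobfuscate_reversed_hex(blob: str, substitutions=SUBSTITUTIONS) -> bytes:
    """Undo the two layers the summary describes: string replacement first,
    then the reversed hexadecimal order (assumed to be a whole-string reverse)."""
    for token, hexchar in substitutions.items():
        blob = blob.replace(token, hexchar)
    blob = "".join(blob.split())    # tolerate line wrapping in pasted text
    if len(blob) % 2:
        raise ValueError("odd-length hex string after substitution")
    return bytes.fromhex(blob[::-1])


def inflate_registry_plugin(value: bytes) -> bytes:
    """Decompress a GZIP-compressed plugin blob as it would sit in the registry."""
    return gzip.decompress(value)


def classify_payload(data: bytes) -> str:
    """Cheap triage of a decoded blob by its magic bytes."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    return "unknown"


def triage(blob: str) -> tuple[str, bytes]:
    """Decode the obfuscated text, peel one GZIP layer if present, classify."""
    data = deobfuscate_reversed_hex(blob)
    if classify_payload(data) == "gzip":
        data = inflate_registry_plugin(data)
    return classify_payload(data), data


if __name__ == "__main__":
    kind, data = triage(CONSTRUCTED_OBFUSCATED)
    print(kind, data[:4].hex())     # pe 4d5a9000
```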
Indicators of Compromise
- [File Hash] – 63ad6131e2563a707353b4a9bdb0aa8b, 7a533f45f8b30d8bbdfd589fe06c48c2, bac8861baa346f0ce06c87c33284d478, cb878d728a452beb1af862903c49bbea, 63a2dcb487d0d875688f4e4d5251a93b, e0b8dfd17b8e7de760b273d18e58b142 (and 2 more hashes)
- [File Names] – IMG_Mia_khlifa.zip, winrm.vbs, aw.vbs
- [Domains] – paste.ee, Discord CDN (delivery channel)
- [IP] – 141.95.84.40 (host in configuration, shown as 141.95.84[.]40)
- [Ports] – 6262
- [Process] – winhlp32.exe (targeted process for injection)
Read more: https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat