Remcos RAT Disguised as UUEncoding File

Remcos RAT is being distributed inside UUEncoding (UUE) files compressed using Power Archiver and delivered as phishing attachments. The UUE container wraps an obfuscated VBS downloader that writes and runs a PowerShell script, fetches further stages, loads shellcode into wab.exe, and finally loads Remcos, which records keystrokes and profiles the system before sending the data to C2 servers hosted on DuckDNS subdomains. #RemcosRAT #UUEncoding #VBScript #PowerShell #DuckDNS #HaartoppensEft #Isocarbostyril

Keypoints

  • The Remcos RAT is distributed inside UUEncoding (UUE) files compressed using Power Archiver. A UUE file is plain ASCII text, so the attachment does not present as an archive or an executable to a naive extension filter.
  • Phishing emails are used to deliver a VBS script encoded with UUE: “Recipients must be vigilant as phishing emails are disguised as emails about importing/exporting shipments or quotations.”
  • The UUE file contains an obfuscated VBS script; the UUE wrapping and the obfuscation together are meant to get the script past attachment scanning and to slow down analysis.
  • The VBS downloader writes a PowerShell script to %Temp% as Talehmmedes.txt and runs it. That script downloads Haartoppens.Eft from a remote server into %AppData% and then runs a second PowerShell script.
  • The second PowerShell script is also obfuscated. It loads shellcode into wab.exe (the Windows Address Book binary, a legitimate signed Windows executable), adds a registry entry for persistence, and retrieves a further binary from the remote server, from which Remcos is loaded.
  • Remcos profiles the host, querying hxxp://geoplugin[.]net/json.gp (a public IP-geolocation service) to learn the victim's external IP address and location, stores captured keystrokes in %AppData% as mifvghs.dat, and sends the collected data to its C2 servers.
  • The observed C2 servers are subdomains of duckdns[.]org. DuckDNS is a legitimate free dynamic-DNS service, so block or alert on the specific subdomains in the IoC list rather than the apex domain. Defenders are advised to block macros, raise security settings, and keep anti-malware definitions up to date.
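The chain described in the keypoints leaves a recognisable trail in endpoint telemetry: a script host launching PowerShell, PowerShell spawning wab.exe, the three dropped file names, the geoplugin.net lookup and DuckDNS subdomains. The following Python is an added example, not code from the ASEC article: it runs simple detection rules over constructed Sysmon-style events (real Sysmon field names, illustrative hostnames and paths) and only calls a host compromised when execution, file and DNS evidence line up together.

```python
"""Hunt for the Remcos UUE/VBS chain in Sysmon-style endpoint telemetry.

Added example, not code from the ASEC article. The events below are constructed
for this example, using Sysmon field names (event 1: Image/ParentImage, event
11: TargetFilename, event 22: QueryName); hostnames and paths are illustrative.
The rules encode what the page reports: a script host launching PowerShell,
PowerShell spawning wab.exe as the shellcode host, the dropped file names, the
geoplugin.net profiling lookup and DuckDNS C2 subdomains. DuckDNS is a legitimate
dynamic-DNS service, so that rule is scored lower and the chain is only called
when execution, file and DNS evidence line up on one host.
"""
import ntpath

# File names the page reports for this chain (matched case-insensitively).
DROPPED_FILES = {
    "talehmmedes.txt": "PowerShell stage written to %Temp% by the VBS downloader",
    "haartoppens.eft": "next stage fetched into %AppData%",
    "mifvghs.dat": "Remcos keystroke log in %AppData%",
}


def _base(path):
    return ntpath.basename(path).lower()


def check_process(ev):
    image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    if image == "wab.exe" and parent == "powershell.exe":
        return ("high", "wab.exe spawned by PowerShell: shellcode injection host")
    if image == "powershell.exe" and parent in ("wscript.exe", "cscript.exe"):
        return ("medium", "script host launched PowerShell: VBS downloader stage")
    return None


def check_file(ev):
    name = _base(ev.get("TargetFilename", ""))
    if name in DROPPED_FILES:
        return ("high", f"dropped file {name}: {DROPPED_FILES[name]}")
    return None


def check_dns(ev):
    q = ev.get("QueryName", "").lower().rstrip(".")
    if q.endswith(".duckdns.org"):
        return ("medium", f"dynamic-DNS lookup {q}: matches reported C2 naming")
    if q == "geoplugin.net":
        return ("low", "geoplugin.net lookup: IP geolocation used to profile the host")
    return None


CHECKS = {1: ("process", check_process), 11: ("file", check_file), 22: ("dns", check_dns)}


def scan(events):
    """Return (host, stage, severity, reason) for every matching event, in order."""
    hits = []
    for ev in events:
        stage, check = CHECKS.get(ev.get("EventID"), (None, None))
        result = check(ev) if check else None
        if result:
            hits.append((ev.get("Computer", "?"), stage) + result)
    return hits


def hosts_with_full_chain(events):
    """Hosts showing all three stages: execution, a dropped file and C2/profiling DNS."""
    stages = {}
    for host, stage, _sev, _reason in scan(events):
        stages.setdefault(host, set()).add(stage)
    return sorted(h for h, s in stages.items() if s == {"process", "file", "dns"})


# Constructed telemetry: WS01 shows the full chain, WS02 only benign activity
# (a user opening Windows Contacts, which also runs wab.exe).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Computer": "WS01", "EventID": 11,
     "TargetFilename": r"C:\Users\a\AppData\Local\Temp\Talehmmedes.txt"},
    {"Computer": "WS01", "EventID": 11,
     "TargetFilename": r"C:\Users\a\AppData\Roaming\Haartoppens.Eft"},
    {"Computer": "WS01", "EventID": 1,
     "Image": r"C:\Program Files\Windows Mail\wab.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS01", "EventID": 22, "QueryName": "geoplugin.net"},
    {"Computer": "WS01", "EventID": 22, "QueryName": "frabyst44habvous1.duckdns.org"},
    {"Computer": "WS01", "EventID": 11,
     "TargetFilename": r"C:\Users\a\AppData\Roaming\mifvghs.dat"},
    {"Computer": "WS02", "EventID": 1,
     "Image": r"C:\Program Files\Windows Mail\wab.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS02", "EventID": 22, "QueryName": "www.example.com"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The parent/child rule is the durable part: file names and DuckDNS labels change between campaigns, but PowerShell spawning wab.exe (and a script host spawning PowerShell) is rarely legitimate and survives a rebuild of the loader. The wab.exe launched from explorer.exe on WS02 is the reason the rule checks the parent rather than the image alone.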

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Recipients targeted by a phishing email disguised as shipments/quotations. ‘phishing emails are disguised as emails about importing/exporting shipments or quotations’
  • [T1059.005] VBScript – The threat actor distributes a VBS script encoded using the UUE method. ‘The threat actor distributes a VBS script encoded using the UUE method’
  • [T1027] Obfuscated/Encrypted Files and Information – The VBS script is obfuscated to hinder analysis, and the UUE wrapping itself keeps the script away from scanners that only inspect the outer file. ‘obfuscated VBS script’
  • [T1105] Ingress Tool Transfer – The downloader retrieves payloads from remote hosts (Haartoppens.Eft) for execution. ‘to download Haartoppens.Eft into the %AppData% directory’
  • [T1059.001] PowerShell – PowerShell scripts are downloaded and executed as part of the chain. ‘PowerShell script into the %Temp% directory as Talehmmedes.txt and runs it’
  • [T1055] Process Injection – The second-stage PowerShell script loads shellcode into the legitimate wab.exe process. ‘loads shell code into wab.exe’
  • [T1547.001] Registry Run Keys/Startup Folder – The shellcode adds a registry entry to maintain persistence. ‘adds a registry to maintain persistence’
  • [T1056.001] Keylogging – Remcos collects keystrokes and saves them to a data file. ‘saves the keylogging data as mifvghs.dat’
  • [T1041] Exfiltration Over C2 Channel – Data is sent to the C2 server. ‘sends the data to the C&C server’
  • [T1082] System Information Discovery – The malware gathers system information from geoplugin.net. ‘collects system information through hxxp://geoplugin[.]net/json.gp’

Indicators of Compromise

  • [File Hash (MD5)] – b066e5f4a0f2809924becfffa62ddd3b, 7e6ca4b3c4d1158f5e92f55fa9742601, and 2 more hashes
  • [File Name] – Invoice_order_new.uue, Invoice_order_new.vbs
  • [URL] – hxxp://194.59.30[.]90/Isocarbostyril.u32, hxxp://194.59.30[.]90/mtzDpHLetMLypaaA173.bin
  • [Domain] – frabyst44habvous1.duckdns[.]org, frabyst44habvous2.duckdns[.]org
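To triage an attachment like Invoice_order_new.uue offline and compare the wrapped file against the hashes above, the following Python decoder is an added example (not code from the article or from Power Archiver). A UUE container is plain text: a `begin <mode> <name>` header, data lines whose first character encodes the byte count, a zero-length line and `end`. The decoder rebuilds the wrapped file, flags script-type names and hashes the payload; the sample attachment it decodes is constructed here with an inert script body, so its MD5 will not match the page's hashes.

```python
"""Decode a UUE attachment offline and triage the file it wraps.

Added example, not code from the ASEC article or from Power Archiver. The
campaign above hides an obfuscated .vbs inside a UUE container, so this decoder
rebuilds the wrapped file, flags script-type names and hashes the payload for
matching against the MD5s in the IoC list.
"""
import binascii
import hashlib
import ntpath
import re

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}

# MD5s taken from the page's IoC list; the labels are ours.
KNOWN_MD5 = {
    "b066e5f4a0f2809924becfffa62ddd3b": "Remcos UUE/VBS campaign (ASEC)",
    "7e6ca4b3c4d1158f5e92f55fa9742601": "Remcos UUE/VBS campaign (ASEC)",
}

_BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S.*?)\s*$")


def decode_uue(text):
    """Return (filename, mode, payload) for the first uuencoded file in text.

    Tolerates the two things real attachments do: lure text before 'begin', and
    trailing spaces eaten in mail transit (binascii.a2b_uu zero-pads short lines).
    """
    lines = iter(text.splitlines())
    for line in lines:
        m = _BEGIN.match(line)
        if m:
            mode, name = m.group(1), m.group(2)
            break
    else:
        raise ValueError("no 'begin' header: not a UUE container")
    payload = bytearray()
    for line in lines:
        if line.rstrip() == "end":
            return name, mode, bytes(payload)
        if line.strip() in ("", "`"):      # zero-length line before 'end'
            continue
        payload += binascii.a2b_uu(line)   # raises binascii.Error on corrupt data
    raise ValueError("truncated UUE container: no 'end' trailer")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage(text):
    """Summarise a UUE attachment: wrapped name, size, script-ness and IoC match."""
    name, mode, payload = decode_uue(text)
    ext = ntpath.splitext(name)[1].lower()
    digest = md5_hex(payload)
    return {
        "name": name,
        "mode": mode,
        "size": len(payload),
        "script_like": ext in SCRIPT_EXTENSIONS,
        "md5": digest,
        "ioc_match": KNOWN_MD5.get(digest),
    }


# Constructed sample: the wrapped file name is the one from the IoC list, but the
# script body is an inert stand-in written for this example, so its MD5 will not
# match the page's hashes. Encoded lines are stripped of trailing spaces to mimic
# mail-transit damage, which the decoder must tolerate.
SAMPLE_VBS = b'MsgBox "sample only - not the real downloader"\r\nWScript.Quit\r\n'


def build_sample_uue(payload=SAMPLE_VBS, name="Invoice_order_new.vbs"):
    chunks = (payload[i:i + 45] for i in range(0, len(payload), 45))
    body = "".join(binascii.b2a_uu(c).decode("ascii").rstrip() + "\n" for c in chunks)
    return ("Dear customer, please see the attached quotation.\n"
            f"begin 644 {name}\n{body}`\nend\n")


if __name__ == "__main__":
    print(triage(build_sample_uue()))
```

The point of decoding rather than trusting the outer name is that a `.uue` attachment is only as harmless as whatever sits between `begin` and `end`; a mail gateway or sandbox that stops at the outer extension never sees the `.vbs`. Hash the decoded payload, not the container, when matching against the IoC list.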

Read more: https://asec.ahnlab.com/en/66463/