This article explains how threat actors use obfuscation to hinder detection and analysis, focusing on a VBS downloader for Remcos RAT that hides its payload with repeated function definitions. It also notes that removing duplicate lines can aid quick analysis, revealing a Base64-encoded PowerShell script used to download Remcos.
Keypoints
- Threat actors frequently employ obfuscation to evade detection and analysis.
- Obfuscation techniques mentioned include encoding, encryption, and garbage code.
- A specific case used a VBS script as a downloader for the Remcos RAT with heavy duplication and garbage code.
- The VBS sample contained 143 identical copies of one function and 119 identical copies of another, hiding the payload.
- Removing duplicate lines can help analysts identify the actual payload quickly, even in very long scripts.
- The final payload was a Base64-encoded PowerShell script designed to download the Remcos RAT.
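A small triage script that applies the "remove duplicate lines" trick from the key points above; this is an added example, not code from the diary or its author. The VBS inside it is constructed (a benign placeholder PowerShell command, not the real Remcos downloader) with the same 143/119 copy counts the page reports, and the function names, regexes and helper names are assumptions.

```python
import base64
import re
from collections import Counter

# Constructed VBS sample (NOT the real Remcos downloader): two junk functions
# are repeated 143 and 119 times, burying one Base64-encoded PowerShell call.
PAYLOAD_PS = 'Write-Host "constructed placeholder, not the real payload"'
B64 = base64.b64encode(PAYLOAD_PS.encode("utf-16le")).decode()  # -EncodedCommand form
JUNK_A = 'Function Ka()\n  Dim q: q = 17 * 3\nEnd Function\n'
JUNK_B = 'Function Zb()\n  Dim w: w = "noise"\nEnd Function\n'
SAMPLE_VBS = (JUNK_A * 143
              + 'Set sh = CreateObject("WScript.Shell")\n'
              + JUNK_B * 119
              + f'sh.Run "powershell -EncodedCommand {B64}", 0\n')

FUNC_RE = re.compile(r"Function\s+(\w+)\s*\(.*?End Function", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def count_function_copies(src: str) -> Counter:
    """How many times each function name is (re)defined: the garbage-code signal."""
    return Counter(m.group(1) for m in FUNC_RE.finditer(src))


def dedupe_lines(src: str) -> list[str]:
    """Keep only the first occurrence of each line, in order.

    The result is no longer valid VBS (shared lines like 'End Function' collapse),
    but it shrinks hundreds of lines to the handful that actually do something."""
    seen, out = set(), []
    for line in src.splitlines():
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


def extract_encoded_powershell(src: str) -> list[str]:
    """Decode long Base64 runs as UTF-16LE, the encoding -EncodedCommand expects."""
    found = []
    for blob in B64_RE.findall(src):
        try:
            found.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not a UTF-16LE string: skip it
    return found


if __name__ == "__main__":
    print(count_function_copies(SAMPLE_VBS))
    print("\n".join(dedupe_lines(SAMPLE_VBS)))
    print(extract_encoded_powershell(SAMPLE_VBS))
```

On the constructed sample the 788-line script collapses to 7 unique lines, and the decoded blob is the placeholder command; on a real sample, run the decoded script only through static review or a sandbox.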
MITRE Techniques
- [T1059] Command and Scripting Interpreter – "Utilization of VBS scripts to execute commands on the target system."
- [T1027] Obfuscated Files or Information – "Use of repeated function definitions and garbage code to obfuscate the actual payload."
- [T1132] Data Encoding – "Base64 encoding of the PowerShell script within the VBS file."
Indicators of Compromise
- [MD5] IoC – 5f904f7f145d890eb9504aa4ccf1d050
- [SHA1] IoC – 5638789e500e43c4f5766ba0e07114e26c5f61f9
- [SHA256] IoC – 77c2fb08ad6a1ce923022b60b8402f55adf65d65ca50236dfb94b4172e2c1513
- [URL] IoC – ftp[:]//desckvbrat1@ftp[.]desckvbrat[.]com[.]br/Upcrypter/02/DLL01.txt
- [URL] IoC – hxxps[:]//sharetext[.]me/raw/d3anodwv1n
Read more: https://isc.sans.edu/diary/rss/31144