Remcos malware campaigns have remained highly active, utilizing sophisticated techniques such as NT namespace path parsing to create spoofed Windows system directories and evade detection. The malware spreads mainly through phishing emails containing malicious shortcut files, enabling attackers to gain persistent control over infected systems. #Remcos #NTNamespace #PhishingEmails #Esentutl
Keypoints
- Remcos malware uses phishing emails with malicious shortcut (.lnk) files embedded in compressed archives to infect victims.
- The malware drops a disguised executable (.pif) file that creates fake Windows system folders using the NT namespace prefix “\\?\” and an extra space in folder names.
- Batch files with heavy obfuscation and non-ASCII characters are used to evade antivirus detection and maintain persistence through scheduled tasks.
- Remcos modifies the PromptOnSecureDesktop registry value to weaken the Windows User Account Control (UAC) prompt and obtain higher-privilege execution.
- Process injection is performed into legitimate Windows processes like SndVol.exe to hide malicious activity.
- The malware communicates with C2 servers hosted on OVHcloud using unusual ports for command and control operations.
- Forcepoint security solutions detect and block these attack stages, including malicious PDFs, dropper files, and C2 domains.
MITRE Techniques
- [T1132] Data Encoding – The PowerShell script downloads a .dat file containing an EXE encoded in Base64 and decodes it before execution (‘PowerShell script downloads a .dat file containing an EXE in Base64 format, decodes it’).
- [T1064] Scripting – Embedded PowerShell code within the .lnk file is used to execute malicious commands (‘LNK file contains embedded PowerShell code’).
- [T1053] Scheduled Task/Job – Scheduled tasks are created to maintain persistence, running .URL shortcut files (‘schtasks /create /sc minute /mo 10 /tn “Nsepijto” /tr C:\ProgramData\Nsepijto.url’).
- [T1055] Process Injection – The main executable injects code into the legitimate Windows process SndVol.exe to evade detection (‘Remcos malware performs process injection in legitimate Windows system file SndVol.exe’).
- [T1218] Signed Binary Proxy Execution – Using native Windows utility esentutl to copy and rename cmd.exe for execution (‘The batch tool leverages the native Windows utility esentutl to copy cmd.exe to an unusual location under a new name’).
- [T1543] Create or Modify System Process – Batch files create spoofed directories and modify registry values to weaken UAC and facilitate stealthy execution (‘It edits the PromptOnSecureDesktop registry value, setting it to 1’).
- [T1071] Application Layer Protocol – Malware communicates with C2 domains using an unusual port for command and control communications (‘Connects to a C2 server domain hosted on OVHcloud using port 32583’).
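As an added example (not code from this summary or from the Forcepoint report), the Python below applies the behaviours listed in the keypoints and techniques above to process command lines: a directory created through the NT namespace prefix with a trailing-space component, esentutl copying cmd.exe under a new name, a scheduled task whose action is a .url shortcut, and a registry edit of PromptOnSecureDesktop. The sample command lines, the rule names and file names such as alpha.pif are constructed for illustration.

```python
import re

# Constructed sample process-creation command lines (not taken from the
# Forcepoint report); each mirrors one behaviour the summary describes.
SAMPLE_CMDLINES = [
    r'cmd.exe /c mkdir "\\?\C:\Windows \System32"',
    r'esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\ProgramData\alpha.pif /o',
    r'schtasks /create /sc minute /mo 10 /tn "Nsepijto" /tr C:\ProgramData\Nsepijto.url',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System '
    r'/v PromptOnSecureDesktop /t REG_DWORD /d 1 /f',
    r'notepad.exe C:\Users\alice\notes.txt',  # benign control line
]

# One regex per behaviour; the rule names are our own labels.
RULES = {
    # \\?\ prefix followed by a path component that ends in a space ("Windows \")
    "nt_namespace_spoofed_dir": re.compile(r'\\\\\?\\[^"]*? \\', re.I),
    # esentutl /y <path to cmd.exe> /d <destination>: cmd.exe copied under a new name
    "esentutl_copy_cmd": re.compile(r'esentutl(?:\.exe)?\s+/y\s+\S*cmd\.exe\s+/d\s+\S+', re.I),
    # scheduled task whose action (/tr) is a .url shortcut
    "schtasks_url_shortcut": re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tr\s+"?[^"\s]+\.url\b', re.I),
    # any reg add touching the UAC secure-desktop prompt setting
    "uac_prompt_on_secure_desktop": re.compile(r'\breg(?:\.exe)?\s+add\b.*PromptOnSecureDesktop', re.I),
}


def classify(cmdline):
    """Names of every rule that fires on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines):
    """(cmdline, [rule names]) for each line that matches at least one rule."""
    hits = []
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits.append((line, matched))
    return hits


def spoofed_components(path):
    # Win32 normally strips trailing spaces from names, so a component that keeps
    # one points at creation through the NT namespace prefix (the fake folders above).
    stripped = path[4:] if path.startswith('\\\\?\\') else path
    return [p for p in stripped.split('\\') if p and p != p.rstrip()]


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES):
        print(rules, "<-", line)
    print(spoofed_components(r'\\?\C:\Windows \System32'))  # ['Windows ']
```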
Indicators of Compromise
- [Hash] Key malicious file hashes – 25591e9139b1c93e10ee2f22b86abb6da98785db (TAR), d14ffa3b95ae110794c1932581a0c3a0030521d4 (LNK), 647fa7a36ec8d553c7b431acfb74cb55b475fa0e (EXE), bc7172dec0b12b05f2247bd5e17751eb33474d4e (BAT), and others (4 more BAT hashes).
- [Domain] C2 domain for command control – 5y9pfu.missileries-fenagle.yelocom.com (hosted on OVHcloud).
- [URL] Malicious download URL – siraco.net/acheck3.dat used by PowerShell scripts to download payload files.
Read more: https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face