Windows batch files can hide and orchestrate multiple payloads inside comments, executed via a PowerShell loader, revealing a layered attack chain. The analysis covers anti-sandbox checks, staged payloads decrypted by a Tak Tak DLL, and a Remcos-related C2 on mehmetemreural.net.
#Remcos #TakTak #CasPol #RegAsm #PowerShell #mehmetemreural.net
Keypoints
- The batch file embeds multiple payloads in comments and reconstructs them at runtime rather than storing a single executable outright.
- A copy of the PowerShell interpreter is placed in the malware's own directory and executed from there, so the running process does not show up as the usual powershell.exe and the presence of a PowerShell script is concealed.
- The payloads are labeled with IDs and a sorting key, enabling reconstruction by filtering, sorting, and joining lines.
- The first stage extracts and runs a PowerShell payload, which includes an anti-sandbox check to detect virtualized analysis.
- The final payload connects to a C2 server at mehmetemreural.net over TCP/443, but without TLS (it is not HTTPS), linking this technique to a Remcos-like campaign.
- Extracted payloads are encrypted and are decoded via a function exported by a DLL called "Tak Tak"; tool names are also encrypted or stored reversed (e.g., CasPol.exe, RegAsm.exe).
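The filter, sort and join steps described in the keypoints can be reproduced in a stand-alone analysis script. The following is an added example, not code from the sample or from the diary. The loader on the page reads its own file (`%~f0` expands to the full path of the running batch file) and splits it on newlines; the tag layout `::<ID>|<KEY>|<CHUNK>`, the base64 encoding of the chunks and the constructed sample file below are assumptions, since the page does not give the exact syntax. The real sample passes the joined data through a decryption routine in the "Tak Tak" DLL, which is not reproduced here; base64 stands in for it.

```python
"""Reconstruct payloads hidden in the comment lines of a batch file.

Added analysis example, not the sample's own code. The tag layout
`::<ID>|<KEY>|<CHUNK>` and the base64 encoding are assumptions; the real
loader hands the joined data to a decryption function in the "Tak Tak" DLL.
"""
import base64
import re
from collections import defaultdict

# Constructed sample batch file (not from the diary). Chunks of two payloads
# are stored as `::` comments with a payload ID and a zero-padded sort key and
# are deliberately out of order, so a plain top-to-bottom read is useless.
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    "::S1|0002|aGVs",
    "::T1|0001|UHNhQw==",
    "::S1|0000|cG93",
    "::T1|0000|ZXhlLmxv",
    "::S1|0003|bA==",
    "::S1|0001|ZXJz",
    r'copy "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" "%~dp0host.exe"',
    r'"%~dp0host.exe" -NoP -W Hidden -Command "..."',
])

TAG = re.compile(r"^::(?P<id>\w+)\|(?P<key>\d+)\|(?P<chunk>\S+)\s*$")


def split_lines(text: str) -> list[str]:
    """Mimic `.Split([Environment]::NewLine)` on a CRLF file, while also
    tolerating bare LF so a re-saved sample still parses."""
    return text.replace("\r\n", "\n").split("\n")


def collect_chunks(text: str) -> dict[str, list[tuple[int, str]]]:
    """Filter step: keep only tagged comment lines, grouped by payload ID."""
    chunks: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for line in split_lines(text):
        m = TAG.match(line)
        if m:
            chunks[m["id"]].append((int(m["key"]), m["chunk"]))
    return chunks


def reconstruct(text: str) -> dict[str, bytes]:
    """Sort-and-join step: order each payload's chunks by key, concatenate,
    and base64-decode. A gap or duplicate in the keys raises instead of
    silently producing a truncated payload."""
    payloads: dict[str, bytes] = {}
    for pid, parts in collect_chunks(text).items():
        parts.sort()
        keys = [k for k, _ in parts]
        if keys != list(range(len(keys))):
            raise ValueError(f"{pid}: gap or duplicate in sort keys {keys}")
        payloads[pid] = base64.b64decode("".join(c for _, c in parts), validate=True)
    return payloads


def comment_payload_ratio(text: str) -> float:
    """Triage heuristic: fraction of non-empty lines that are tagged comments.
    A batch file that is mostly `::` data lines deserves a second look."""
    lines = [ln for ln in split_lines(text) if ln.strip()]
    tagged = sum(1 for ln in lines if TAG.match(ln))
    return tagged / len(lines) if lines else 0.0


if __name__ == "__main__":
    found = reconstruct(SAMPLE_BAT)
    for pid, data in found.items():
        print(pid, data)
    # The page notes tool names are stored reversed; T1 decodes to "exe.loPsaC".
    print("T1 reversed:", found["T1"].decode()[::-1])
    print("tagged-comment ratio:", round(comment_payload_ratio(SAMPLE_BAT), 2))
```

The key-continuity check matters when carving a sample from a partial capture: a missing chunk should fail loudly rather than yield a payload that merely looks decodable. The same filter-sort-join logic can be turned into a YARA or Sigma-style triage rule by looking for batch files with an unusually high proportion of long `::` or `REM` lines.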
MITRE Techniques
- [T1059.001] PowerShell – The batch file invokes PowerShell to execute embedded payloads; `%~f0` expands to the full path of the running batch file, so the loader reads its own source. Quote: "powershell.exe … -Command "$eqvEOQH = [System.IO.File]::ReadAllText('%~f0').Split([Environment]::NewLine); …""
- [T1497] Virtualization/Sandbox Evasion – Anti-sandbox technique to detect sandbox behavior by sleep timing. Quote: “First, the script implements a simple but effective anti-sandbox technique: It tries to detect if a sandbox is trying to alter the sleep() calls.”
- [T1140] Deobfuscate/Decode Files or Information – Payloads are encrypted and decrypted via a DLL routine. Quote: “Extracted payloads are encrypted. They are processed via a function provided by a DLL called ‘Tak Tak’.”
- [T1027] Obfuscated/Compressed Files and Information – Encryption and reversal of strings to hide tool names. Quote: "Some tool names are also encrypted and the strings are reversed: … contains 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe'."
- [T1564] Hide Artifacts – Copy of the PowerShell interpreter is placed in the malware directory to hide the PS script. Quote: “a copy of the PowerShell interpreter is created in the current malware directory (to not reveal the presence of a PowerShell script being executed).”
- [T1071.001] Web Protocols – C2 communication to mehmetemreural.net over TCP/443 without TLS. Quote: "The malware connects to its C2 server: mehmetemreural.net. It connects through port TCP/443 but it's not HTTPS." Because the traffic is not HTTP(S), T1571 (Non-Standard Port: a non-standard protocol on a well-known port) describes this more precisely than T1071.001; for detection, a TLS inspection or JA3-style rule will not see a handshake, so look for non-TLS byte streams on 443 instead.
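The sleep-timing check behind the T1497 entry is easiest to understand in code. The following is an added example, not code from the sample or the diary: it times a requested delay against a wall clock and flags the call when it returns implausibly early, which is what happens when a sandbox hooks Sleep()/Start-Sleep to skip delays. The `sleep` and `clock` parameters are injectable (an assumption of this example) so the hooked case can be simulated without a real sandbox.

```python
"""Detect a sandbox that shortens or skips sleep calls.

Added example, not the sample's own code. Sandboxes commonly hook the
sleep primitive so that a time-bombed sample detonates within the analysis
window; measuring elapsed wall-clock time around the call exposes that.
"""
import time
from typing import Callable


def sleep_was_tampered(seconds: float,
                       sleep: Callable[[float], None] = time.sleep,
                       clock: Callable[[], float] = time.perf_counter,
                       tolerance: float = 0.5) -> bool:
    """Return True when a requested sleep finished implausibly early.

    An honest sleep takes at least `seconds`; a patched one returns almost
    at once. `tolerance` sets how much of the requested delay must really
    elapse before the call is considered genuine (0.5 = half).
    """
    start = clock()
    sleep(seconds)
    elapsed = clock() - start
    return elapsed < seconds * tolerance


def fake_fast_sleep(_seconds: float) -> None:
    """Stand-in for a sandbox hook that makes every sleep return immediately."""
    return None


class VirtualClock:
    """Stand-in for a sandbox that skips sleeps but also advances the clock
    the sample reads, which is what defeats this check."""

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds  # no real wait, but time appears to pass

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    print("honest sleep tampered?", sleep_was_tampered(0.2))
    print("hooked sleep tampered?", sleep_was_tampered(0.2, sleep=fake_fast_sleep))
    vc = VirtualClock()
    print("sleep-skip with virtual clock tampered?",
          sleep_was_tampered(0.2, sleep=vc.sleep, clock=vc))
```

The defender-side takeaway is in the third case: a sandbox that accelerates sleeps must also advance every clock the sample can read (tick count, performance counter, wall time), or checks like this one trivially distinguish it from a real host.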
Indicators of Compromise
- [Domain] mehmetemreural.net – C2 domain used for command and control communications.
- [File] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe – Tool name extracted from obfuscated strings.
- [File] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe – Another tool name extracted from obfuscated strings.
Both CasPol.exe and RegAsm.exe are legitimate, signed .NET Framework utilities present on any host with .NET Framework 4.x, so their paths are not indicators on their own; what is suspicious is their being launched from this batch/PowerShell chain (typically as a host for injected code), which is the process-ancestry relationship to alert on.
Read more: https://isc.sans.edu/diary/rss/30592