ASEC reported phishing emails impersonating employees of a Korean company and luring recipients into opening a malicious XLS file that uses CVE-2017-0199 to fetch and run an HTA file. The infection chain then deploys an obfuscated PowerShell loader, a steganographic PNG payload, and finally Remcos RAT for remote control and data theft. #AhnLab #CVE-2017-0199 #RemcosRAT
Keypoints
- Phishing emails were disguised as payment confirmation notices and impersonated employees of a specific company in Korea.
- The attached malicious XLS file displayed a legitimate-looking payment confirmation slip as a decoy to reduce suspicion.
- The document abused CVE-2017-0199, an OLE2Link-based Microsoft Office RCE flaw, to download an HTA file from a C2 server.
- The HTA file used WMI Win32_Process.Create() to launch an obfuscated PowerShell script in the background.
- The PowerShell script downloaded a PNG file with steganographically embedded data and extracted a Base64-encoded .NET loader.
- The final payload was Remcos RAT, which can execute remote commands and collect information through keylogging, screen capture, and file manipulation.
- The article also provided defense guidance, including verifying senders, checking links and attachments, and confirming official URLs before entering sensitive information.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment â The attackers sent payment-confirmation emails with a malicious XLS attachment to lure victims into opening it (âemails disguise themselves as payment confirmation noticesâ and âopening a malicious XLS file attached to the emailâ).
- [T1203] Exploitation for Client Execution â The XLS document exploited CVE-2017-0199 to trigger code execution when opened (âcontains the CVE-2017-0199 vulnerabilityâ and âwhen a user opens the document, it automatically accesses an external URL to download and execute additional Malicious Filesâ).
- [T1027] Obfuscated Files or Information â The HTA and PowerShell content were obfuscated to conceal malicious behavior (âobfuscated PowerShell scriptâ and âthe .NET loader-type malwareâencoded in Base64â).
- [T1059.001] Command and Scripting Interpreter: PowerShell â A PowerShell script was executed to download and run the next-stage payloads (âuses the Win32_Process.Create() method of WMI to execute an obfuscated PowerShell scriptâ).
- [T1047] Windows Management Instrumentation â WMI Win32_Process.Create() was used to start PowerShell in the background (âuses the Win32_Process.Create() method of WMIâ).
- [T1105] Ingress Tool Transfer â The malware downloaded the HTA, PNG payload, and Remcos RAT from remote C2 servers (âdownloads and executes a malicious HTA fileâ and âdownloads a steganographically embedded PNG fileâ).
- [T1027.003] Steganography â Malicious data was hidden inside a PNG file and later extracted by the loader (âa steganographically embedded PNG fileâ and âBase64 data embedded in a PNG file using steganographyâ).
- [T1140] Deobfuscate/Decode Files or Information â The loader extracted and decrypted encoded content from the PNG and Base64 data (âextracts a .NET loader-type malwareâencoded in Base64â and âdecrypted contents of the executed PowerShell scriptâ).
- [T1106] Native API â The HTA invoked a Windows process creation method to run code (âuses the Win32_Process.Create() methodâ).
- [T1090] Proxy â The malware used intermediate infrastructure and multiple C2 locations to reach payloads (âdownloads ⌠from an additional C2 serverâ and âfrom which it will download the Remcos RATâ).
- [T1055] Process Injection â The article states the loader âloads it into memoryâ and executes it, indicating in-memory execution (âloads it into memory, and executes itâ).
- [T1071.001] Application Layer Protocol: Web Protocols â C2 and payload retrieval occurred over HTTP/HTTPS links (âHxxp://144.172.104[.]196âŚâ and âhttps[:]//blue-paper-f69f[.]acrypters[.]workers[.]dev/âŚâ).
- [T1219] Remote Access Software â The final payload was Remcos RAT, which provides remote command execution and surveillance capabilities (âUltimately, the Remcos RAT is malware that receives and executes remote commandsâ).
- [T1113] Screen Capture â Remcos RAT collected information using screen capture (âcollects system and user information through various functions such as keylogging, screen captureâ).
- [T1056.001] Keylogging â Remcos RAT included keylogging functionality (âcollects system and user information through various functions such as keyloggingâ).
- [T1005] Data from Local System â The malware performed file manipulation and information collection on the infected system (âfile manipulationâ and âcollects system and user informationâ).
Indicators of Compromise
- [MD5 hashes] Samples associated with the malicious documents, scripts, or payloads â 1ae66686d91145b0707c32ff43664f70, 2a0f1960fb6338537c3a366daaa28abb, and 2 more hashes
- [URLs] HTA and PNG download locations used in the infection chain â http://144.172.104.196/35/smallbackpackcomingfromthebestplaces.hta, https://blue-paper-f69f.acrypters.workers.dev/FTM0-40PO-AO28-G98E/img_qiql6d.png
- [IP address] C2 infrastructure hosting the HTA and RAT-related downloads â 144.172.104.196
- [Domain] Remcos RAT C2 server â Guhudeolokghguhumandeylikebroemdfhhfhsjj.duckdns.org:4087
- [File names] Malicious lure and payload files â Smallbackpackcomingfromthebestplaces.Hta, img_qiql6d.Png
Read more: https://asec.ahnlab.com/en/94432/