Efficiently Distributing RemcosRAT Through Steganography

RemcosRAT is being distributed via steganography, beginning with a Word document that uses template injection, followed by an RTF that exploits a Word equation editor vulnerability to download and execute code. The chain then uses VBScript hosted on a C2 or paste service, obfuscated PowerShell, Base64-encoded payloads hidden in images, reflective loading of a .NET DLL, and ultimately process hollowing to run RemcosRAT. #RemcosRAT #Steganography #PowerShell #ProcessHollowing #ReflectiveCodeLoading #EQNEDT32

Keypoints

  • RemcosRAT is being delivered through steganography, starting with a Word document and a vulnerable RTF path.
  • The RTF stage downloads VBScript files, including one disguised as a “.jpg” from a C2 and another from paste.ee, a Pastebin-like service.
  • The VBScript is heavily obfuscated and triggers a PowerShell script for further payload delivery.
  • The PowerShell payload downloads an image that hides Base64-encoded data representing a .NET DLL, which is loaded reflectively and executed in memory.
  • The final RemcosRAT payload is executed via process hollowing using RegAsm.exe as the suspended host.
  • A set of IOCs (MD5s, C2s, and IPs) and detection names are provided to aid defense against this campaign.
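The keypoints above describe a Base64-encoded .NET DLL hidden inside a downloaded image. The following triage helper, added here as an example and not part of the original report, carves Base64 runs out of an image file and flags any run that decodes to a PE image (MZ header plus a valid `PE\0\0` signature). The sample image and the fake PE bytes are constructed for the demonstration.

```python
import base64
import re

# Constructed sample (not from the report): a JPEG SOI/APP0 header, some filler,
# a Base64 blob that decodes to a minimal fake PE (MZ stub + PE signature), then EOI.
FAKE_PE = (
    b"MZ" + b"\x90" * 58            # DOS header up to e_lfanew (offset 0x3C)
    + (64).to_bytes(4, "little")    # e_lfanew = 0x40 -> PE signature follows immediately
    + b"PE\x00\x00" + b"\x00" * 40  # PE signature and a dummy COFF header
)
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 32
    + base64.b64encode(FAKE_PE)
    + b"\xff\xd9"
)

# A long run of Base64 alphabet characters is unusual inside real image data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """Check the MZ header and follow e_lfanew to the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(data: bytes) -> list:
    """Return (offset, decoded_bytes) for every Base64 run that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0).rstrip(b"=")
        run = run[: len(run) - len(run) % 4]  # drop a dangling partial quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if looks_like_pe(decoded):
            hits.append((m.start(), decoded))
    return hits


if __name__ == "__main__":
    for offset, pe in carve_base64_pe(SAMPLE_IMAGE):
        print(f"embedded PE found at image offset {offset}, {len(pe)} bytes decoded")
```

A real campaign may wrap the blob in markers or split it across lines, so the regex is a starting point for triage rather than a complete detection.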

MITRE Techniques

  • [T1566.001] Spear Phishing Attachment – Attacks begin with a Word document that likely appears legitimate to the victim but contains malicious elements. This is indicative of a spear phishing attack using a document as the vector.
  • [T1221] Template Injection – The initial Word document employs template injection, which manipulates document templates to execute malicious code when the document is opened.
  • [T1203] Exploitation for Client Execution – An RTF file is then downloaded and executed, exploiting a vulnerability in the equation editor component of Microsoft Word (EQNEDT32.EXE), leading to code execution.
  • [T1496] Resource Hijacking – The RTF file downloads a VBScript masquerading as a “.jpg” file from a command and control (C2) server, indicating the use of file name deception to hide malicious scripts.
  • [T1567.002] Use of Paste Sites for Staging – Another VBScript is downloaded from “paste.ee,” a text sharing service similar to Pastebin, used here for hosting malicious code.
  • [T1027] Obfuscated Files or Information – The VBScript is heavily obfuscated with special characters to evade detection.
  • [T1059.001] PowerShell – The obfuscated script executes a PowerShell script; PowerShell is a common choice for attackers because of its powerful capabilities and availability on Windows systems.
  • [T1027.003] Steganography – The PowerShell script downloads an image containing hidden data encoded in Base64, using steganography to conceal the payload.
  • [T1620] Reflective Code Loading – The PowerShell script then uses reflective code loading to execute a .NET DLL file directly from memory, avoiding traditional file-based execution. ‘The decoded data is “.NET DLL” which is given 6 arguments and executed through reflective code loading.’
  • [T1055.012] Process Hollowing – RemcosRAT, the final payload, is executed using the process hollowing technique, where a legitimate process (RegAsm.exe) is started in a suspended state, its memory is replaced with malicious code, and then resumed to execute the malware.
  • [T1071] Command and Control – Throughout the attack, multiple files are downloaded from a C2 server, indicating ongoing communication with an attacker-controlled server.
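The chain above (equation editor exploit, VBScript, PowerShell, then RegAsm.exe hollowed) leaves a distinctive process lineage. The following script is an added example, not part of the original report, that walks constructed process-creation events and raises alerts for two observations grounded in the description: EQNEDT32.EXE spawning any child, and RegAsm.exe being started by a script host. Field names and the sample events are assumptions made for the demonstration; in the sample, EQNEDT32.EXE is started by svchost.exe, as an out-of-process COM server would be.

```python
# Constructed process-creation events (not from the report), one dict per process,
# modelled loosely on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 3900, "ppid": 700,  "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4100, "ppid": 5000, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 4212, "ppid": 3900, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 4320, "ppid": 4212, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 4418, "ppid": 4320, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4502, "ppid": 4418, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 5000, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},
    # Benign control case: a developer registering an assembly from the desktop.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Image names from the process up through every known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (pid, reason, lineage) tuples for processes matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname == "eqnedt32.exe":
            alerts.append((e["pid"], "EQNEDT32.EXE spawned a child process", ancestors(e["pid"], by_pid)))
        if name == "regasm.exe" and pname in SCRIPT_HOSTS:
            alerts.append((e["pid"], "RegAsm.exe started by a script host (hollowing candidate)", ancestors(e["pid"], by_pid)))
    return alerts


if __name__ == "__main__":
    for pid, reason, lineage in detect(SAMPLE_EVENTS):
        print(pid, reason, " <- ".join(lineage))
```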

Indicators of Compromise

  • [Hash] context – FDFD9E702F54E28DC2CA5F7C04BF1C8F, F5A49410D9EA23DC2CF67D7D3BA8FAD0, and 3 other hashes
  • [URL] context – hxxp://ur8ly.com/asy2xr, hxxps://paste.ee/dEh1G4
  • [IP] context – 107.175.31[.]187, 192.210.201[.]57:52748
  • [Domain] context – paste.ee, ur8ly.com
  • [File name] context – EQNEDT32.EXE, RegAsm.exe

Read more: https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/