Exploiting Document Templates: Stego-Campaign Deploying Remcos RAT and Agent Tesla – CYFIRMA

Published On : 2024-03-05

Exploiting Document Templates: Stego-Campaign Deploying Remcos RAT and Agent Tesla

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Our research team recently identified a malicious .docx file linked to the stego-campaign, revealing a sophisticated cyber threat.

This campaign utilizes template injection in a Microsoft Office document to bypass traditional email security measures. Upon opening the document, a multi-stage attack is triggered, involving the download and execution of scripts and the deployment of the Remcos Remote Access Trojan (RAT) and malware “Agent Tesla”.

The Remcos RAT grants threat actors’ extensive control, enabling activities such as remote control, keylogging, data theft, screenshot capture, file manipulation, and command execution. Additionally, the attack introduces Agent Tesla, a .NET-based RAT and data theft tool. The report meticulously outlines the entire attack chain, emphasizing the evolving tactics of threat actors.

INTRODUCTION

Our research team analysed the malicious .docx exploiting template injection within a Microsoft Office document, cleverly evading traditional email security measures. Upon opening the document, a multi-stage attack is initiated, involving the download and execution of scripts and the deployment of other set of malwares.

The report explores the complex process where a VB script, leveraging PowerShell, downloads a JPG image concealing a .NET payload encoded in base64 using steganography. The execution of the .NET assembly retrieves the Remcos RAT payload, invoking its malicious operations. Additionally, the analysis uncovers connections to a Command and Control (C2) server for the download and deployment of Agent Tesla.

Following is the control flow of the process:

KEY POINTS

  • The malicious .docx file is possibly distributed through spam or phishing emails. It leverages template injection to bypass email security measures. Opening the document triggers connections to a remote URL.
  • The document contains a seemingly benign table but conceals a targeted approach, possibly directed at “General Electrics, Taiwan.”
  • Next stage downloaded RTF file, leveraging the Equation Editor Vulnerability (CVE-2017-11882), to initiate an attack chain. The RTF document contains embedded malicious code, leading to the download and execution of scripts.
  • Visual Basic and PowerShell scripts are employed to dynamically build and execute URLs, fetch content, and execute retrieved content.
  • The explanation outlines how a VB script, executed through PowerShell, is involved in downloading a JPG image. The JPG image serves as a container for a hidden .NET payload encoded in base64, utilizing steganography. The execution of the .NET assembly is responsible for retrieving the malware payload Remcos RAT. This retrieval involves downloading the malware, injecting it, and invoking its malicious operations.
  • The threat actors exploit legitimate Living Off the Land Binary (LoLBin) binaries, such as “RegAsm” and “WinRm,” to accomplish their malicious objectives.
  • This is a multistage attack involving the download of the next-stage malware from servers and open directories controlled by the threat actor. The process incorporates highly obfuscated scripts and binaries.
  • The final payloads are Remcos RAT and Agent Tesla. Remcos RAT is injected into the legitimate “RegAsm.exe” process, demonstrating sophisticated evasion techniques. While Agent Tesla is downloaded later and executes as child process of “RegAsm.exe”.

ETLM ATTRIBUTION

The Cyfirma research team consistently explores emerging threats, malware, and Tactics, Techniques, and Procedures (TTPs) employed by threat actors. We actively monitor existing threats, track ongoing campaigns, assess their progress, and stay vigilant for any novel developments within this landscape.

Building on these ongoing efforts, we have uncovered a recent malicious .docx file in the wild, associated with the persistent stegno-Campaign that has been active since last year. This campaign earns its name from the utilization of steganography, a technique involving the embedding of malicious code or malware within image files. The objective is the deployment of commodity malware, such as Agent Tesla, Remcos RAT, and XWorm. The attack we’ve identified is complex and multi-staged, encompassing various phases, including downloading, decoding, injection, and execution of additional malicious code, scripts, and binaries to compromise the targeted machine.

After accessing the malicious .docx file, users are redirected to a harmful URL, initiating the next stage of the attack. Simultaneously, the victim is confronted with the following decoy document, concealing the commencement of malicious activities in the background. These activities encompass the download and execution of scripts and malware. The document, seemingly benign, comprises a table featuring project details, buyer information, and payment particulars, with a notable “Confidential” designation. The inclusion of “General Electrics, Taiwan” in the document indicates a potential targeting of GE and its vendors in Taiwan.

The following is the email used to send this malicious document. The malicious.docx file is attached as an attachment. This email body employs a social engineering tactic by masquerading as a legitimate inquiry regarding an order. The sender urges the recipient to open the attached document for confirmation, introducing a malicious payload.

According to the information extracted from the email headers, the originating IP address is identified as “119[.]63[.]80[.]29.” Further analysis through OSINT indicates that this IP address is associated with email spam categorization. The presence of this tag suggests a potential association with unsolicited and unwanted email communication,

We have identified additional instances of similar samples. Notably, the existence of only a limited number of analogous samples is a noteworthy observation. What adds significance to this discovery is the fact that all these samples share a common upload date. This synchronous same date strongly suggests a deliberate and coordinated effort, indicating the possibility that these samples were intentionally sent to their targets on the same day, thus emphasizing an indication that it is possibly a purposeful campaign rather than random activity.

By consistently monitoring emerging threats, malware, and Tactics, Techniques, and Procedures (TTPs) employed by threat actors, the team identified malicious .docx file linked to this ongoing campaign. The utilization of steganography in embedding malicious code within image files underscores the adversary’s commitment to evading traditional security measures.

The multistage attack, involving template injection, VB scripts, PowerShell, and exploitation of legitimate binaries like “RegAsm” and “WinRm,” reflects a high level of sophistication. The presence of well-known malware such as Remcos RAT and Agent Tesla, coupled with the strategic mentioning of an entity in Taiwan, points to a campaign orchestrated with purpose.

This recognition highlights the commitment of the Cyfirma Research team to diligently anticipate and scrutinize emerging cyber threats, providing invaluable insights to fortify the resilience of the cybersecurity landscape.

ANALYSIS

Basic Details:
MD5: 7e9afffcd5105a119308bc5e1289fda4
SHA256: 29325e23a684f782db14a1bf0dc56c65228e666d1f561808413a735000de3515
File Type: MS Office Open XML Document (DOCX)

When a Microsoft document file, such as a docx, is opened, Microsoft Office typically loads a default template. However, it’s easy to define or modify a template by updating a setting. This presents an opportunity for malicious actors to weaponize a seemingly benign document for phishing campaigns. They can achieve this by sending a seemingly harmless Microsoft document file that references a remote malicious template. This template is only fetched and loaded when the decoy file is opened, allowing it to effectively bypass existing email security measures.

The threat actor in this case employs the same technique known as template injection. The manipulated setting instructs winword.exe to access a specific target (in this case, “http[:]//someofthelovercantbuyhappinessfromthe@shtu[.]be/5f0848”) when the victim opens the document.

Upon opening the document, it connects to the URL specified above, defined as the target in the document and displays the decoy document to the victim.

The malware authors use an online URL shortener service for resolving the final address.

It further downloads an RTF file with the name “mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess.doc” by connecting to URL “http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess.doc”. The order of redirection is as follows:

  • “http[:]//shut[.]be/5f0848”
  • “http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryou”
  • “http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess[.]doc

The RTF document has embedded malicious code. It Leverages the Equation Editor Vulnerability (CVE-2017-11882) to trigger the download of the subsequent payloads in the attack chain.

The process utilizes the legitimate executable “EQNEDT32.EXE” to initiate the execution of malicious shellcode. The purpose is to download VB script file from the specified URL and execute.

Further, the command “C:WindowsSystem32WScript.exe” “C:UsersUsernameAppDataRoamingmodernlover.vbs” invokes the Windows Script Host to execute the malicious VBScript file “modernlover.vbs”.

This script dynamically builds the URL “https[:]//paste[.]ee/d/amGOG”, fetch content from that URL, and then execute the retrieved content using ExecuteGlobal.

The URL https[:]//paste[.]ee/d/amGOG fetches the following highly obfuscated code, which is the actual code for VB script which on running decode, creates another string “$codigo” and runs it through powershell command.

The above obfuscated code is decoded into a powershell command, the command for execution is stored in variable “$codigo”, which is also obfuscated. We further decoded it, and the result is the powershell script, which gets executed.

The script downloads data from random URLs, looks for a base64-encoded command in the downloaded data, decodes and executes it.

The code takes an array of URLs as input:

  • “https[:]//uploaddeimagens[.]com[.]br/images/007826222”,
  • “http[:]//45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg?1707826222”,
  • “http[:]//45[.]74/xampp/bkp/vbs_novo_new_image[.]jpg”

It creates a WebClient object to download data from URLs. It shuffles and downloads data from the random URL. If data is successfully downloaded, it converts the byte data to a UTF-8 encoded string ($imageText). It searches for a base64-encoded command between specified start and end flags in the downloaded data. If a valid base64 command is found, it decodes it, loads it as an assembly, and invokes a specific method (‘VAI’).

In our case, the script retrieved data in the form of a JPG image file from the specified URL, “http[:]//45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg?1707826222”.

Within the JPG file content, malicious .NET code is concealed and encoded in Base64 format, placed between the markers <<BASE64_START>> and <<BASE64_END>>.

We decoded the content and identified it as a .NET DLL.

The binary is 32-bit .NET DLL file having console subsystem. The compiler stamp is as recent as of Feb-24 and named as “PROJETOAUTOMACAO.VB1.dll”.

As specified above the powershell script loads the .NET assembly, invokes the method (‘VAI’) and also passes arguments to it. The script dynamically loads this assembly into memory. The loaded assembly contains a static method called VAI, the VAI method is invoked with the number of parameters, including URL “http[:]//107[.]173[.]4[.]15/35005/HZA.txt” to download next stage payload Remocs RAT and the file name “RegAsm” to inject with this malicious payload.

The VAI method downloads content/file with name “HZA.txt” from a reversed URL “txt[.]AZH/50053/51[.]4[.]371[.]701//:ptth,” which is provided as a parameter, which is later resolved and in actual is “http[:]//107[.]173[.]4[.]15/35005/HZA.txt”.

The downloaded content undergoes a decoding process involving both reversal and Base64 decoding. Upon decoding, it reveals the presence of the Remcos Remote Access Trojan (RAT) as the ultimate payload.

This payload is then injected into the legitimate “RegAsm.exe” process, showcasing a sophisticated evasion technique employed by malicious actors.

The Start method leverages HZA.vbs, which is the legitimate Windows “winrm.vbs” LOLBin (Living Off the Land Binary). The method first checks whether the HZA.vbs file exists in the specified directory, “C:ProgramData.” If the file is not present in this location, the method initiates a concealed PowerShell process to copy the vbs file to the designated destination.

Subsequently, the method updates the registry key value under “SOFTWAREMicrosoftWindowsCurrentVersionRun” to reference the newly created HZA.vbs file. This tactic is commonly employed by malware for persistence, ensuring that the script is executed during the startup process of the system.

LOLBins (short for “Living Off the Land Binaries”) are legitimated Microsoft-signed binaries that threat actors can abuse for malicious purposes. Threat actors abuse WinRM for various malicious activities, including lateral movement, code execution, privilege escalation, and achieving persistence on compromised systems.

The final payload is the Remcos RAT 32 -bit executable. The configuration data has been retrieved from the binary. As indicated below, the configuration is stored in the resource section of the binary, under the name “SETTINGS,” mirroring the approach observed in prior versions of the Remcos RAT. The configuration data is encrypted using the RC4 algorithm.

The initial byte indicates the length of the key, represented as “3B” in hexadecimal (highlighted in red) decoded to “59” in decimal. This signifies that the subsequent 59 bytes constitute the key (highlighted in yellow). The encrypted configuration data is denoted by the code highlighted in black.

Upon extraction, the configuration data from the binary gives us following details (highlighted in below screenshot):

  • C2: sembe.duckdns.org
  • Botnet Name: RemoteHost
  • File name: Remcos.exe
  • Logs Folder name: notees
  • Identifier/Mutex: Rmc-P0AEMX
  • Log File: logs.dat

It generates a mutex using the name “Rmc-P0AEMX” to ensure that multiple instances are not executed simultaneously.

It generates a log file named “logs.dat” to facilitate keylogging. Located at ” C:UsersUsername1AppDataRoamingnotesslogs.dat” this file records all activities, including keystrokes and data copied to the clipboard.

Remcos RAT established connection with IP “178.237.33.50” to collect geolocation information. The IP belongs to geoplugin[.]net which provides geolocation information based on source IP and various malware used it.

Moreover, it establishes a TCP connection to the IP address “194[.]187[.]251[.]115” to retrieve the additional stealer “Agent Tesla”.

The execution of “Agent Tesla” takes place within the “C:UsersUsername1AppDataLocalTemp” directory and operates as a subprocess of “RegAsm.exe” with name “New1.exe”.

The Remcos RAT is a sophisticated tool with versatile capabilities, enabling threat actors to remotely control victim computers, perform keylogging, steal data, capture screenshots, manipulate files, and execute commands. Its broad range of functionalities underscores its potential for compromising user privacy, exfiltrating sensitive data, and orchestrating system manipulations. Initially introduced as commercially available malware in 2016, the Remcos RAT has since been repurposed as a malicious instrument, exploited by threat actors across various campaigns for unauthorized access and malicious activities.

The Agent Tesla identified is a .NET 32-bit binary with a GUI subsystem.

Agent Tesla, is a .Net-based Remote Access Trojan (RAT) and data theft tool, normally serving as a means to obtain initial access, commonly utilized within the Malware-As-A-Service (MaaS) framework. In this model, initial access brokers (IAB), possessing expertise in exploiting corporate networks, collaborate with criminal groups. Functioning as a primary-stage malware, Agent Tesla enables remote access to compromised systems, facilitating the download of advanced second-stage tools, such as ransomware.

CONCLUSION

The research reveals a sophisticated cyber threat orchestrated through a stego-campaign, involving the deployment of a malicious .docx file. The attackers utilize template injection to bypass traditional email security measures, leading to a multi-stage attack. This attack includes the download and execution of scripts, introducing the Remcos Remote Access Trojan (RAT) and the Agent Tesla malware.

The Remcos RAT grants extensive control, enabling various malicious activities, while Agent Tesla serves as a data theft tool. The attack chain incorporates techniques such as template injection, Living Off the Land Binaries (LOLBins) abuse, and steganography. Notably, the threat actors demonstrate evasion tactics by injecting the Remcos RAT into the legitimate “RegAsm.exe” process. The campaign showcases an adept understanding of obfuscation techniques and dynamic script execution. Overall, this report underscores the complex and multi-stage tactics of threat actors and the importance of proactive cybersecurity measures to counter such advanced threats.

LIST OF IOCS

Sr No. Indicator Type Remarks
1 7E9AFFFCD5105A119308BC5E1289FDA4 MD5 File Hash Sample .docx File
2 65efdcbd4bc64e6e48d82bfa31f710fd MD5 File Hash .doc RTF File
3 ce91eb459e4f6a9e2871088d855cd211 MD5 File Hash .NET (PROJETOAUTOMACAO.VB1.dll) File
4 b1db2292ba6cdddc3237f97f0ee0324f MD5 File Hash Remcos RAT
5 ddb09774c5a870c73cf0cf71e6d97d3e MD5 File Hash JPG (vbs_novo_new_image.jpg) File
6 853c04a0494a2256e063583a4aab465b MD5 File Hash HZA.txt
7 85CBF9B1A0E3D8FDA14A86535E0692D9 MD5 File Hash HZA.vbs
8 9696B0F6AB7EAA2C312EEEB67B0E5F70 MD5 File Hash modernlover.vbs
9 E765E253ADA44CC90DF9E196DF0D1EF1 MD5 File Hash amGOG
10 85259BC31DECE470AF6778BD27F30488 MD5 File Hash New1.exe (Agent Tesla)
11 2672a881a5374e507c3ca3a152617c21 MD5 File Hash Similar Malicious .docx File
12 7ed7dfb7e823a6eb10591d86a2d25222 MD5 File Hash Similar Malicious .docx File
13 e85e113f938d9f64de952308c0ad8333 MD5 File Hash Similar Malicious .docx File
14 5f8d4be7bb31e0177d29df6f65abe6fc MD5 File Hash Outlook Email .msg File
15 http[:]//shut[.]be/5f0848 URL  
16 http[:]//someofthelovercantbuyhappinessfromthe@shtu[.]be/5f0848 URL  
17 http[:]//107[.]173[.]4[.]15/35005/modernlover[.]vbs URL  
18 http[:]//45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg URL  
19 https[:]//uploaddeimagens[.]com[.]br/images/004/739/227/original/new_image[.]jpg?1707826222 URL  
20 http[:]//107[.]173[.]4[.]15/35005/HZA.txt URL  
21 https[:]//paste[.]ee/d/amGOG URL  
22 107[.]173[.]4[.]15 IP  
23 45[.]74[.]19[.]84 IP  
24 115[.]251[.]187[.]194 IP  
25 178[.]237[.]33[.]50 IP  

MITRE ATT&CK TTPs

No. Tactic Technique
1 Initial Access (TA0001) T1566: Phishing
T1566.001: Spear phishing Attachment
2 Execution (TA0002) T1204: User Execution
T1059.001: PowerShell
    T1059.005: Visual Basic
3 Persistence (TA0003) T1547.001: Registry Run Keys/ Startup Folder
4 Defense Evasion (TA0005) T1211: Exploitation for Defense Evasion
T564.003: Hidden Window
T1055: Process Injection
T1027: Obfuscated Files or Information
5 Discovery (TA0007) T1057: Process Discovery
T1082: System Information Discovery
T1614: System Location Discovery
T1217: Browser Information Discovery
6 Collection (TA0009) T1115: Clipboard Data
T1056.001: Keylogging
T1113: Screen Capture
T1005: Data from Local System
7 Exfiltration (TA0010) T1041 – Exfiltration Over Command-and-Control Channel
8 Command and Control (TA0011) T1001.0012: Steganography
T1071: Application Layer Protocol

RECOMMENDATIONS

  • Deploy robust endpoint security solutions with advanced threat detection and prevention mechanisms to effectively identify and neutralize malicious activities.
  • Employ reputable antivirus and anti-malware software capable of promptly detecting and removing malicious payloads to enhance overall system security.
  • Ensure regular updates for operating systems, applications, and security software to address known vulnerabilities frequently exploited by threat actors.
  • Implement network segmentation to limit lateral movement, preventing malware from accessing critical assets and containing potential threats.
  • Conduct thorough employee training on phishing threats, emphasizing the dangers of opening attachments or clicking on links in unsolicited emails.
  • Educate employees to recognize social engineering tactics, empowering them to avoid falling victim to deceptive tricks that could lead to the execution of malicious files.
  • Configure firewalls to block outbound communication with known malicious IP addresses and domains linked to command-and-control servers.
  • Implement behaviour-based monitoring to detect unusual activity patterns, including suspicious processes attempting unauthorized network connections.
  • Enforce application whitelisting policies to permit only approved applications, preventing the execution of unauthorized or malicious executables.
  • Monitor network traffic for anomalous patterns, such as large data transfers to unfamiliar or suspicious IP addresses, indicating potential threats.
  • Create a comprehensive incident response plan outlining necessary steps in case of malware infection, including isolating affected systems and promptly notifying relevant stakeholders.
  • Stay informed with the latest threat intelligence reports and indicators of compromise related to malware to proactively identify and mitigate potential threats.
  • Implement regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss due to malware infections.
  • Follow the principle of least privilege (PoLP) by restricting user permissions to those required for specific roles, limiting the impact of malware relying on elevated privileges.
  • Build and implement safeguarding measures by monitoring/blocking Indicators of Compromise (IOCs) and enhancing defense based on tactical intelligence and provided rules.

Source: https://www.cyfirma.com/outofband/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/