Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms – Check Point Research

Check Point researchers uncovered a large-scale phishing campaign in Colombia targeting 40+ firms to covertly plant the Remcos RAT. The attackers use heavily obfuscated archives, PowerShell, and memory-only loading (via reflective loading with LoadPE) to gain full control while evading defenses. #Remcos #LoadPE #ReflectiveLoading #AmsiBypass #Unhooking #Colombia

Key Points

  • Targeted a broad set of Colombian companies across multiple industries.
  • Primary objective: install Remcos malware for full remote control and data access.
  • Phishing emails included archives (ZIP/RAR/TGZ) with enticing content to lure recipients.
  • The archive carries a highly obfuscated BAT file that launches heavily obfuscated PowerShell commands.
  • Two .NET modules operate in memory: one for evasion/unhooking and one for loading Remcos via reflective loading (LoadPE).
  • Remcos is loaded in memory (reflective loading) to avoid disk presence and detection.
  • Defensive evasion includes unhooking kernel32.dll/ntdll.dll and patching AMSI/EtwEventWrite to return errors.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – “The phishing email contains an attachment that appears to be a harmless archive file, such as ZIP, RAR or TGZ.”
  • [T1027] Obfuscated/Compressed Files and Information – “The archive file contains a highly obfuscated Batch (BAT) file. Upon execution, the BAT file runs PowerShell commands which are also heavily obfuscated.”
  • [T1059.001] PowerShell – “the BAT file runs PowerShell commands which are also heavily obfuscated.”
  • [T1620] Reflective Code Loading – “reflective loading…LoadPE…Remcos malware directly into memory…without the need for it to be stored on the disk.”
  • [T1562.001] Impair Defenses – “Unhooking any security mechanisms present… patching the amsi.dll AmsiScanBuffer function to return ‘The parameter is incorrect’ code (0x80070057) and patching EtwEventWrite.”
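As an added, defender-side illustration of the T1562.001 entry (not code from the Check Point report or the campaign): the check below compares an export's live prologue with its on-disk bytes and flags the constant-error-return shape that the patched AmsiScanBuffer/EtwEventWrite would show. The `mov eax, imm32 ; ret` stub shape and all sample prologue bytes are assumptions constructed for this example; on a real host the live and on-disk bytes would be read from the process and from the DLL file respectively.

```python
import struct

E_INVALIDARG = 0x80070057  # HRESULT "The parameter is incorrect", per the report

def decode_return_stub(code: bytes):
    """imm32 if `code` starts with `mov eax, imm32 ; ret` (B8 xx xx xx xx C3),
    else None. Assumed stub shape: the report names only the return code."""
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None

def first_divergence(live: bytes, disk: bytes):
    """Offset of the first byte where live code differs from the on-disk image."""
    for off, (a, b) in enumerate(zip(live, disk)):
        if a != b:
            return off
    return None

def assess_export(name: str, live: bytes, disk: bytes) -> dict:
    """Any divergence: memory no longer matches disk (may be a legitimate EDR
    hook). Divergence forming a constant-return stub: high-confidence match."""
    off = first_divergence(live, disk)
    stub = decode_return_stub(live)
    if off is None:
        verdict = "clean"
    elif stub is not None:
        verdict = "patched-return-stub"
    else:
        verdict = "modified"
    return {"export": name, "diverges_at": off, "stub_value": stub, "verdict": verdict}

def scan(samples: dict) -> list:
    """Assess every (live, disk) pair; strongest findings first."""
    rank = {"patched-return-stub": 0, "modified": 1, "clean": 2}
    found = [assess_export(n, live, disk) for n, (live, disk) in samples.items()]
    return sorted(found, key=lambda r: rank[r["verdict"]])

# Constructed sample bytes (not real amsi.dll / ntdll.dll code): a generic
# MSVC x64 prologue stands in for the on-disk bytes of each export.
DISK_PROLOGUE = bytes.fromhex("48895c24084889742410574883ec20")
PATCHED = struct.pack("<BIB", 0xB8, E_INVALIDARG, 0xC3) + DISK_PROLOGUE[6:]
HOOKED = bytes.fromhex("e978563412") + DISK_PROLOGUE[5:]  # jmp rel32, hook-like
SAMPLES = {  # export name -> (live prologue, on-disk prologue)
    "amsi!AmsiScanBuffer": (PATCHED, DISK_PROLOGUE),
    "ntdll!EtwEventWrite": (HOOKED, DISK_PROLOGUE),
    "ntdll!NtCreateFile": (DISK_PROLOGUE, DISK_PROLOGUE),
}

if __name__ == "__main__":
    for finding in scan(SAMPLES): print(finding)
```

A plain "modified" verdict is not by itself evidence of this campaign, since EDR products hook the same exports; the unhooking the report describes would instead make a previously hooked export read as "clean" again, so a sudden change from "modified" to "clean" is itself worth alerting on.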

Indicators of Compromise

  • [IP Address] C2 channel – 192.161.184.21
  • [SHA-1] BAT IOC – dbc8cd0d565c9fa45a0f0ce030f609cfbc8dcc49, 747c2466b4f4b5024f321a07fca597824d2483f8 and 2 more hashes
  • [SHA-1] BAT IOC – 3903cd20c6e72582f0ce3457a8964c6d9bc7496d and 2 more hashes
  • [SHA-1] BAT IOC – 091a54d15376e86860ed52f3dcb5d3ded457e669 and 2 more hashes
  • [SHA-1] RAR IOC – ef1cc1750f5f580aa9338b8c5c5125cfd8406f7b and 2 more hashes
  • [SHA-1] RAR IOC – 06c4ae8f298943340466a5dd1a6d44491349dc89 and 2 more hashes

Read more: https://research.checkpoint.com/2023/guarding-against-the-unseen-investigating-a-stealthy-remcos-malware-attack-on-colombian-firms/