An analysis of a loader-based infection culminating in Remcos RAT activity, delivered through a phishing email that leads to a password-protected ZIP containing a VBScript and a Windows shortcut. The writeup traces the infection chain—from the email, through the ZIP, to persistence via registry updates and C2 traffic with Remcos. #GuLoader #ModiLoader #DBatLoader #Remcos #RemcosRAT #VBScript #PowerShell
Keypoints
- The infection begins with a phishing email carrying a PDF attachment; both the email body and the PDF point to the same malicious ZIP archive hosted on an Adobe Acrobat sharing page.
- The ZIP is password-protected and contains a decoy audio file plus a malicious Windows shortcut (.lnk) that triggers the infection chain.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – ‘The email and the attached PDF document have the same link for a malicious zip archive’.
- [T1105] Ingress Tool Transfer – ‘URL that returned the zip archive’ to obtain the initial payload.
- [T1027] Obfuscated Files or Information – ‘password-protected zip archive on Adobe-hosted page’.
- [T1059.005] Visual Basic – ‘VBS file with PowerShell script used for this infection’.
- [T1059.001] PowerShell – ‘PowerShell script used for this infection’.
- [T1112] Modify Registry – ‘Windows registry updates that made the loader persistent on the infected host’.
- [T1071.001] Web Protocols – ‘Remcos RAT traffic: TLSv1.3 HTTPS traffic’.
Indicators of Compromise
- [IP Address] Email delivery sources – 23.106.121.131, 103.1.151.84 (from email headers).
- [Domain] gbwhotel[.]com[.]my – From: ar@gbwhotel[.]com[.]my in the email headers.
- [SHA256] 29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733, 1d030984aa406ff1a05c1d42e67455b79665d50ea98f49713b1fd21887b7b2eb, 748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5 (and 2 more hashes).
- [File name] RFQ No 41 26_06_2023.pdf; RFQ No 41 26_06_2023.zip; RFQ No 41 26_06_2023.pdf.lnk (from the infection artifacts).
- [URL] hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab (URL that returned the zip archive).
- [URL] hxxps://shorturl[.]at/guDHW (shortener redirect used later in the chain to retrieve the VBScript and related artifacts).
- [Domain] top1.banifabused1[.]xyz (Remcos C2 server in the infection chain).
- [IP Address] 194.55.224.183 (GuLoader- or ModiLoader-style traffic to retrieve Persuasive.inf).
- [IP Address] 194.187.251.91 (Remcos RAT C2 traffic).
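The indicator list above is only useful once it is matched against real telemetry. The following is an added example, not code from the ISC diary: it refangs the indicators as written here and sweeps them over a handful of constructed proxy, DNS, mail-header and EDR log lines. Note that acrobat.adobe[.]com and shorturl[.]at are legitimate services abused for hosting and redirection, so they are matched only as full URLs, never as domains, to avoid flagging ordinary Adobe or shortener traffic. The log lines and host names (WS-042, mx.corp.example, user jdoe) are constructed for the example.

```python
"""IoC sweep for the GuLoader/ModiLoader -> Remcos chain (added example).

Indicators are copied from the write-up in defanged form and refanged on
load. Log lines below are constructed, not real telemetry.
"""
import re
from typing import Dict, List, Set, Tuple

# Defanged indicators from the write-up. Abused legitimate services
# (acrobat.adobe.com, shorturl.at) are listed as full URLs only.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["23.106.121.131", "103.1.151.84", "194.55.224.183", "194.187.251.91"],
    "domain": ["gbwhotel[.]com[.]my", "top1.banifabused1[.]xyz"],
    "url": [
        "hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab",
        "hxxps://shorturl[.]at/guDHW",
    ],
    "sha256": [
        "29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733",
        "1d030984aa406ff1a05c1d42e67455b79665d50ea98f49713b1fd21887b7b2eb",
        "748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5",
    ],
    "filename": [
        "RFQ No 41 26_06_2023.pdf",
        "RFQ No 41 26_06_2023.zip",
        "RFQ No 41 26_06_2023.pdf.lnk",
    ],
}


def refang(indicator: str) -> str:
    """Turn the write-up's defanged notation back into a matchable string."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


# Lower-cased, refanged lookup sets; all matching is case-insensitive.
IOCS: Dict[str, Set[str]] = {
    kind: {refang(v).lower() for v in values} for kind, values in DEFANGED_IOCS.items()
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every IoC found in one log line."""
    low = line.lower()
    hits: List[Tuple[str, str]] = []
    hits += [("ip", ip) for ip in IP_RE.findall(low) if ip in IOCS["ip"]]
    # Full-URL match only; strip trailing punctuation a log line may append.
    hits += [("url", u.rstrip(".,;)")) for u in URL_RE.findall(low)
             if u.rstrip(".,;)") in IOCS["url"]]
    # Domain match covers the domain itself and any subdomain of it.
    for host in HOST_RE.findall(low):
        if any(host == d or host.endswith("." + d) for d in IOCS["domain"]):
            hits.append(("domain", host))
    hits += [("sha256", h) for h in SHA256_RE.findall(low) if h in IOCS["sha256"]]
    # "x.pdf" is a substring of "x.pdf.lnk"; report only the longest filename hit.
    names = [n for n in IOCS["filename"] if n in low]
    hits += [("filename", n) for n in names
             if not any(n != m and n in m for m in names)]
    return hits


def sweep(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Sweep a list of log lines; returns (1-based line number, kind, indicator)."""
    return [(i, kind, val) for i, line in enumerate(lines, start=1)
            for kind, val in match_line(line)]


# Constructed sample telemetry (not from the diary).
SAMPLE_LOGS = [
    "2023-06-27T08:12:03Z proxy user=jdoe url=https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab status=200",
    "2023-06-27T08:12:40Z proxy user=jdoe url=https://acrobat.adobe.com/link/review?uri=urn:aaid:sc:VA6C2:00000000-0000-0000-0000-000000000000 status=200",
    "2023-06-27T08:13:02Z proxy user=jdoe url=https://shorturl.at/guDHW status=302",
    "2023-06-27T08:15:11Z dns client=10.0.0.5 query=top1.banifabused1.xyz type=A answer=194.187.251.91",
    "Received: from mail.example.net ([23.106.121.131]) by mx.corp.example; From: ar@gbwhotel.com.my",
    r"2023-06-27T08:14:30Z edr host=WS-042 event=FileCreate path=C:\Users\jdoe\Downloads\RFQ No 41 26_06_2023.pdf.lnk sha256=29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733",
    "2023-06-27T08:20:00Z dns client=10.0.0.7 query=www.example.com type=A answer=93.184.216.34",
]

if __name__ == "__main__":
    for lineno, kind, value in sweep(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} hit on {value}")
```

Line 2 (a different Acrobat review link) and line 7 (an unrelated DNS query) produce no hits, which is the point of matching the Adobe and shortener indicators as whole URLs; the remaining lines each surface the email source, the ZIP download, the redirect, the C2 resolution and the dropped .lnk with its hash.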
Read more: https://isc.sans.edu/diary/rss/29990