TargetCompany Ransomware Abuses FUD Obfuscator Packers

Trend Micro analyzed a campaign in which attackers exploited vulnerable SQL Servers to deploy the Remcos RAT as a first stage and then a TargetCompany ransomware payload, using fully undetectable (FUD) packers resembling BatCloak that wrap the payloads in batch files and decode them via PowerShell. The attackers also used Metasploit post-exploitation modules to add local accounts and deploy tooling before delivering the FUD-wrapped ransomware. #TargetCompany #Remcos #BatCloak #Metasploit #SQLServer

Keypoints

  • Attackers exploited vulnerable SQL Servers to persistently deploy the first-stage Remcos RAT, probing web-accessible paths until one allowed execution.
  • Initial download attempts used several URLs and saved payloads under %TEMP% (e.g., %TEMP%\tzt.exe), executing them through a helper script, %TEMP%\updt.ps1.
  • When standard payloads were blocked, the actors switched to FUD packers that wrap binaries in batch files and decode/load them via PowerShell (BatCloak-like behavior).
  • The PowerShell-based loaders relied on LOLBins/legitimate binaries for execution and were hard-coded to the SysWOW64 PowerShell path, i.e., the 32-bit interpreter on 64-bit Windows, which implies the targets are 64-bit hosts.
  • Post-exploitation included Metasploit (Meterpreter) activity to query/add local accounts and to deploy GMER, IObit Unlocker, and PowerTool before dropping TargetCompany ransomware.
  • The TargetCompany variant observed belongs to the second version and reaches out to a C2 with a “/ap.php” landing page; Remcos samples from the campaign were also found in public repositories, one of them with zero detections.
  • FUD packers limit detection by conventional solutions; early behavioral detection, ML/AI file inspection, and layered defenses are recommended.
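The batch-outer-layer/PowerShell-decode loader in the third keypoint is usually triaged statically rather than detonated. The script below is an added example (not Trend Micro's code and not a sample from the campaign) of that triage: it pulls the Base64 fragments out of a loader's batch variables, expands the %var% references the way cmd.exe would, decodes and decompresses the blob, and reports the PowerShell path the loader hard-codes. The loader layout (payload split across `set` variables, decoded with `[Convert]::FromBase64String` and inflated with `DeflateStream`) is an assumption for this example; the sample loader and its dummy MZ payload are constructed here and nothing is executed.

```python
"""Static unpacking of a BatCloak-style batch loader (added example, not
Trend Micro's code).  Assumed layout, not confirmed by the report: the batch
file stores the payload as Base64 text in batch variables, then launches the
SysWOW64 (32-bit) PowerShell to concatenate, Base64-decode and decompress it
in memory.  Decompression only, no decryption, as the page describes."""
import base64
import gzip
import hashlib
import re
import zlib

# Constructed stand-in for the packed payload: an MZ header plus filler, not malware.
DUMMY_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed dummy payload for the unpacking example"


def build_sample_loader(payload: bytes) -> str:
    """Build a constructed loader in the assumed layout so the unpacker can run offline."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw Deflate, as DeflateStream writes it
    b64 = base64.b64encode(comp.compress(payload) + comp.flush()).decode()
    half = len(b64) // 2
    return (
        "@echo off\r\n"
        f'set "x1={b64[:half]}"\r\n'
        f'set "x2={b64[half:]}"\r\n'
        'set "ps=%SystemRoot%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"\r\n'
        '"%ps%" -nop -w hidden -c "$b=[Convert]::FromBase64String(\'%x1%%x2%\');'
        "$s=New-Object IO.Compression.DeflateStream([IO.MemoryStream]$b,"
        "[IO.Compression.CompressionMode]::Decompress);"
        '$m=New-Object IO.MemoryStream;$s.CopyTo($m);$m.ToArray()"\r\n'
    )


SET_RE = re.compile(r'^\s*set\s+"?(\w+)=([^"\r\n]*)"?', re.IGNORECASE | re.MULTILINE)
B64_ARG_RE = re.compile(r"FromBase64String\('([^']*)'\)", re.IGNORECASE)
VAR_REF_RE = re.compile(r"%(\w+)%")


def parse_batch_vars(bat: str) -> dict:
    """Collect `set "name=value"` assignments (lowercase names: cmd.exe is case-insensitive)."""
    return {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(bat)}


def expand_batch_vars(text: str, vars_: dict) -> str:
    """Expand %name% references as cmd.exe does before a line runs; unknown names stay as-is."""
    return VAR_REF_RE.sub(lambda m: vars_.get(m.group(1).lower(), m.group(0)), text)


def decompress_any(blob: bytes):
    """Try the decompressors a PowerShell loader can reach through System.IO.Compression."""
    attempts = (
        ("deflate", lambda b: zlib.decompress(b, -15)),  # DeflateStream: raw Deflate
        ("zlib", zlib.decompress),                       # zlib-wrapped Deflate
        ("gzip", gzip.decompress),                       # GZipStream
    )
    for name, fn in attempts:
        try:
            return name, fn(blob)
        except (zlib.error, OSError, EOFError):
            continue
    return "none", blob


def unpack_loader(bat: str) -> dict:
    """Recover the embedded payload and the hard-coded PowerShell path without executing anything."""
    vars_ = parse_batch_vars(bat)
    m = B64_ARG_RE.search(bat)
    if not m:
        raise ValueError("no FromBase64String() argument found in loader")
    blob = base64.b64decode(expand_batch_vars(m.group(1), vars_))
    method, payload = decompress_any(blob)
    launcher = next((v for v in vars_.values() if v.lower().endswith("powershell.exe")), "")
    return {
        "launcher": launcher,
        "uses_syswow64": "\\syswow64\\" in launcher.lower(),  # 32-bit PowerShell on a 64-bit host
        "compression": method,
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",
    }


if __name__ == "__main__":
    result = unpack_loader(build_sample_loader(DUMMY_PAYLOAD))
    print({k: v for k, v in result.items() if k != "payload"})
```

The recovered payload's SHA-256 is what you would pivot on in a sandbox or repository lookup; the `uses_syswow64` flag records the 32-bit interpreter choice the report calls out, which is itself a useful hunting feature on 64-bit hosts.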

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited vulnerable SQL Servers to deploy the first stage (‘exploitation of vulnerable SQL servers to persistently deploy its first stage’).
  • [T1505] Server Software Component – Probing web-accessible paths/URLs to drop and execute Remcos suggests abuse of a server-side component (‘The routine tries various directions to attempt persistence, such as changing up the URLs or applicable paths until it successfully finds an area to execute the Remcos RAT.’)
  • [T1105] Ingress Tool Transfer – Downloading Remcos and other payloads from remote HTTP URLs into %TEMP% (e.g., hxxp://80.66.75[.]37/drtse.exe dropped to %TEMP%\tzt.exe).
  • [T1027.006] Software Packing – Use of fully undetectable (FUD) packers that wrap payloads in batch files and decode/load them to evade detection (‘Using a batch file as an outer layer and afterward, decoding and loading using PowerShell to make a LOLBins execution.’)
  • [T1059.001] PowerShell – Loaders decode and execute payloads via powershell.exe to run Remcos and the ransomware (‘PowerShell execution of the Remcos RAT…’).
  • [T1218] System Binary Proxy Execution (LOLBins) – Use of legitimate system binaries as execution proxies to load decoded payloads (‘decoding and loading using PowerShell to make a LOLBins execution.’)
  • [T1136.001] Create Local Account – Metasploit usage to query/add local accounts as part of post-exploitation (‘Query/Add a local account’).
  • [T1071.001] Application Layer Protocol: Web Protocols – TargetCompany ransomware communicates with its C2 over HTTP using the path ‘/ap.php’ (‘connection to a command-and-control (C&C) server with a “/ap.php” landing page.’)

Indicators of Compromise

  • [IP / URL] download hosts used to deliver Remcos and loaders – 80.66.75[.]37 (e.g., hxxp://80.66.75[.]37/drtse.exe), 185.209.230[.]21:8080 (e.g., hxxp://185.209.230[.]21:8080/Auptxums.bat)
  • [File paths / names] temporary drop and execution artifacts – %TEMP%\tzt.exe, %TEMP%\updt.ps1, %TEMP%\Auptxums.bat (used to execute and decode payloads)
  • [Filenames] observed payload/drop names – drtse.exe, lighting.exe, Ayhhny.exe, Bwarp.exe (download attempts listed in the report's sample table)
  • [C2 / HTTP path] ransomware C2 landing page pattern – ‘/ap.php’ (used by the TargetCompany variant for C2 communication)
  • [Repository/sample note] a Remcos sample with zero detections was found in public repositories; further hashes are in the report's linked IOC file

Attack sequence (technical rewrite)

Actors initially exploit public-facing SQL Server instances to gain a persistent foothold and probe multiple web-accessible paths until a writable/executable location is found to drop the first-stage Remcos payload. Download attempts repeatedly fetched executables and batch files from remote HTTP hosts (examples: 80.66.75[.]37 and 185.209.230[.]21:8080) into %TEMP% (e.g., %TEMP%\tzt.exe) and attempted execution via a helper PowerShell script (%TEMP%\updt.ps1); one batch file (Auptxums.bat) succeeded in dropping and executing Remcos after earlier direct EXE deliveries were blocked.

When standard payloads were detected or terminated, operators wrapped binaries in FUD packers resembling BatCloak: a batch-file outer layer that carries the embedded payload and invokes powershell.exe to decode and load it, so that execution runs through living-off-the-land binaries (LOLBins). These loaders were hard-coded to the SysWOW64 PowerShell path, which is the 32-bit interpreter on 64-bit Windows; the choice implies the victims are 64-bit hosts and gives defenders a narrow process-creation signal. After Remcos established access, operators used Metasploit/Meterpreter modules for post-exploitation tasks (querying and adding local accounts; deploying GMER, IObit Unlocker, and PowerTool), and Remcos then fetched and launched a second-stage TargetCompany ransomware binary that communicates with its C2 through a ‘/ap.php’ landing page.

The loaders for Remcos and TargetCompany differed from the AsyncRAT loaders seen earlier by performing only decompression (not decryption) and by altering the command-line structure to evade signature detection. The repeated use of FUD packers and PowerShell-based batch loaders lets these attackers bypass many signature-based controls, which is why behavior-based detection, ML/AI file inspection, and layered network controls matter here.
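The chain above leaves a small set of behavioral signals a SOC can key on: a batch file in %TEMP% spawning PowerShell, the 32-bit SysWOW64 interpreter on a 64-bit host, an inline Base64 decode on the command line, `net user ... /add` after the foothold, downloads from the listed hosts, and a beacon to `/ap.php`. The script below is an added example (not Trend Micro's code) that runs those rules over constructed Sysmon-style events. The EventID 1 and EventID 3 field names are Sysmon's; the `Url` field is assumed to come from proxy enrichment, and the 203.0.113.10 C2 address, the 198.51.100.7 updater host, the user and script names are invented for the example. The IOC hosts and the `/ap.php` path are the ones the report lists.

```python
"""Behavioral detection for the Remcos -> TargetCompany chain (added example,
not Trend Micro's code).  Events are constructed Sysmon-style records:
EventID 1 (Image, ParentImage, CommandLine, ParentCommandLine) and EventID 3
(DestinationIp, DestinationPort) plus a `Url` field assumed to be proxy
enrichment.  IOC hosts and the C2 path come from the report's IOC list."""
import re
from urllib.parse import urlparse

IOC_HOSTS = {"80.66.75.37", "185.209.230.21"}  # refanged download hosts from the report
C2_PATH = "/ap.php"                             # TargetCompany C2 landing page

# SysWOW64\...\powershell.exe is the 32-bit interpreter on 64-bit Windows; the loaders hard-code it.
SYSWOW64_PS = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
TEMP_BAT = re.compile(r'(%temp%|\\temp\\)[^\s"]*\.bat\b', re.I)
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/add\b", re.I)
PAYLOAD_EXT = (".exe", ".bat", ".ps1")


def classify(ev: dict) -> list:
    """Return the detection names that fire for one event (empty list = nothing suspicious)."""
    hits = []
    if ev.get("EventID") == 1:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.lower().endswith("\\powershell.exe"):
            # batch outer layer dropped in %TEMP% spawning PowerShell: the BatCloak-like pattern
            if parent.endswith("\\cmd.exe") and TEMP_BAT.search(ev.get("ParentCommandLine", "")):
                hits.append("temp_batch_launches_powershell")
            if SYSWOW64_PS.search(image):
                hits.append("syswow64_powershell")
            if "frombase64string" in cmd.lower():
                hits.append("powershell_inline_decode")
        if NET_USER_ADD.search(cmd):
            hits.append("local_account_added")  # T1136.001 via net/net1
    elif ev.get("EventID") == 3:
        path = urlparse(ev.get("Url", "")).path
        if ev.get("DestinationIp") in IOC_HOSTS:
            hits.append("ioc_host_contact")
            if path.lower().endswith(PAYLOAD_EXT):
                hits.append("ioc_payload_download")  # T1105
        if path == C2_PATH:
            hits.append("targetcompany_c2_beacon")  # T1071.001
    return hits


def scan(events) -> dict:
    """Map event index -> hits for every event that triggers at least one detection."""
    findings = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed telemetry: four malicious events from the chain, then two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd /c "C:\Users\svc_sql\AppData\Local\Temp\Auptxums.bat"',
     "CommandLine": "powershell -nop -w hidden -c \"$b=[Convert]::FromBase64String('%x1%%x2%')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd",
     "CommandLine": "net user sqlsvc_bak Str0ngPass! /add"},
    {"EventID": 3, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "80.66.75.37", "DestinationPort": 80, "Url": "http://80.66.75.37/drtse.exe"},
    {"EventID": 3, "Image": r"C:\Users\svc_sql\AppData\Roaming\svc.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Url": "http://203.0.113.10/ap.php"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
    {"EventID": 3, "Image": r"C:\Program Files\Vendor\updater.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Url": "https://198.51.100.7/check"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The 32-bit interpreter rule is deliberately separate from the %TEMP% batch rule: on its own, SysWOW64 PowerShell has legitimate 32-bit uses, but combined with a batch parent in a temp directory and an inline Base64 decode it reproduces the loader described in the report almost exactly, and the `/ap.php` path plus the listed hosts give the network side of the same chain.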

Read more: https://www.trendmicro.com/en_us/research/23/h/targetcompany-ransomware-abuses-fud-obfuscator-packers.html