Fortinet FortiGuard Labs analyzes a phishing-driven Remcos RAT campaign that delivers a malicious Excel macro to Windows users, initiating a multi-stage VBS/PowerShell payload chain. The malware uses a decrypted configuration block, process hollowing into RegAsm.exe, and TLS-based C2 with a rich set of remote control commands. #Remcos #Fortinet #FortiGuard #Phishing #ExcelMacro #VBScript #PowerShell #ProcessHollowing #RegAsm #TLS #C2 #Shiesty
Keypoints
- Phishing email disguises a payment notification and prompts the user to open a password-protected Excel attachment.
- Macro code in the Excel file writes an embedded VBS script (HobYQ.vbs) to disk; the script assembles PowerShell at runtime and uses it to progressively download and execute further components (flip.vbs, mem.txt, faze.jpg).
- Remcos payload is delivered via a .NET DLL and injected into RegAsm.exe using process hollowing.
- The Remcos configuration block is RC4-encrypted; decryption reveals C2 info, startup flags, and log settings (keylogger, screen capture, etc.).
- Remcos communicates with its C2 over TLS 1.3, sending an initial plaintext packet (the “4BH” first packet) followed by AES-encrypted data, with a heartbeat every 40 seconds.
- Fortinet protections include FortiGuard Web Filtering, Antivirus, FortiEDR, IPS signatures (Remcos.Botnet), and CDR, plus phishing awareness training options.
- IoCs include multiple URLs and SHA-256 hashes associated with the Excel document and Remcos payload, used in the campaign.
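The fixed 40-second heartbeat noted above is the kind of regularity a defender can hunt for in flow or proxy logs. The following is an added example (not from the Fortinet write-up) that groups outbound connections by destination, measures the gaps between them, and flags destinations whose gaps cluster around one period. The flow records, the destination addresses (RFC 5737 documentation ranges, not the campaign's real C2) and the 15% jitter threshold are all constructed for this example.

```python
"""Periodic-beacon detector, illustrating how a fixed C2 heartbeat
(40 s for the Remcos sample discussed) stands out in connection logs.
Input: (timestamp_seconds, dst_ip, dst_port) records. Flow records below
are constructed for this example, not real telemetry."""
from collections import defaultdict
from statistics import median


def find_beacons(records, min_connections=5, max_jitter=0.15):
    """Return {(dst_ip, dst_port): period_seconds} for every destination whose
    inter-connection gaps all lie within +/- max_jitter of their median gap."""
    by_dst = defaultdict(list)
    for ts, ip, port in records:
        by_dst[(ip, port)].append(ts)
    beacons = {}
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue                      # duplicate timestamps, not a beacon
        if all(abs(g - period) / period <= max_jitter for g in gaps):
            beacons[dst] = period
    return beacons


# Constructed sample: one host contacting a Remcos-style C2 every ~40 s with
# small jitter (port 2404 as in the campaign's IoCs), plus bursty, irregular
# HTTPS traffic to an unrelated server that must NOT be flagged.
SAMPLE_FLOWS = [
    (1000.0, "203.0.113.10", 2404), (1040.5, "203.0.113.10", 2404),
    (1080.2, "203.0.113.10", 2404), (1120.9, "203.0.113.10", 2404),
    (1160.1, "203.0.113.10", 2404), (1200.7, "203.0.113.10", 2404),
    (1001.0, "198.51.100.5", 443), (1001.3, "198.51.100.5", 443),
    (1002.1, "198.51.100.5", 443), (1090.0, "198.51.100.5", 443),
    (1091.2, "198.51.100.5", 443), (1200.0, "198.51.100.5", 443),
]


def run_sample():
    """Run the detector over the constructed flows."""
    return find_beacons(SAMPLE_FLOWS)


if __name__ == "__main__":
    for (ip, port), period in run_sample().items():
        print(f"possible beacon to {ip}:{port} every ~{period:.1f}s")
```

On the sample data only the 2404 destination is reported (median gap 40.5 s); the HTTPS traffic has gaps ranging from under a second to over a minute and fails the jitter test. On real logs, raise `min_connections` and exclude known update/telemetry endpoints before reviewing hits.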
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The phishing email is disguised as a payment notification and entices the recipient to open a password-protected Excel file. ‘the hacker disguised the phishing email as a payment notification from a trusted bank and asked the recipient to open the attached Excel file that is protected by a password.’
- [T1059.005] Visual Basic – An auto-run macro in the Excel file extracts embedded VBS code to disk and executes it. ‘The macro has a function called “Workbook_Active()” that is called automatically when it opens. Its task is to extract VBS code from the cells into a file “%AppData%\HobYQ.vbs” and then execute it.’
- [T1059.001] PowerShell – PowerShell is dynamically used to download and run additional components. ‘HobYQ.vbs runs a segment of dynamically spliced PowerShell code to download another VBS file (“flip.vbs”) from the attacker’s server and run it.’
- [T1055.012] Process Hollowing – The Remcos payload is injected into a newly created RegAsm.exe process. ‘the Remcos payload into a function that injects into RegAsm.exe via Process Hollowing.’
- [T1140] Deobfuscate/Decode Files or Information – The configuration block is RC4 encrypted and decrypted at runtime. ‘Every Remcos contains an RC4 encrypted configuration block in its PE resource section, named “SETTINGS” … The first thing Remcos does is to decrypt the configuration block.’
- [T1573] Encrypted Channel – C2 communications use TLS for handshake and authentication. ‘Remcos uses TLS v1.3 protocol to communicate with the C2 server…’
- [T1113] Screen Capture – Remcos can capture the victim's screen, including at startup, as one of its configured features. ‘Starting a watchdog program (Remcos’ daemon program)… Capturing victim’s screenshots at startup.’
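The keypoint and the T1140 entry above both describe the RC4-encrypted “SETTINGS” configuration block that Remcos decrypts first. The script below is an added example, not Fortinet's code, showing how an analyst decrypts such a blob. The page does not describe the blob layout; this example assumes the layout commonly reported for Remcos (first byte = RC4 key length, then the key, then the ciphertext, with fields separated by `|\x1e\x1e\x1f|`) and labels that as an assumption. The configuration values and key are made up, and the blob is generated by the script itself so it runs offline without any real sample.

```python
"""RC4 decryption of a Remcos-style "SETTINGS" resource blob.

ASSUMED layout (not stated on the page; commonly reported for Remcos):
  blob[0]            = RC4 key length N
  blob[1 : 1+N]      = RC4 key
  blob[1+N : ]       = RC4 ciphertext of the config string
  config fields are separated by b'|\\x1e\\x1e\\x1f|'
The demo key and fields are constructed for this example."""

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed field separator


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: encrypts and decrypts alike."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_settings(key: bytes, fields) -> bytes:
    """Build a blob in the assumed layout (used only to create demo input)."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings(blob: bytes):
    """Decrypt a key-length-prefixed RC4 blob and split it into config fields."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed SETTINGS blob: bad key length")
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return [f.decode("latin-1") for f in plaintext.split(FIELD_SEP)]


# Constructed demo config (field meanings are illustrative only):
# C2 "host:port:flag", botnet name, a startup flag, a mutex-like name.
DEMO_FIELDS = [b"c2.example.invalid:2404:1", b"Default", b"1", b"Remcos"]
DEMO_KEY = b"demo-rc4-key"
DEMO_BLOB = pack_settings(DEMO_KEY, DEMO_FIELDS)

if __name__ == "__main__":
    for idx, value in enumerate(parse_settings(DEMO_BLOB)):
        print(f"field[{idx}] = {value!r}")
```

To apply this to a real sample, extract the RCDATA resource named “SETTINGS” from the PE (for example with `pefile`) and pass its raw bytes to `parse_settings`. If the result is not printable, the layout assumption does not hold for that build and the key offset should be re-derived from the unpacking routine.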
Indicators of Compromise
- [URLs] – hxxp://209[.]127[.]19[.]101/flip.vbs, hxxp://209[.]127[.]19[.]101/mem.txt, hxxp://209[.]127[.]19[.]101/faze.jpg, and 11 more URLs (e.g., shiestynerd[.]dvrlists[.]com:10174, mimi44[.]ddns[.]net:2405).
- [Sample SHA-256] – FBB0575DFD7C1CFE48FB3AA895FBE6C8A554F06899A7152D04CFC39D1D4744AD, 8F6DD0DB9E799393A61D6C9CF6495C164E1B13CB8E6B153B32359D5F07E793D2, and 6 more hashes (8 SHA-256s listed for the campaign in total).
- [Domains/Hosts] – shiestynerd[.]dvrlists[.]com:10174, harveyautos110[.]ddns[.]net:2404, harveyautos111[.]hopto[.]org:2404, harveyautos112[.]ddns[.]net:2404, harvey205[.]camdvr[.]org:2404, harvey206[.]casacam[.]net:2404, harvey207[.]accesscam[.]org:2404.
Read more: https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing