Unknown TTPs of Remcos RAT – K7 Labs

Remcos RAT samples were delivered inside a .vhd archive that contained a shortcut invoking a PowerShell script (MacOSX.ps1) which chains multiple staged downloads and decodings to ultimately drop a Remcos payload. The chain includes a PNG carrying a base64 VBScript, an embedded base64-encoded PE extracted from an image, and a .NET DLL that performs process hollowing into RegAsm.exe before decrypting an RC4 SETTINGS blob to retrieve C2 and configuration. #Remcos #AMSIReaper

Keypoints

  • Initial delivery via a .vhd archive containing a shortcut that runs PowerShell to execute MacOSX.ps1.
  • MacOSX.ps1 performs AMSI bypass, schedules tasks, and downloads a PNG (elana.png) from Bitbucket which contains a base64-encoded VBScript.
  • The VBScript downloads and decodes further content (from paste.ee and an image URL) to reveal a base64-encoded PE file stored inside an image overlay.
  • The extracted binary is a .NET DLL that performs process hollowing by creating a suspended RegAsm.exe process and injecting the Remcos payload using CreateProcess, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread, and ZwUnmapViewOfSection.
  • Final Remcos binary decrypts an RC4-encrypted SETTINGS resource to obtain C2 addresses and configuration, sets a RUN registry key for persistence, and creates a mutex.
  • Remcos capabilities include keylogging, clipboard capture, audio recording, screenshots at startup, UAC disabling, system & network discovery, and HTTPS-based C2 communication over unusual ports.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malware is delivered via a .vhd archive with a malicious loader (“…malicious attachments, drive-by downloads, or social engineering…”)
  • [T1059] Command and Scripting Interpreter – PowerShell scripts are used to download and execute subsequent stages (“…powershell.exe -ExecutionPolicy Bypass -File ".MacOSX/MacOSX.ps1"”).
  • [T1059.001] PowerShell – Explicit use of PowerShell to decode, download, and run payloads (“…decoded VB script, we got a PowerShell script which was encoded with base64.”).
  • [T1027] Obfuscated Files or Information – Payloads and scripts are obfuscated/encoded in PNGs and images to evade detection (“…The PNG file is a VB script file base64 encoded…”).
  • [T1140] Deobfuscate/Decode Files or Information – Multiple decoding steps (base64, VBScript, image overlays) are performed to obtain executables (“…After decoding the VB script, we got a PowerShell script…”).
  • [T1055] Process Injection (Process Hollowing) – The .NET DLL injects the Remcos payload into a suspended RegAsm.exe process using CreateProcess and thread/context APIs (“…injecting the Remcos payload into a newly-created ‘RegAsm.exe’ process”).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence is achieved by setting the RUN registry key (“…It sets the “RUN” registry for the persistence.”).
  • [T1056] Input Capture – Keystroke logging is implemented to capture user input (“…designated filename for logging victim keystrokes…”).
  • [T1123] Audio Capture – Remcos records audio from the victim microphone (“…Remcos also records the audio input from the victim’s microphone.”).
  • [T1113] Screen Capture – The malware captures screenshots of the victim’s screen on startup (“…Capturing screenshots of the victim’s screen upon startup.”).
  • [T1115] Clipboard Data – Clipboard contents are collected (“…Capturing data from the clipboard.”).
  • [T1071] Application Layer Protocol – Remcos communicates with C2 over HTTPS to exfiltrate data and receive commands (“…Remcos RAT connects with a URL to collect geolocation information.”).
  • [T1571] Non-Standard Port – C2 uses non-standard/uncommonly used ports (examples include :2404) (“…lora1.safesopkoco.com:2404”).
  • [T1082] System Information Discovery – Remcos collects system information such as Windows version and hostname (“…collects system information such as the Windows version and hostname.”).
  • [T1016] System Network Configuration Discovery – Network configuration information is gathered by the malware (“…collects network configuration information.”).

Indicators of Compromise

  • [MD5] sample hashes – 8E125841810C306790958A95D6DBEB5, C50DC32F0CABCF7D7B44031031026078, and 1 more hash
  • [URLs] staged downloader/distribution – hxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/elana.png, hxxps://uploaddeimagens.com.br/images/004/731/958/original/new_image.jpg?1707143673, and other staging URLs
  • [Domains/C2] command-and-control hosts – lora1.safesopkoco.com:2404, masterbotsbrothers.xyz:2404, mota1.masterbotsbrothers.xyz:2404 (multiple related hosts listed)
  • [File names] artifacts observed – MacOSX.ps1 (initial script), elana.png (base64 VBScript container), second.ps1 (decoded and saved to %ProgramData%)

The technical chain begins with a .vhd archive containing a Windows shortcut that invokes cmd.exe to run PowerShell with MacOSX.ps1. That script implements an AMSI bypass, schedules tasks, and downloads a PNG (elana.png) from Bitbucket which actually contains a base64-encoded VBScript; the VBScript decodes to another PowerShell layer and fetches additional content from paste.ee and an image URL.

The image downloaded by the VBScript carries a base64 blob appended as an overlay which, when decoded, yields a PE: a .NET DLL. Analysis shows the DLL carries out process hollowing by creating a suspended RegAsm.exe process (from the .NET Framework path), unmapping its sections, allocating memory in the target, writing the payload, setting the thread context, and resuming the thread (CreateProcess with CREATE_SUSPENDED, GetThreadContext, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread).

The injected Remcos binary is a VC8-compiled executable that decrypts an RC4-encrypted SETTINGS resource (first byte = RC4 key size), extracts C2 addresses and configuration, sets a RUN registry value for persistence, creates a mutex, and enables capabilities such as keylogging, clipboard capture, microphone recording, screenshot capture, UAC disabling, system/network discovery, and HTTPS-based C2 communications over non-standard ports. Detection should focus on the multi-stage download/decode chain (PowerShell → PNG/VBScript → base64 image → PE), process hollowing indicators around RegAsm.exe, RC4 resource decryption, and the listed C2 domains/ports.
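As an added example (not code from the K7 Labs post), a small Python extractor for the SETTINGS layout described above: it assumes the RC4 key immediately follows the key-size byte and that everything after the key is the RC4 ciphertext. The resource blob below is constructed for the demonstration; only the host:port values come from the post.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Assumed layout: <key_len: 1 byte><key: key_len bytes><RC4 ciphertext>
def parse_settings(blob: bytes) -> dict:
    """Decrypt a SETTINGS resource and pull host:port strings out of the plaintext."""
    if len(blob) < 2:
        raise ValueError("resource too short")
    key_len = blob[0]
    # Need at least the key plus one ciphertext byte, otherwise the size byte is bogus
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("key length byte %d is inconsistent with resource size" % key_len)
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    # C2 candidates such as lora1.safesopkoco.com:2404, independent of the field separator
    c2 = re.findall(rb"[A-Za-z0-9][A-Za-z0-9.-]+\.[A-Za-z]{2,}:\d{2,5}", plain)
    return {"key": key, "plaintext": plain, "c2": [c.decode() for c in c2]}

def build_sample() -> bytes:
    """Constructed resource for the demo; not taken from a real sample."""
    key = b"demo-rc4-key"
    config = b"lora1.safesopkoco.com:2404|masterbotsbrothers.xyz:2404|1|demo-id"
    return bytes([len(key)]) + key + rc4(key, config)

if __name__ == "__main__":
    result = parse_settings(build_sample())
    print("RC4 key:", result["key"])
    print("C2 hosts:", result["c2"])
```

On a real resource, feed the raw bytes of the SETTINGS entry to parse_settings() and treat the regex hits as candidates to confirm against network telemetry.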

Read more: https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/