An email delivers a weaponized Word document that uses a shortened URL to redirect to an Equation Editor–related file, triggering vulnerabilities to install a Remcos RAT payload. The dropper then employs obfuscated VBScript and PowerShell, steganography, and reverse Base64 encoding to fetch the malicious binary, with activity linked to Lazarus’ Deathnote cluster and duckDNS–based C2 infrastructure. #Remcos #Lazarus
Key points
- Delivery starts with a spearphishing attachment (.docx) designed to deceive the recipient.
- The Word document leverages CVE-2017-0199 to trigger a remote download attempt from a malicious server.
- A shortened URL redirects to an RTF/file chain that exploits CVE-2017-11882 (Equation Editor) to download a VBScript payload.
- The VBScript is highly obfuscated, building a long concatenated string that decodes into PowerShell code.
- The PowerShell component uses steganography and reverse Base64 strings to reconstruct and drop a malicious binary (Remcos RAT).
- Network activity includes C2 communications to an IP (94.156.66.67:2409) and multiple duckDNS domains, with attribution linked to the Lazarus/Deathnote cluster.
- IoCs include several file hashes, the docx/RTF hashes, email envelopes, and several URLs and domains used in the chain.
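The first two stages of the chain both rely on a document fetching something from outside itself: the .docx carries an external OLE relationship (the CVE-2017-0199 pattern), which is visible in the package's `.rels` parts without opening the file in Word. The triage check below is an added example written for this summary, not code from Forcepoint's report; it builds a constructed, non-functional docx-shaped zip in memory (target `http://example.invalid/short` is a placeholder) and reports every relationship whose `TargetMode` is `External`, rating a remote `oleObject` as high severity.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Fixed OOXML namespaces (Open Packaging Conventions / WordprocessingML).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_docx(external_target=None) -> bytes:
    """Constructed sample: a minimal docx-shaped zip. When external_target is
    given, document.xml.rels carries an external oleObject relationship of the
    shape seen in CVE-2017-0199 documents. Not a real or working exploit."""
    rels = [f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>']
    if external_target:
        rels.append(
            f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part and report relationships whose Target lies
    outside the package. Severity: 'high' for an oleObject pointing at an
    http/https/file target (remote OLE load), 'info' for ordinary
    hyperlinks, 'review' for any other external target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                scheme = urlparse(target).scheme.lower()
                if rel_type == "oleObject" and scheme in ("http", "https", "file"):
                    severity = "high"
                elif rel_type == "hyperlink":
                    severity = "info"
                else:
                    severity = "review"
                findings.append({"part": part, "id": rel.get("Id"),
                                 "type": rel_type, "target": target,
                                 "severity": severity})
    return findings


def needs_detonation(docx_bytes: bytes) -> bool:
    """True when any high-severity external relationship is present."""
    return any(f["severity"] == "high" for f in external_relationships(docx_bytes))


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/short")  # constructed target
    for finding in external_relationships(sample):
        print(finding)
    print("needs detonation:", needs_detonation(sample))
```

Hyperlinks are external by design, so they are only reported as informational; the signal worth routing to a sandbox is an `oleObject` (or similar embedded-object) relationship with a URL target, which a normal invoice has no reason to contain.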
MITRE Techniques
- [T1566.001] Spearphishing Attachment – “An email includes a .docx attachment designed to deceive the recipient.”
- [T1203] Exploitation for Client Execution – “The docx contains a CVE-2017-0199 vulnerability. Upon exploiting the vulnerability, it tries to make a connection with a remote server to download a malicious file.”
- [T1059.005] Visual Basic – “VB script deobfuscates to a PowerShell code that tries to download a malicious binary via a steganographic image and reverse Base64 encoded strings.”
- [T1027] Obfuscated Files and Information – “long sequence of concatenated variables and strings, likely encoded or obfuscated.”
- [T1059.001] PowerShell – “PowerShell code that downloads a malicious binary.”
- [T1027.003] Steganography – “steganographic image to deliver/download payload.”
- [T1071.001] Web Protocols – “C2 communication to IP 94.156.66.67:2409 and duckDNS domains.”
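The T1027 and T1059 entries describe two layers an analyst has to peel back: literal-to-literal string concatenation (VBScript `&`, PowerShell `+`) and Base64 text stored reversed. The helper below is an added example for this summary, not Forcepoint's tooling; it folds adjacent quoted literals until nothing changes, then tries every long Base64-looking run both as-is and reversed, keeping only decodes that come out as printable text. The 40-character threshold and the 90% printable ratio are assumptions to tune, and the embedded script is constructed from a benign marker string. The steganographic image stage is not modelled because the report summary gives no detail of how the bytes are hidden.

```python
import base64
import binascii
import re
import string

# Runs of Base64 alphabet long enough to be worth decoding (threshold is an
# assumption; tune for the scripts you triage).
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Two adjacent quoted literals joined by VBScript '&' or PowerShell '+'.
LITERAL_CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
PRINTABLE = set(string.printable.encode())


def collapse_literal_concat(script: str) -> str:
    """Fold "ab" & "cd" + "ef" chains into one literal, repeating until the
    text stops changing. Only literal-to-literal joins are folded; variable
    references are left for manual tracing."""
    previous = None
    while previous != script:
        previous = script
        script = LITERAL_CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', script)
    return script


def try_base64(candidate: str):
    """Strict Base64 decode; None when the text is not well-formed Base64."""
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(raw: bytes) -> bool:
    return bool(raw) and sum(b in PRINTABLE for b in raw) / len(raw) > 0.9


def decode_reversed_base64(s: str):
    """The trick described for the PowerShell stage: Base64 text stored reversed."""
    return try_base64(s[::-1])


def find_encoded_blobs(script: str) -> list:
    """Report every long Base64-looking run that decodes to mostly printable
    text either as-is or after reversal."""
    results = []
    for m in B64_RUN.finditer(script):
        blob = m.group(0)
        for encoding, candidate in (("base64", blob), ("reversed-base64", blob[::-1])):
            raw = try_base64(candidate)
            if raw is not None and looks_like_text(raw):
                results.append({"offset": m.start(), "encoding": encoding,
                                "decoded": raw.decode("ascii", "replace")})
                break
    return results


def deobfuscate(script: str) -> list:
    """Collapse concatenation first, then hunt for encoded blobs."""
    return find_encoded_blobs(collapse_literal_concat(script))


# Constructed sample: a benign marker string, Base64-encoded, reversed, then
# split into 10-character literals joined with '&' in the VBScript style.
MARKER = b"constructed marker: decoded successfully"
_reversed_blob = base64.b64encode(MARKER).decode()[::-1]
SAMPLE_SCRIPT = "p = " + " & ".join(
    f'"{_reversed_blob[i:i + 10]}"' for i in range(0, len(_reversed_blob), 10)
)

if __name__ == "__main__":
    print("raw script finds:", find_encoded_blobs(SAMPLE_SCRIPT))
    print("after collapsing:", deobfuscate(SAMPLE_SCRIPT))
```

Run against the raw sample the scanner finds nothing, because each literal is shorter than the threshold; after collapsing the concatenation the single 56-character run fails a forward decode (it starts with padding) and succeeds reversed. That order of operations is the point: pattern-match only after the string-building layer has been undone.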
Indicators of Compromise
- [Email Addresses] Envelope senders – [email protected], [email protected], [email protected], [email protected]
- [File Hashes] – f1d760423da2245150a931371af474dda519b6c9 (FAKTURA.docx), 539deaf1e61fb54fb998c54ca5791d2d4b83b58c (RTF), 83505673169efb06ab3b99d525ce51b126bd2009 (Remcos binary)
- [URLs] – hxxp://ilang.in/QNkGv, hxxps://paste.ee/d/HdLtf, plus the initial shortened URL that starts the redirect chain
- [IP Addresses] – 94.156.66.67:2409
- [Domains] – newsat.duckdns.org, belgom.duckdns.org, fordede.duckdns.org, logili.duckdns.org
- [File Names] – FAKTURA.docx
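To turn the list above into something a SOC can run, the scanner below matches the published IP:port, domains, defanged URLs and SHA-1 hashes against proxy, DNS and EDR events. It is an added example for this summary, not code from Forcepoint; the log lines are constructed (timestamps, internal hosts and the file path are invented), and the decision to flag any other `duckdns.org` host as "review" rather than "match" is an assumption based on the report's note that the actor relied on that dynamic-DNS provider.

```python
import re

# IoCs transcribed from the summary above (defanged hxxp kept as published).
IOC_IPS = {"94.156.66.67"}
IOC_IP_PORTS = {("94.156.66.67", 2409)}
IOC_DOMAINS = {"newsat.duckdns.org", "belgom.duckdns.org",
               "fordede.duckdns.org", "logili.duckdns.org"}
IOC_URLS_DEFANGED = {"hxxp://ilang.in/QNkGv", "hxxps://paste.ee/d/HdLtf"}
IOC_SHA1 = {"f1d760423da2245150a931371af474dda519b6c9",
            "539deaf1e61fb54fb998c54ca5791d2d4b83b58c",
            "83505673169efb06ab3b99d525ce51b126bd2009"}


def refang(url: str) -> str:
    """hxxp:// -> http:// so published IoCs compare against real log URLs."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}

IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA1 = re.compile(r"\b[0-9a-f]{40}\b", re.I)


def scan_line(line: str) -> list:
    """Return (kind, value, confidence) for each indicator seen on the line.
    'match' = exact IoC; 'review' = weaker signal (the IoC IP on another
    port, or any other duckdns.org host, since the actor used that DDNS)."""
    hits = []
    for m in IP_PORT.finditer(line):
        ip, port = m.group(1), m.group(2)
        if ip in IOC_IPS:
            exact = port is not None and (ip, int(port)) in IOC_IP_PORTS
            hits.append(("ip", m.group(0), "match" if exact else "review"))
    for m in URL.finditer(line):
        url = m.group(0).rstrip(".,;)")
        if url in IOC_URLS:
            hits.append(("url", url, "match"))
    for m in HOST.finditer(line):
        host = m.group(1).lower()
        if host in IOC_DOMAINS:
            hits.append(("domain", host, "match"))
        elif host.endswith(".duckdns.org"):
            hits.append(("domain", host, "review"))
    for m in SHA1.finditer(line):
        if m.group(0).lower() in IOC_SHA1:
            hits.append(("sha1", m.group(0).lower(), "match"))
    return hits


def scan_log(lines) -> list:
    """(line_number, kind, value, confidence) for every hit across the log."""
    return [(n, kind, value, conf)
            for n, line in enumerate(lines, 1)
            for kind, value, conf in scan_line(line)]


# Constructed log lines (not from the report): proxy, DNS and EDR events.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z proxy src=10.0.0.5 dst=94.156.66.67:2409 action=allow",
    "2025-01-01T10:00:01Z dns q=belgom.duckdns.org type=A rcode=NOERROR",
    "2025-01-01T10:00:02Z proxy src=10.0.0.7 url=https://paste.ee/d/HdLtf status=200",
    "2025-01-01T10:00:03Z dns q=www.example.com type=A rcode=NOERROR",
    "2025-01-01T10:00:04Z dns q=other.duckdns.org type=A rcode=NOERROR",
    "2025-01-01T10:00:05Z edr sha1=83505673169efb06ab3b99d525ce51b126bd2009 path=C:\\Users\\Public\\sample.bin",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Note that a proxy `allow` to 94.156.66.67:2409 is the highest-value line here: Remcos C2 on a non-standard port is far easier to act on than the paste.ee fetch, which shares its host with legitimate traffic, and the DuckDNS "review" hits need corroboration before they become blocks.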
Read more: https://www.forcepoint.com/blog/x-labs/url-shortener-microsoft-word-remcos-rat-trojan