Password-protected Excel spreadsheet pushes Remcos RAT
Introduction
I haven't really looked into Remcos RAT lately, but I found an email with a password-protected Excel file attached to it. Further investigation revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. Today's diary reviews a Remcos RAT infection in my lab on Wednesday 2022-05-04.
Figure: Chain of events from Remcos RAT infection on Wednesday 2022-05-04.
Images from the investigation
Figure: Screenshot of email used to kick off this infection.
Figure: Need password from the email to open the attached Excel spreadsheet.
Figure: Screenshot of the unlocked Excel spreadsheet with a malicious macro for Remcos RAT.
Figure: Traffic from the infection filtered in Wireshark.
Figure: Alert in Security Onion reveals suspected Remcos RAT traffic on 184.75.221[.]203.
Figure: First HTTP GET request after enabling macros on the Excel spreadsheet.
Figure: Script returned from first HTTP request saved to victim's /AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup directory.
Figure: Script used for this infection obfuscated using binary-based text.
Figure: More obfuscated script used for this infection.
Figure: Scroll down in the TCP (or HTTP) stream, and you'll find code with hex characters used to create a malicious DLL.
Figure: TCP stream of Remcos RAT C2 traffic.
Figure: Registry updates with license key used for at least one other recent Remcos RAT sample.
Figure: Dump file for keylogger used for this Remcos RAT infection.
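The two obfuscation layers seen in the screenshots (script text written as runs of binary digits, and a DLL carried as hex characters) are both mechanical encodings that an analyst can unwrap before handing the result to a sandbox or a disassembler. The following is an added example written for this diary, not code from the diary or from the malware itself: it decodes binary-based text and hex text back into bytes and checks for an MZ header. The sample strings in it are constructed to illustrate the formats; they are not the real content of EFT.vbs or Deposits.jpg.

```python
"""Decode binary-based text and hex text captured from an obfuscated script.

Added example for analysis; the SAMPLE_* strings below are constructed and
stand in for the real script bodies retrieved during the infection.
"""
import re

MZ_MAGIC = b"MZ"  # first two bytes of any Windows PE file (DLL or EXE)

# Constructed: four bytes (4D 5A 90 00) written as VBS-style string fragments.
SAMPLE_BINARY = '"01001101" & "01011010" & "10010000" & "00000000"'
# Constructed: the first 16 bytes of a typical DOS header as one hex literal.
SAMPLE_HEX = 'payload = "4D5A90000300000004000000FFFF0000"'


def decode_binary_text(text: str) -> bytes:
    """Collapse every run of eight or more '0'/'1' digits into bytes.

    Quotes, '&', spaces and other separators between groups are ignored, so
    '"01001101" & "01011010"' and '0100110101011010' both decode to b'MZ'.
    Short runs (a lone 0 or 1 in ordinary script code) are skipped.
    """
    bits = "".join(re.findall(r"[01]{8,}", text))
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} binary digits is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_hex_text(text: str, min_run: int = 8) -> bytes:
    """Extract hex-encoded bytes from script text.

    Prefixed forms ('0x4D', '&H4D') are collected pair by pair.  Otherwise
    every run of at least `min_run` hex digits is treated as payload, which
    keeps short hex-looking words such as 'ad' or 'De' out of the result.
    """
    prefixed = re.findall(r"(?i)(?:0x|&h)([0-9a-f]{2})", text)
    if prefixed:
        return bytes.fromhex("".join(prefixed))
    runs = [r for r in re.findall(r"[0-9A-Fa-f]+", text) if len(r) >= min_run]
    blob = "".join(runs)
    if len(blob) % 2:
        raise ValueError(f"{len(blob)} hex digits is not an even count")
    return bytes.fromhex(blob)


def looks_like_pe(data: bytes) -> bool:
    """True when the decoded bytes start with the MZ header of a PE file."""
    return data[:2] == MZ_MAGIC


def triage(text: str) -> dict:
    """Run both decoders over captured script text and report what each yields."""
    report = {}
    for name, decoder in (("binary", decode_binary_text), ("hex", decode_hex_text)):
        try:
            data = decoder(text)
        except ValueError as exc:
            report[name] = {"error": str(exc)}
            continue
        report[name] = {"length": len(data), "pe_header": looks_like_pe(data)}
    return report


if __name__ == "__main__":
    print("binary sample ->", decode_binary_text(SAMPLE_BINARY))
    print("hex sample    ->", triage(SAMPLE_HEX))
```

On a real capture, feed the decoders the body of the HTTP response (for example, exported from Wireshark's "Follow TCP stream" view) and write any output that reports `pe_header: True` to disk for static analysis; the decoded DLL is what would otherwise only exist in memory on the infected host.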
Indicators of Compromise (IOCs)
Associated malware:
SHA256 hash: 9162fbb9481096ce0eab74c748c30a156d35d2adc3526fd2f96d6a4d60e9fc80
- File size: 226,816 bytes
- File name: CNB Payment Advice.xls
- File description: password-protected Excel spreadsheet with macros for Remcos RAT
- Password: 34278
- Any.Run analysis: link
SHA256 hash: c36aea682b6fc9e33c8d272de32b31fd9baf16055e7e8006217d9bef79480a04
- File size: 2,060 bytes
- File location: hxxp://198.12.89[.]134/ADP/EFT.vbs
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\credit.vbs
- File description: VBS file used for Remcos RAT infection
SHA256 hash: 12f26a0678ead6807a30af5f667c5b08288254c0c5ef1ba5817a3330f4445940
- File size: 84,480 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: DLL file converted from obfuscated script returned from hxxp://198.12.89[.]134/Accounts/Deposits.jpg
- File note: Did not find this saved to disk during the infection, and I don't know how it's run.
Traffic to retrieve file for Remcos RAT infection:
- hxxp://198.12.89[.]134/ADP/EFT.vbs
- hxxp://198.12.89[.]134/Finance/Remittance.txt
- hxxp://198.12.89[.]134/Accounts/Deposits.jpg
Remcos RAT C2 - TLSv1.3 traffic:
- 184.75.221[.]203 port 55026 - saptransmissions.dvrlists[.]com
Note: Shortly before the above C2 traffic, the infected Windows host generated a DNS query for google.com and an ICMP ping request and response to the associated IP address.
Keylog directory name: MAYB22
License used for this Remcos RAT sample: FDA2A20782EBD0A0B1004D41F9A29296
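The network indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident; before they can be searched against proxy or DNS logs they have to be refanged and normalised. The following is an added example, not part of the diary: it refangs the URLs and C2 indicators listed above, groups them into hosts, full URLs and ip:port endpoints, and runs that set over a few constructed log lines in an assumed, simplified format (timestamp, source IP, then either `DNS <qname>` or `<dst ip:port> <method> <url>`). The indicator values are the diary's; the log lines and the log format are invented for the example.

```python
"""Refang the diary's network IOCs and match them against sample log lines.

Added example; the indicators are copied from the IOC section above, while
SAMPLE_LOG and its column layout are constructed for this illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators as published in the diary (defanged).
URL_IOCS = [
    "hxxp://198.12.89[.]134/ADP/EFT.vbs",
    "hxxp://198.12.89[.]134/Finance/Remittance.txt",
    "hxxp://198.12.89[.]134/Accounts/Deposits.jpg",
]
C2_IOCS = ["184.75.221[.]203:55026", "saptransmissions.dvrlists[.]com"]

# Constructed log lines: "<timestamp> <src ip> DNS <qname>" or
# "<timestamp> <src ip> <dst ip:port> <method> <url>".
SAMPLE_LOG = [
    "2022-05-04T15:02:11Z 10.5.4.22 198.12.89.134:80 GET http://198.12.89.134/ADP/EFT.vbs",
    "2022-05-04T15:02:13Z 10.5.4.22 DNS google.com",
    "2022-05-04T15:02:15Z 10.5.4.22 DNS saptransmissions.dvrlists.com",
    "2022-05-04T15:02:16Z 10.5.4.22 184.75.221.203:55026 TLS -",
    "2022-05-04T15:03:00Z 10.5.4.23 142.250.72.14:443 GET https://www.google.com/",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, hxxps -> https, [.] and (.) -> '.'."""
    ioc = re.sub(r"(?i)^hxxp", "http", ioc)
    return ioc.replace("[.]", ".").replace("(.)", ".")


@dataclass(frozen=True)
class IocSet:
    hosts: frozenset      # hostnames and IP addresses
    urls: frozenset       # full refanged URLs
    endpoints: frozenset  # "ip:port" C2 endpoints


def build_ioc_set(urls, c2s) -> IocSet:
    """Normalise URL and C2 indicators into lookup sets."""
    hosts, full_urls, endpoints = set(), set(), set()
    for u in urls:
        clean = refang(u)
        full_urls.add(clean)
        hosts.add(urlsplit(clean).hostname.lower())
    for c in c2s:
        clean = refang(c).lower()
        if ":" in clean:
            endpoints.add(clean)
            hosts.add(clean.rsplit(":", 1)[0])
        else:
            hosts.add(clean)
    return IocSet(frozenset(hosts), frozenset(full_urls), frozenset(endpoints))


IOCS = build_ioc_set(URL_IOCS, C2_IOCS)


def scan_log(lines, iocs: IocSet):
    """Return (timestamp, src, kind, value) for every line touching an IOC.

    The most specific match wins: full URL, then ip:port endpoint, then host.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, third = parts[0], parts[1], parts[2]
        if third == "DNS":
            qname = parts[3].rstrip(".").lower()
            if qname in iocs.hosts:
                hits.append((ts, src, "dns", qname))
            continue
        url = parts[4] if len(parts) >= 5 else ""
        if url in iocs.urls:
            hits.append((ts, src, "url", url))
        elif third in iocs.endpoints:
            hits.append((ts, src, "c2", third))
        elif third.rsplit(":", 1)[0] in iocs.hosts:
            hits.append((ts, src, "host", third))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IOCS):
        print(hit)
```

The google.com lookup in the sample deliberately produces no hit: the diary notes it as a connectivity check that precedes the C2 traffic, and it is useful context when reviewing a timeline, but on its own it is far too common to alert on.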
Final words
A list of articles and blog posts about Remcos RAT is available on the Malpedia page for Remcos. The list includes an ISC diary in February 2022 by Xavier Mertens.
Malware based on Remcos RAT was first reported in 2017. As 2022 continues, I expect Remcos RAT will continue to be part of our threat landscape.
---
Brad Duncan
brad [at] malware-traffic-analysis.net