This blog post was authored by Erika Noerenberg
Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is usually delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and lets them capture keystrokes, screenshots, credentials and other sensitive system information. Unlike most RATs used by malicious actors, however, Remcos is marketed as an administrative tool by the company Breaking Security, which sells it openly on its website.
Remcos often infects a system by embedding a specially crafted settings file in an Office document, which lets an attacker trick a user into running malicious code without any further prompt. The variant described here has instead been distributed via targeted spam emails carrying an attached archive file. The emails and attachment names have been primarily financially themed; an example email is shown below:
For illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:
| Date | Email Subject | Attachment | Script inside attachment |
|---|---|---|---|
| 21 Jan | Separate Remittance Advice: paper document no - 9604163 | Payment Advice.img | Payment Advice.vbs |
| 26 Apr | Appraisal Report for your Loan Application-11003354677341 | Appraisal.reportl1100335467734.zip | Appraisal.vbs |
| 18 May | Fwd: Appraisal Report for your Loan Application-1100788392210 | Appraisalreportl1100788392210.zip | Appraisal..vbs |
| 28 Jun | Fwd: Reminder: Your July Appointment-11002214991 | transaction_completed11003456773311..zip | Report-Slip.vbs |
| 6 Jul | Fwd: Reminder: Your July Appointment-11003456773312 | transaction_completed11003456773312.zip | Report-11003456773312.vbs |
In most Remcos spam campaigns the payload is an executable inside an attached archive (.zip) or disk image (.img), though malicious documents are also used at times. In this campaign, however, the attached archive or disk image contains a Visual Basic script (.vbs) that downloads and executes further scripts and finally installs the Remcos payload.
Earlier versions also included a "Property.hta" file that comprised only the VB script wrapped in HTML, as seen below. Interestingly, the body of this HTML consisted solely of the text "demo", which suggests it may have been test code.
Remcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software onto the system. This Remcos distribution utilizes a series of scripts that ultimately results in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:
The samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the infection chain followed the process flow above: the initial Visual Basic script kicks off a series of downloads and executions of obfuscated scripts that end with the injection of the final Remcos payload into aspnet_compiler.exe.
Although the script above is lengthy due to obfuscation, it ultimately amounts to the following simple PowerShell command, which downloads and executes a second Visual Basic script:
The first downloaded script (ALL.TXT) is lightly obfuscated in the same way and performs a few simple tasks. Its $JUANADEARCO variable holds Base64-encoded data that the last line of the script decodes (the decoded content is shown in the highlighted box in the image below). The script performs the following actions:
- Creates the directory C:\Users\Public\Run
- Downloads Run_02_02_02.TXT (saved as C:\Users\Public\Run\Run.vbs)
- Downloads Lerveri.txt (saved as C:\Users\Public\Run\-----Run+++++++++.ps1)
- Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup to "C:\Users\Public\Run"
- Sets HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup to "C:\Users\Public\Run"
Explorer locates the per-user Startup folder through these values: User Shell Folders is the key Windows still reads, and Shell Folders is a legacy copy retained for backwards compatibility. Pointing the Startup value of both keys at the malware's working directory makes Explorer treat C:\Users\Public\Run as the user's Startup folder, so everything in it is launched at the next logon, which gives the malware persistence.
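The following PowerShell is an added audit script, not code from the Malwarebytes post or from the malware: it reads the raw Startup value from both shell-folder keys, compares it with the stock location for the current profile (assuming AppData itself has not been redirected), lists whatever now sits in a redirected folder, and offers a function to put the defaults back. The key paths and defaults are the documented Windows ones; everything else is this example's own choice.

```powershell
# Added example (not code from the Malwarebytes post): audit the two Explorer
# "Startup" values that the ALL.TXT stage rewrites, and list whatever now lives
# in a redirected folder. Run in the context of the user whose HKCU you suspect.

$ShellFolderKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

# Expected location for a stock profile. Assumption: AppData itself has not
# been redirected, which this campaign did not do.
$ExpectedStartup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

function Get-StartupFolderRedirection {
    foreach ($key in $ShellFolderKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        # Read the raw string so a tampered REG_EXPAND_SZ is shown as written.
        $raw = $item.GetValue('Startup', $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) { continue }
        $resolved = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Key        = $key
            RawValue   = $raw
            Resolved   = $resolved
            Redirected = ($resolved.TrimEnd('\') -ne $ExpectedStartup.TrimEnd('\'))
        }
    }
}

function Restore-StartupFolder {
    # Put both values back to their defaults; User Shell Folders is REG_EXPAND_SZ.
    Set-ItemProperty -Path $ShellFolderKeys[0] -Name 'Startup' -Type ExpandString `
        -Value '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Set-ItemProperty -Path $ShellFolderKeys[1] -Name 'Startup' -Type String -Value $ExpectedStartup
}

$findings = Get-StartupFolderRedirection
$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object Redirected) {
    Write-Warning "Startup folder redirected to '$($f.Resolved)' via $($f.Key)"
    if (Test-Path -LiteralPath $f.Resolved) {
        # Everything in here runs at the next logon; in this campaign that was
        # Run.vbs and the -----Run+++++++++.ps1 stage.
        Get-ChildItem -LiteralPath $f.Resolved -Force |
            Select-Object FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    }
}
```

Collect the folder contents before calling Restore-StartupFolder, since the dropped scripts are the evidence. Note also why the chain needs Run.vbs at all: a .ps1 placed in a Startup folder is opened by its file association (Notepad by default), not executed, so the VBS stub is what actually invokes PowerShell.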
Run.vbs is obfuscated in a similar fashion to the initial Visual Basic script:
This script (deobfuscated below) does nothing but execute the main PowerShell script, which carries its embedded binaries as plaintext hex strings:
One of the binaries encoded in -----Run+++++++++.ps1 is the Remcos payload, which is loaded into the legitimate Windows binary aspnet_compiler.exe. The following function in the PowerShell script injects the Remcos PE into that process:
Although all of the Remcos samples from this campaign that we have analyzed since January 2021 call back to the same IP address and port, no actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website us.archive.org, and the payloads have connected (though only as far as a TCP handshake) to 185.19.85[.]168 on port 8888.
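To pull the embedded binaries out of such a stage without running it, the following added PowerShell (not the dropper's own code, and not from the post) finds long unbroken runs of hex digits, decodes them, keeps only those with a valid DOS/PE header, hashes them and optionally writes them to disk. The assumption that each binary is one contiguous hex run is this example's; the sample script it is run against is constructed here and contains a minimal header stub rather than real malware.

```powershell
# Added example (not the dropper's own code): carve hex-encoded PE images out of
# a PowerShell stage such as -----Run+++++++++.ps1 without executing it.
# Assumption: each embedded binary is one unbroken run of hex digits.

function Find-HexEncodedPE {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [int]$MinHexChars = 4096,      # real PEs are far longer; lowered only for the sample below
        [string]$OutDir
    )
    foreach ($m in [regex]::Matches($ScriptText, "[0-9A-Fa-f]{$MinHexChars,}")) {
        $hex = $m.Value
        if ($hex.Length % 2) { $hex = $hex.Substring(0, $hex.Length - 1) }   # drop a dangling nibble
        $bytes = [byte[]]::new($hex.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
        }
        # Validate the DOS header: 'MZ' magic and e_lfanew pointing at 'PE\0\0'.
        if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { continue }
        $lfanew = [BitConverter]::ToInt32($bytes, 0x3C)
        if ($lfanew -lt 0 -or $lfanew + 4 -gt $bytes.Length) { continue }
        if ([BitConverter]::ToUInt32($bytes, $lfanew) -ne 0x00004550) { continue }   # "PE\0\0" little-endian
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hash = -join ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
        if ($OutDir) {
            New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
            [IO.File]::WriteAllBytes((Join-Path (Resolve-Path $OutDir) "$hash.bin"), $bytes)
        }
        [pscustomobject]@{ Offset = $m.Index; HexChars = $hex.Length; Bytes = $bytes.Length; SHA256 = $hash }
    }
}

# Constructed sample (not real malware): a 0x48-byte stub with 'MZ' at offset 0,
# e_lfanew = 0x40 at offset 0x3C and 'PE\0\0' at 0x40, embedded the way the
# dropper embeds its payloads, plus a short hex literal that must not match.
$stub = [byte[]]::new(0x48)
$stub[0] = 0x4D; $stub[1] = 0x5A
[BitConverter]::GetBytes([int32]0x40).CopyTo($stub, 0x3C)
$stub[0x40] = 0x50; $stub[0x41] = 0x45
$hexStub = -join ($stub | ForEach-Object { $_.ToString('X2') })
$sampleScript = "`$p = 'ff'; `$payload = '$hexStub'; Invoke-Stage `$payload"

Find-HexEncodedPE -ScriptText $sampleScript -MinHexChars 64 | Format-Table -AutoSize
```

Against a real dropper, run `Find-HexEncodedPE -ScriptText (Get-Content .\dropper.ps1 -Raw) -OutDir .\carved` with the default minimum length; the carved files can then be hashed against the IOC list or loaded in a PE parser. If a loader reverses the string or splits it with separators, normalize the text first, since this carver only recognizes contiguous hex.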
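Because aspnet_compiler.exe is a precompiler with no reason to open sockets, the combination of that process name, a script-host parent and any TCP connection is a usable hunt. The following PowerShell is an added example, not code from the post: it joins Win32_Process with Get-NetTCPConnection and reports aspnet_compiler.exe instances that match either condition. The script-host list and the watched port 8888 (the port this campaign used, assumed here to be unchanged) are this example's parameters.

```powershell
# Added hunt (not code from the post): flag aspnet_compiler.exe instances that
# behave like the injected Remcos host described above, i.e. spawned by a
# script host and/or holding a TCP connection. A precompiler has no reason to
# talk to the network, so any connection is worth a look.

function Find-SuspiciousAspnetCompiler {
    param(
        [string[]]$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'),
        [int[]]$WatchPorts = @(8888)   # the port this campaign used; assumption that it is unchanged
    )
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Ignore listeners and loopback so only real outbound activity counts.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }

    foreach ($p in $procs | Where-Object { $_.Name -ieq 'aspnet_compiler.exe' }) {
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $pconns     = @($conns | Where-Object { $_.OwningProcess -eq $p.ProcessId })
        $reasons    = @()
        if ($parentName -in $ScriptHosts) { $reasons += "parent is $parentName" }
        if ($pconns.Count -gt 0)         { $reasons += "$($pconns.Count) TCP connection(s)" }
        if ($pconns | Where-Object { $_.RemotePort -in $WatchPorts }) { $reasons += 'remote port on watch list' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Parent      = "$parentName ($($p.ParentProcessId))"
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Remote      = ($pconns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) [$($_.State)]" }) -join ', '
            Reasons     = $reasons -join '; '
        }
    }
}

Find-SuspiciousAspnetCompiler | Format-List
```

Two caveats when reading the output: ParentProcessId is a PID, so a parent that has exited may show as `<exited>` or, if the PID was reused, as an unrelated process; and since this campaign's payload only completed a TCP handshake, the connection is short-lived and a one-off snapshot can miss it, so pair the live check with Sysmon network-connection events (Event ID 3) for aspnet_compiler.exe.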
Because this IP address has not changed over several months, we investigated the passive DNS records to see if the infrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over the last few months:
| Address | First Seen | Last Seen |
|---|---|---|
| shugardaddy.ddns.net | 26 May 21 | current as of writing |
| ch-pool-1194.nvpn.to | 24 May 21 | 30 Jun 21 |
| tippet.duckdns.org | 13 May 21 | 16 May 21 |
| mail.swissauto.top | 29 May 20 | 11 May 21 |
| randyphoenix.hopto.org | 4 Apr 21 | 14 Apr 21 |
Examination of this IP address revealed several hosted services on multiple ports. The mail.swissauto.top resolution stands out, as the host appears to have been a mail server, and Spamhaus ZEN lists the address as blocked for sending spam. The #totalhash malware database also contains malware associated with this address going back as far as 2013. Correlating additional malware associated with the address turned up several other Remcos samples connecting to the same IP (many to shugardaddy.ddns.net on port 5946); a few recent samples are shown below:
| SHA256 Hash | Date Last Seen |
|---|---|
| 15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 | 6 Jul 21 |
| 0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e | 5 Jul 21 |
| 8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a | 29 Jun 21 |
| 22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 | 25 Jun 21 |
| 898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 | 25 Jun 21 |
| d7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 | 21 Jun 21 |
One identifying feature of this campaign is the use of us.archive.org to host payloads. Hosting on archive.org is not unique among malware campaigns in general, but it is unique among the Remcos campaigns we have analyzed: only the VBS distribution method has been observed to behave this way.
In an analysis published by Morphisec in March of this year, an HCrypt loader sample showed an infection chain similar to the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediate steps share a few similarities, such as the names of the downloaded scripts ALL.txt, Server.txt and, in newer samples, Bypass.txt. The scripts also share a few function names, but the HCrypt samples carry anti-analysis and antivirus-evasion functionality not seen in the Remcos samples. Further research is needed to determine whether this set of scripts is a generically available package or is specific to a particular actor and being reused across campaigns.
Although the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware suggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic capabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is software that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given the consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind these attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections and indicators as needed.
Malwarebytes protects users from Remcos by using real-time protection.
| Type | Name / Subject | SHA256 |
|---|---|---|
| Email Subject | Fwd: Appraisal Report for your Loan Application-1100788392210 | 673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb09b5b753 |
Remcos VB Scripts:
Related Remcos Samples: