
A new report by Seqrite describes an ongoing campaign that uses steganography, hiding its payloads inside image files, to distribute a variety of malware, including the Remcos RAT and AsyncRAT. The campaign has also been observed distributing DCRAT, Agent Tesla and the VIPKeyLogger stealer, and relies on a multi-stage attack chain to deliver its payloads.
The infection chain begins with a phishing email carrying a malicious Excel document. Rather than relying on macros, the document exploits CVE-2017-0199, the Office OLE object-linking flaw that lets a document fetch a remote file and hand it to the HTA handler; the linked HTTP request downloads an HTA file. The HTA contains VBScript that writes a batch file to disk, and the batch file in turn fetches a further obfuscated VBScript from a paste-site URL.
That VBScript downloads a JPG file in which a base64-encoded second-stage payload, a loader, is concealed. The loader is run with a URL and a target process name as arguments. From the URL it downloads a file whose contents are base64 text written in reverse; reversing the string and then base64-decoding it yields the final payload. Seqrite’s report highlights that “What makes the campaign interesting is the way the attack is orchestrated”.
Seqrite’s analysis details the distribution of Remcos and AsyncRAT through this campaign.
Remcos:
The final payload in some cases is Remcos, a well-known remote access tool. Remcos has been used in the malware world since 2016 and is known for its command-and-control capabilities.
The report states that “Remcos has always been around the malware world since its inception in 2016. From version as early as 1.0 to the most recent one, what keeps Remcos still relevant is in handling its core capability of command and control”.
Remcos typically stores its configuration as an encrypted settings block in the PE resource section; at start-up the block is decrypted and its fields (C2 host and port, botnet name, mutex and similar options) initialise the RAT. In some instances Remcos has been observed deploying additional malware, such as Agent Tesla.
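The following is an added example, not Remcos code and not taken from the Seqrite report, of how such a settings block is read. Public analyses describe the Remcos configuration resource as a one-byte key length, the RC4 key itself, and then the RC4-encrypted configuration with its fields joined by a delimiter string; the report above only says the block is encrypted, so that layout, the delimiter, the field values and the sample block built here are all assumptions constructed for the demonstration.

```javascript
// Added example, not Remcos code and not taken from the Seqrite report.
// Assumed layout (from public analyses, verify against your sample):
//   [1 byte: key length][key bytes][RC4(key, config)]
// with config fields joined by a delimiter string.

// Plain RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts.
function rc4(key, data) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  for (let k = 0, i = 0, j = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Field separator (assumption; it has changed across Remcos versions, so an
// extractor should treat it as a per-sample constant).
const FIELD_DELIMITER = '|\x1e\x1e\x1f|';

// Builds a SETTINGS-style blob so the parser below has realistic input.
function buildSettingsBlock(key, fields) {
  const plain = Buffer.from(fields.join(FIELD_DELIMITER), 'latin1');
  return Buffer.concat([Buffer.from([key.length]), key, rc4(key, plain)]);
}

// What the RAT does at start-up: read the key length, pull out the key,
// RC4-decrypt the remainder and split it into configuration fields.
function parseSettingsBlock(blob) {
  if (blob.length < 2) throw new Error('settings block too short');
  const keyLen = blob[0];
  if (keyLen === 0 || blob.length <= 1 + keyLen) throw new Error('malformed settings block');
  const key = blob.subarray(1, 1 + keyLen);
  const plain = rc4(key, blob.subarray(1 + keyLen)).toString('latin1');
  return plain.split(FIELD_DELIMITER);
}

// Constructed sample: C2 as host:port:password, botnet name, mutex name.
const SAMPLE_FIELDS = ['203.0.113.5:2404:1', 'RemoteHost', 'Rmc-EXAMPLE'];
const SAMPLE_KEY = Buffer.from('constructed-rc4-key', 'latin1');

function demo() {
  const blob = buildSettingsBlock(SAMPLE_KEY, SAMPLE_FIELDS);
  const fields = parseSettingsBlock(blob);
  const [host, port] = fields[0].split(':');
  return { blob, fields, c2: { host, port: Number(port) } };
}
```

The point worth noticing is that the key travels in the clear at the front of the blob: anyone holding the binary can decrypt the configuration, so the encryption only defeats string-based scanning, not analysis.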
AsyncRAT:
AsyncRAT, another remote access Trojan written in C#, is also distributed through this campaign. AsyncRAT offers standard RAT and information-stealing features, including keylogging, additional payload execution/injection, and command-and-control capabilities.
Execution of AsyncRAT begins with a “De_lay” function that pauses before any other activity, most likely to outlast the time budget of automated sandboxes. The “InitializeSettings()” function then decrypts the hardcoded, AES-encrypted configuration strings, and a “verifyhash()” function validates the configuration by checking the embedded server signature against the public key of the embedded server certificate.
In the open-source AsyncRAT client the Pastebin setting acts as a dead-drop resolver: the string fetched with the “WebClient.DownloadString” API is parsed as a host:port pair for the C2 server. If the Pastebin value is null, the client falls back to the hosts and port from the configuration and opens a raw TCP socket to the C2 server.
Both Remcos and AsyncRAT are delivered using steganography in the loose sense used here: the payload is stored as base64 text inside a JPG file that still opens as an ordinary image. The downloader does not need to understand the image format at all; it searches the file for a pair of fixed marker strings, takes the text between them and base64-decodes it.
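The two encoding tricks in this chain, the marker-delimited base64 appended to a JPG described here and the reversed base64 served to the loader described earlier, are small enough to show in one added example. The code below is not from the report or from the malware; the marker strings, the minimal JPEG and both payloads are constructed for the demonstration, and a real sample hardcodes its own markers.

```javascript
// Added example (not from the Seqrite report, not malware code): how a downloader
// pulls a base64 payload hidden after the image data of a JPG, and how the next
// stage undoes "reversed base64". Markers, JPG and payloads are constructed here.

// Marker strings are an assumption; a real sample hardcodes its own pair.
const START_MARKER = '<<BASE64_START>>';
const END_MARKER = '<<BASE64_END>>';

// Minimal JPEG: SOI, a JFIF APP0 segment, a few stand-in scan bytes, EOI.
// Viewers stop at EOI (FF D9), so anything appended afterwards is ignored,
// which is why the carrier still renders as a harmless image.
function buildCarrierJpg(hiddenPayload) {
  const jpeg = Buffer.from([
    0xff, 0xd8,                                     // SOI
    0xff, 0xe0, 0x00, 0x10,                         // APP0, length 16
    0x4a, 0x46, 0x49, 0x46, 0x00,                   // "JFIF\0"
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x11, 0x22, 0x33,                               // stand-in for scan data
    0xff, 0xd9,                                     // EOI
  ]);
  const trailer = Buffer.from(START_MARKER + hiddenPayload.toString('base64') + END_MARKER, 'latin1');
  return Buffer.concat([jpeg, trailer]);
}

// What the VBScript downloader does: find the markers, cut out the text between
// them and base64-decode it. Returns null when no markers exist, so a genuine
// image yields nothing rather than garbage.
function extractHiddenPayload(jpgBytes) {
  const text = jpgBytes.toString('latin1');
  const start = text.indexOf(START_MARKER);
  if (start === -1) return null;
  const end = text.indexOf(END_MARKER, start + START_MARKER.length);
  if (end === -1) return null;
  return Buffer.from(text.slice(start + START_MARKER.length, end).trim(), 'base64');
}

// Second stage: the loader fetches base64 text stored back to front.
// Reverse first, then decode; decoding the string as served yields garbage.
function decodeReversedBase64(text) {
  return Buffer.from(Array.from(text.trim()).reverse().join(''), 'base64');
}

// Cheap sanity check an extractor should apply before trusting a decoded blob.
function looksLikePe(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a; // "MZ"
}

// Constructed stand-ins for the loader and the final payload, each starting
// with the PE magic so the sanity check above has something to test.
const LOADER = Buffer.from('MZ\x90\x00loader-stage-2', 'latin1');
const FINAL = Buffer.from('MZ\x90\x00final-rat-payload', 'latin1');

function demo() {
  const jpg = buildCarrierJpg(LOADER);
  const stage2 = extractHiddenPayload(jpg);
  // What the loader's URL would serve: the final payload's base64, reversed.
  const served = Array.from(FINAL.toString('base64')).reverse().join('');
  const final = decodeReversedBase64(served);
  return {
    jpgStillStartsWithSoi: jpg[0] === 0xff && jpg[1] === 0xd8,
    stage2,
    stage2IsPe: stage2 !== null && looksLikePe(stage2),
    finalMatches: final.equals(FINAL),
    naiveDecodeIsPe: looksLikePe(Buffer.from(served, 'base64')),
  };
}
```

Two practical notes: base64 padding characters end up at the front of the reversed string, so a hunting rule for "text that starts with one or two '=' signs" catches the served file cheaply, and a JPG whose size is well beyond what its dimensions justify, with printable ASCII after the EOI marker, is the corresponding check on the image side.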
The report also notes the use of obfuscation techniques. The DLL files used in the attack chain are obfuscated, with varying levels of obfuscation observed between the Remcos and AsyncRAT samples. Despite the obfuscation, the core functionality of the DLLs remains the same.
The final stage of the attack involves process hollowing. The report details that: “This function does the process hollowing with the targeted process which is being supplied as fifth argument”.
The loader creates a new instance of the target process in a suspended state (typically CreateProcess with CREATE_SUSPENDED), unmaps the legitimate image from its address space (NtUnmapViewOfSection), allocates memory for the payload (VirtualAllocEx), writes the payload in (WriteProcessMemory), points the main thread at the payload’s entry point (SetThreadContext) and resumes it (ResumeThread). The payload then runs under the name and on-disk path of the hollowed process, which is what defeats monitoring that trusts the process image name.
Organizations are advised to implement robust email filtering, disable execution of macros in documents, and monitor network traffic for unusual connections to known C2 domains. Because the first stage of this chain abuses CVE-2017-0199 rather than macros, macro restrictions alone do not stop it: patching Office against that CVE and blocking or alerting on mshta.exe launched by Office processes address the chain directly. Egress monitoring should also cover script hosts (mshta, wscript, cscript) fetching content from paste sites and image URLs, since two stages of this chain do exactly that.