Threat Actors Delivering Remcos RAT Distributed as UUE File


AhnLab Security Intelligence Center (ASEC) has confirmed that the Remcos RAT malware is being distributed through UUE (UUEncoding) files compressed with Power Archiver.

This distribution method has been observed in phishing emails disguised as export/import shipment notices or quotations, so recipients of such emails should exercise caution.

[Figure: Phishing Email]

UUEncoding: A Method to Bypass Detection

According to the AhnLab report, attackers distribute VBS script files encoded with the UUEncoding method as email attachments.

UUEncoding, short for Unix-to-Unix Encode, is used for data exchange between Unix systems. It encodes binary data as printable ASCII text, which can help the attachment slip past detection mechanisms.

[Figure: UUEncoded VBS Script]

The structure of the UUE (UUEncoding) file consists of a header line (begin), the encoded data, and an end marker (end). When decoded, the obfuscated VBS script is revealed, as shown below.
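As an added illustration of that structure (not code from ASEC or from the malware), the following Python parser walks the begin/data/end layout and decodes the 6-bit groups, the way an analyst would unpack such an attachment for inspection. The sample file is a constructed, harmless one, and the matching encoder is included only so the round trip can be checked.

```python
# Constructed sample in the standard uuencode layout (not the real attachment).
SAMPLE_UUE = "begin 644 cat.txt\n#0V%T\n`\nend\n"

def _val(ch: str) -> int:
    """One UUE char to its 6-bit value; ' ' and '`' both mean 0."""
    v = 0 if ch == "`" else ord(ch) - 32
    if not 0 <= v < 64:
        raise ValueError(f"invalid uuencode character {ch!r}")
    return v

def decode_uu_line(line: str) -> bytes:
    """First char = byte count; then four 6-bit chars per three output bytes."""
    if not line:
        return b""
    n, body = _val(line[0]), line[1:]
    body += " " * (-len(body) % 4)  # tolerate mailers that strip trailing blanks
    out = bytearray()
    for i in range(0, len(body), 4):
        a, b, c, d = (_val(x) for x in body[i:i + 4])
        out += bytes(((a << 2) | (b >> 4), ((b & 0xF) << 4) | (c >> 2), ((c & 3) << 6) | d))
    return bytes(out[:n])

def parse_uue(text: str) -> tuple[str, int, bytes]:
    """Walk 'begin <mode> <name>', data lines, 'end'; return (name, mode, payload)."""
    lines = iter(text.splitlines())
    for line in lines:
        parts = line.split(None, 2)  # header: begin <octal mode> <filename>
        if len(parts) == 3 and parts[0] == "begin":
            break
    else:
        raise ValueError("no 'begin' header")
    name, mode, data = parts[2].strip(), int(parts[1], 8), bytearray()
    for line in lines:
        if line.strip() == "end":
            return name, mode, bytes(data)
        data += decode_uu_line(line)  # the '`' terminator line decodes to b""
    raise ValueError("missing 'end' trailer")

def encode_uu(name: str, data: bytes, mode: int = 0o644) -> str:
    """Inverse of parse_uue, 45 input bytes per line as uuencode does."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        x = chunk + b"\0" * (-len(chunk) % 3)
        sextets = [v for j in range(0, len(x), 3) for v in
                   (x[j] >> 2, ((x[j] & 3) << 4) | (x[j + 1] >> 4),
                    ((x[j + 1] & 0xF) << 2) | (x[j + 2] >> 6), x[j + 2] & 0x3F)]
        lines.append(chr(32 + len(chunk)) + "".join(chr(32 + v) if v else "`" for v in sextets))
    return "\n".join(lines + ["`", "end"]) + "\n"
```

Feeding a real attachment's text to parse_uue yields the filename declared in the header and the raw script bytes, which is what a mail gateway or analyst needs to inspect before anything is executed.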

[Figure: Obfuscated VBS Script]

Downloader: The Path to Infection

When the VBS script is executed, it saves a PowerShell script in the %Temp% path under the file name Talehmmedes.txt.

This PowerShell script accesses a malicious URL, downloads a file named Haartoppens.Eft to the %AppData% path, and then runs additional PowerShell scripts.

The additional PowerShell script is also obfuscated to hinder analysis. Its main function is to load shellcode into the wab.exe process.

The shellcode creates a registry entry to maintain persistence and loads additional data by accessing another malicious URL. The final payload executed is Remcos RAT.

[Figure: Registry Registration 1]

Remcos RAT: The Final Payload

Remcos RAT collects system information through a specific URL, saves keylogging data as mifvghs.dat in the %AppData% path, and transmits it to the Command & Control (C&C) server.

[Figure: Remcos RAT Settings]

C&C Server Information

  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0

Users should refrain from executing attachments in emails from unknown sources.

If an attachment has been downloaded, avoid executing (allowing) macros.

Ensure that the security settings of document programs are set to a high level to prevent unintended functions from running.

Additionally, it is recommended to keep the antivirus engine and its signature (pattern) version up to date.
