AhnLab Security Intelligence Center (ASEC) has confirmed that Remcos RAT malware is being distributed through UUE (UUEncoding) files compressed with Power Archiver.
This distribution method has been observed in phishing emails disguised as export/import shipment notices or quotations, so recipients should treat such attachments with caution.
UUEncoding: A Method to Bypass Detection
According to AhnLab's report, attackers distribute VBS script files encoded with the UUEncoding method as email attachments.
UUEncoding, short for Unix-to-Unix Encoding, was designed for exchanging data between Unix systems.
It encodes binary data as printable ASCII text, which attackers use to help the attachment evade detection mechanisms.
The structure of a UUE (UUEncoding) file consists of a header (begin), the encoded data, and a trailer (end). When decoded, the obfuscated VBS script is revealed, as shown below.
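The three-part layout described above is simple enough to parse directly, which is useful for triaging mail attachments before anything is opened. The following Python is an added example, not code from the report or from AhnLab: it builds a UUE file from constructed sample bytes (a harmless text payload wrapped under a .vbs name, mirroring how the campaign wraps its script), parses the begin line, decodes the data lines, and flags the embedded file name when its extension is a script type. The `SCRIPT_EXTENSIONS` set and the function names are assumptions made for the example.

```python
import binascii
import os
from dataclasses import dataclass

# Attachment extensions that are scripts rather than documents; a UUE wrapper around
# one of these (a .vbs in this campaign) is worth flagging before the file is opened.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}


@dataclass
class UueFile:
    mode: int    # permission bits from the "begin" line (octal)
    name: str    # file name carried in the "begin" line
    data: bytes  # decoded payload


def uuencode(name: str, data: bytes, mode: int = 0o644) -> str:
    """Build a UUE text file: begin line, 45-byte encoded chunks, '`' terminator, end line.
    Only used here to construct an offline sample."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):  # a uuencode line carries at most 45 raw bytes
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")  # zero-length line that conventionally precedes "end"
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> UueFile:
    """Parse the header / data / trailer structure and return the embedded file.
    Raises ValueError on a missing header or trailer so truncated input is not silently accepted."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' header")
    parts = lines[start].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed 'begin' line")
    mode, name = int(parts[1], 8), parts[2]
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            return UueFile(mode, name, bytes(out))
        if line in ("", "`"):  # empty or zero-length marker line: nothing to decode
            continue
        out += binascii.a2b_uu(line)
    raise ValueError("missing 'end' trailer")


def is_script_attachment(f: UueFile) -> bool:
    """Triage check: does the name in the UUE header point at a script file?"""
    return os.path.splitext(f.name)[1].lower() in SCRIPT_EXTENSIONS


# Constructed sample (not from the report): harmless text wrapped under a .vbs name.
SAMPLE_UUE = uuencode("quotation.vbs", b"constructed sample payload, not a real script")

if __name__ == "__main__":
    f = uudecode(SAMPLE_UUE)
    print(f"name={f.name} mode={f.mode:o} size={len(f.data)} script={is_script_attachment(f)}")
```

The decoder deliberately keys off the file name in the begin line rather than the outer archive name, because the outer container (here a Power Archiver archive) says nothing about what the decoded content will be.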
Downloader: The Path to Infection
When executed, the VBS script saves a PowerShell script to the %Temp% path under the file name Talehmmedes.txt.
This PowerShell script accesses a malicious URL, downloads a file named Haartoppens.Eft to the %AppData% path, and then runs additional PowerShell scripts.
The additional PowerShell script is also obfuscated to hinder analysis. Its main function is to load shellcode into the wab.exe process.
The shellcode creates a registry entry to maintain persistence and loads additional data from another malicious URL. The final payload executed is Remcos RAT.
Remcos RAT: The Final Payload
Remcos RAT collects system information via a specific URL, saves keylogging data as mifvghs.dat in the %AppData% path, and transmits it to the command-and-control (C&C) server.
C&C Server Information
- frabyst44habvous1.duckdns[.]org:2980:0
- frabyst44habvous1.duckdns[.]org:2981:1
- frabyst44habvous2.duckdns[.]org:2980:0
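The file names in the infection chain above and the C&C entries listed here are the indicators a defender can act on. The following Python is an added example, not code from the report or from AhnLab: it refangs the C&C entries (treating the third colon-separated field as opaque, since the report does not explain it), and runs a small set of matching rules over constructed, Sysmon-style telemetry records. The record schema (`file_create`, `dns_query`, `network_connect`, `process_create` with the field names used) is an assumption for the example, as is the rule that flags wab.exe started by powershell.exe; the report only states that the PowerShell stage loads shellcode into wab.exe.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable

# C&C entries exactly as printed in the report: "host:port:<third field>", dots defanged.
REPORTED_C2 = [
    "frabyst44habvous1.duckdns[.]org:2980:0",
    "frabyst44habvous1.duckdns[.]org:2981:1",
    "frabyst44habvous2.duckdns[.]org:2980:0",
]
# File names the report attributes to the chain: dropped PowerShell script,
# downloaded payload, and the keylogging data file.
REPORTED_FILENAMES = {"talehmmedes.txt", "haartoppens.eft", "mifvghs.dat"}


def parse_c2(entry: str) -> tuple[str, int, str]:
    """Refang and split a 'host:port:flag' entry; the third field is kept opaque."""
    host, port, flag = entry.replace("[.]", ".").rsplit(":", 2)
    return host.lower(), int(port), flag


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def scan_events(events: Iterable[dict]) -> list[Finding]:
    """Match telemetry records against the report's indicators and one behavioural rule."""
    endpoints = {(h, p) for h, p, _ in map(parse_c2, REPORTED_C2)}
    hosts = {h for h, _ in endpoints}
    findings: list[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            if ntpath.basename(ev["path"]).lower() in REPORTED_FILENAMES:
                findings.append(Finding("reported_file_artifact", ev["path"]))
        elif kind == "dns_query":
            if ev["query"].lower().rstrip(".") in hosts:
                findings.append(Finding("reported_c2_domain", ev["query"]))
        elif kind == "network_connect":
            if (ev["dst_host"].lower(), ev["dst_port"]) in endpoints:
                findings.append(Finding("reported_c2_endpoint", f"{ev['dst_host']}:{ev['dst_port']}"))
        elif kind == "process_create":
            # Assumption, not stated in the report: the PowerShell stage that injects
            # into wab.exe is its parent process.
            image = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            if image == "wab.exe" and parent == "powershell.exe":
                findings.append(Finding("wab_spawned_by_powershell", ev["image"]))
    return findings


# Constructed sample telemetry (not from the report): events mirroring the chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\Talehmmedes.txt"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\Haartoppens.Eft"},
    {"type": "process_create", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "dns_query", "query": "frabyst44habvous1.duckdns.org"},
    {"type": "network_connect", "dst_host": "frabyst44habvous2.duckdns.org", "dst_port": 2980},
    {"type": "network_connect", "dst_host": "frabyst44habvous2.duckdns.org", "dst_port": 443},
    {"type": "file_create", "path": r"C:\Users\u\Documents\report.docx"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding.rule, finding.detail)
```

Matching on file basenames rather than full paths keeps the rules independent of the user profile directory, and the endpoint rule requires both host and port so that unrelated traffic to the same DuckDNS host (port 443 in the sample) is not counted as a C&C hit.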
Users should refrain from executing attachments in emails from unknown sources.
If an attachment has already been downloaded, avoid enabling (running) macros.
Ensure that the security settings of document programs are set to a high level to prevent unintended functions from running.
Additionally, it is recommended to update the antivirus engine pattern version to the latest version.