While monitoring the distribution sources of malware in South Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the Remcos RAT malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.
Attackers typically use easily obtainable malware such as njRAT and UDP RAT and disguise it as legitimate programs such as games or adult content for distribution. Similar cases have been covered in previous ASEC blog posts:
- UDP RAT Malware Being Distributed via Webhards
- njRAT Being Distributed through Webhards and Torrents
- njRAT Malware Distributed via Major Korean Webhard
As shown in Figure 1, malware is being distributed under multiple game titles using the same method. The posts all include a guide telling users to run the Game.exe file.
When the archive is decompressed, the Game.exe file is present. Although it looks like a regular game launcher, the DLL actually used to run the game exists separately, and running Game.exe executes the malicious VBS scripts alongside the game files.
As shown in Figure 5, the malicious VBS scripts and the malware are located in the www\js\plugins folder. What is ultimately executed is the ffmpeg.exe malware. The infection flow when it is executed is shown below.
When ffmpeg.exe is executed, test.jpg is split on the “sexyz” string to extract the encrypted binary and the key value. These are then injected into explorer.exe.
The injected malware downloads Remcos RAT from the C&C server shown in Figure 9 and attempts further malicious behavior by injecting it into ServiceModelReg.exe.
As this case shows, users should exercise caution because malware is actively distributed via file-sharing websites such as Korean webhards. Caution is advised when running executables downloaded from a file-sharing website, and it is recommended that users download programs from official websites.
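The dropper layout described above, written up as a triage check (an added example, not ASEC's code): it flags script files placed under www\js\plugins and any image-named file that splits on the “sexyz” delimiter into at least two blobs. The directory tree it scans is constructed for the demo; only the file names, folder path and delimiter come from the analysis.

```python
import hashlib
import tempfile
from pathlib import Path

# test.jpg is split on this string to separate the encrypted binary from the key.
DELIMITER = b"sexyz"
SCRIPT_EXTS = {".vbs", ".bat"}
PLUGIN_DIR = Path("www") / "js" / "plugins"


def split_container(data: bytes) -> list[bytes]:
    """Return the delimiter-separated blobs in a decoy file, or [] if none."""
    return data.split(DELIMITER) if DELIMITER in data else []


def scan_game_folder(root: str) -> list[dict]:
    """Walk an extracted archive and report the two layout indicators."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        data = path.read_bytes()
        if path.suffix.lower() in SCRIPT_EXTS and PLUGIN_DIR in rel.parents:
            findings.append({"file": rel.as_posix(), "reason": "script in www/js/plugins",
                             "md5": hashlib.md5(data, usedforsecurity=False).hexdigest()})
        elif path.suffix.lower() in (".jpg", ".jpeg"):
            parts = split_container(data)
            if len(parts) >= 2:
                findings.append({"file": rel.as_posix(), "reason": "delimiter container",
                                 "part_sizes": [len(p) for p in parts]})
    return findings


def demo() -> list[dict]:
    """Build a constructed sample tree (not the real archive) and scan it."""
    root = tempfile.mkdtemp()
    plugins = Path(root) / PLUGIN_DIR
    plugins.mkdir(parents=True)
    (Path(root) / "Game.exe").write_bytes(b"MZ decoy launcher")
    (plugins / "passage.vbs").write_text('WScript.Echo "constructed sample"\n')
    # constructed decoy image: JPEG magic, fake ciphertext, delimiter, fake key
    (plugins / "test.jpg").write_bytes(b"\xff\xd8" + b"C" * 64 + DELIMITER + b"K" * 16)
    return scan_game_folder(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```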
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Remcos RAT Being Distributed via Webhards appeared first on ASEC BLOG.