Remcos RAT Being Distributed via Webhards

by Prapattimynk, Monday, 15 January 2024 (1 month ago)
Remcos RAT Being Distributed via Webhards


While monitoring the distribution sources of malware in South Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the Remcos RAT malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.

Attackers normally use easily obtainable malware such as njRAT and UDP RAT, and disguise them as legitimate programs such as games or adult content for distribution. Similar cases were introduced in the previous ASEC blogs multiple times:

Figure 1. Uploaded posts
Figure 2. Malware disguised as an adult game being distributed via webhards

As shown in Figure 1, malware are being distributed via multiple games using the same method. The posts all have a guide that tells users to run the Game.exe file.

When the file is decompressed, the Game.exe file is present. Although it looks like a regular game launcher, the actual dll used to run the game exists separately, and the malicious VBS scripts are executed with the game file when you run Game.exe.

Figure 3. Malware disguised as a regular Game.exe file
Figure 4. Routine to execute malicious VBS scripts
Figure 5. Malicious files existing in the wwwjsplugins folder

As shown in Figure 5, malware with malicious VBS exist in the wwwjsplugins folder. What is ultimately executed is the ffmpeg.exe malware. The infection flow of the malware when it is executed is shown below.

Figure 6. Infection flow of malware

When ffmpeg.exe is executed, the “sexyz” string is split to extract the encrypted binary and the Key value from test.jpg. They are then injected into explorer.exe.

Figure 7. Parsing encrypted malware from test.jpg
Figure 8. explorer.exe injection logic

The injected malware downloads Remcos RAT through the C&C server shown in Figure 9 and attempts to perform additional behaviors by injecting it to ServiceModelReg.exe.

Figure 9. Logic used to download Remcos RAT
Figure 10. Remcos RAT main

As shown in the example, users need to take caution as malware are being distributed actively via file-sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from a file-sharing website. It is recommended that users download programs from the official websites.

[File Detection]
Trojan/Win.Injector.R630725 (2024.01.08.02)
Trojan/Win.Injector.R630726 (2024.01.08.02)
Trojan/VBS.Runner.SC195782 (2024.01.08.02)
Trojan/VBS.Runner.SC195783 (2024.01.08.02)
Trojan/BAT.Agent.SC195781 (2024.01.08.02)
Trojan/BAT.Agent.SC195785 (2024.01.08.02)
Trojan/VBS.Runner.SC195786 (2024.01.08.02)
Trojan/VBS.Runner.SC195787 (2024.01.08.02)
Trojan/VBS.Runner.SC195784 (2024.01.08.02)

[IOC]
Files

– ffmpeg.exe : 00bfd32843a34abf0b2fb26a395ed2a4
– ffmpeg.dll : 4d04070dee9b27afc174016b3648b06c
– test.jpg : 5193669c2968980c0e88a87fd4bf61c4
– passage.vbs : 2e6796377e20a6ef4b5e85a4ebbe614d
– passage2.vbs : b05de31c9c254eea1be1dc4c5a38672c
– passage.bat : 5574647e6e64cee7986478a31eecbae0
– passage2.bat : 629c21b1eee4e65eb38809302ae029f6
– space.vbs : ee198ab059b0e180757e543ab6e02bed
– sky.vbs : 2f6768c1e17e63f67e173838348dee58
– road.vbs : 36aa180dc652faf6da2d68ec4dac8ddf

C&C Servers
– kyochonchlcken.com/share/Favela.r6map
– kyochonchlcken.com/share/1.exe
– kyochonchlcken.com/share/BankG.r6map

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.