RemcosRAT Distributed Using Steganography - ASEC
By ATCP
Published: 2024-04-24 · Archived: 2026-04-05 19:09:19 UTC
Source: https://asec.ahnlab.com/en/65111/

AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using a steganography technique. The attack begins with a Word document that uses template injection: the injected template is an RTF file that exploits a vulnerability in the equation editor (EQNEDT32.EXE), and it is downloaded and executed when the document is opened. The RTF file then downloads a VBScript that carries a ".jpg" file extension from the C2, and another VBScript from "paste.ee", a service similar to "Pastebin" where anyone can upload text for free.

The downloaded VBScript is obfuscated with many special characters and ultimately assembles and executes a PowerShell script through Replace calls. This PowerShell script downloads an image hosted on an external site. The image file carries Base64-encoded data appended after the bytes "FF D9", the end-of-image (footer) marker of a JPEG file, so image viewers stop at the marker and the file still opens as a normal picture. The script reads the data between the strings "<>" and "BASE64_END" and Base64-decodes it. The decoded data is a .NET DLL, which is loaded through reflective code loading and invoked with 6 arguments.

The loaded DLL downloads an additional file from the C2 that is passed to it as one of its arguments, creates RegAsm.exe as a child process and runs the downloaded payload inside it with the process hollowing technique. RemcosRAT is the process that is ultimately executed. Note that RegAsm.exe is a legitimate, signed .NET Framework utility and the file on disk is untouched, so the malicious code exists only in the memory of the hollowed process; file hashes of RegAsm.exe will not reveal it, and detection has to rely on the process chain and on in-memory or network behavior.

Because RemcosRAT is distributed in many ways, including spam emails and under the guise of crack software download links, users are advised to exercise particular caution. They should also update V3 to the latest version to prevent malware infection in advance.
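The image-carrier layout described above (valid JPEG, then "<>" + Base64 text + "BASE64_END" after the FF D9 end-of-image marker) can be checked and unpacked with a few lines of Python. The following is an added example written for this page, not code from the original post or from the malware: it builds a tiny constructed JPEG with a stand-in payload inline so it runs offline, splits the file at the last FF D9, pulls the text between the two delimiters, decodes it and applies a cheap MZ/PE header check. The delimiter strings come from the analysis; the sample image, the stand-in payload and the function names are assumptions of the example.

```python
import base64
import ntpath
from typing import Optional, Dict

EOI = b"\xff\xd9"           # JPEG end-of-image marker; viewers ignore anything after it
START_MARK = b"<>"          # delimiters reported in the analysis
END_MARK = b"BASE64_END"

# --- constructed sample input (not a real capture) ---------------------------
# A stand-in for the .NET DLL: a valid-looking DOS header whose e_lfanew (offset
# 0x3C) points at a "PE\0\0" signature at 0x40. It is NOT a loadable PE file.
FAKE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 56            # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")           # e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 32          # PE signature + padding
)
CLEAN_JPEG = (
    b"\xff\xd8"                                                          # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"       # APP0
    b"\xff\xd9"                                                          # EOI
)
# Carrier in the layout the post describes: the Base64 blob is ASCII, so it can
# never contain an 0xFF byte and the last FF D9 in the file is the real EOI.
STEGO_JPEG = CLEAN_JPEG + START_MARK + base64.b64encode(FAKE_DLL) + END_MARK


def jpeg_trailer(data: bytes) -> bytes:
    """Bytes after the last FF D9 marker (b"" when nothing follows it)."""
    idx = data.rfind(EOI)
    return b"" if idx < 0 else data[idx + len(EOI):]


def extract_payload(image: bytes) -> Optional[bytes]:
    """Return the decoded blob between "<>" and "BASE64_END", or None."""
    trailer = jpeg_trailer(image)
    start = trailer.find(START_MARK)
    if start < 0:
        return None
    end = trailer.find(END_MARK, start + len(START_MARK))
    if end < 0:
        return None
    blob = trailer[start + len(START_MARK):end]
    blob = b"".join(blob.split())            # tolerate line breaks in the text
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage: 'MZ' at 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan(image: bytes) -> Dict[str, object]:
    """Summarise one image: trailer size, whether a payload decoded, PE-ness."""
    payload = extract_payload(image)
    return {
        "trailer_bytes": len(jpeg_trailer(image)),
        "payload_bytes": 0 if payload is None else len(payload),
        "is_pe": payload is not None and looks_like_pe(payload),
    }


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk (hypothetical helper)."""
    with open(path, "rb") as fh:
        result = scan(fh.read())
    result["file"] = ntpath.basename(path)
    return result


if __name__ == "__main__":
    print("clean:", scan(CLEAN_JPEG))
    print("stego:", scan(STEGO_JPEG))
```

A non-zero trailer after the last FF D9 is already worth a look in mail or proxy logs; appended Base64 text that decodes to an MZ header is a strong signal for this campaign and for other append-after-EOI loaders. Note that images with embedded EXIF thumbnails contain an inner FF D9, which is why the code splits on the last marker rather than the first.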
File Detection
Downloader/VBS.Agent.SC199181 (2024.04.19.00)
Data/BIN.Encoded (2024.04.18.03)
Downloader/VBS.Agent.SC198254 (2024.03.19.03)
RTF/Malform-A.Gen (2024.03.19.01)

Behavior Detection
Execution/MDP.Powershell.M2514

Reference
1) https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/

MD5
6605b28a03ea7caa3a40451cbbc75034
b06fe78aad12f615595040308affc0d8
c7603f1da9d5ebb35076f285eb374ba6
f5a49410d9ea23dc2cf67d7d3ba8fad0
fdfd9e702f54e28dc2ca5f7c04bf1c8f

URL
http[:]//192[.]210[.]201[.]57[:]52748/
http[:]//ur8ly[.]com/asy2xr
https[:]//paste[.]ee/dEh1G4

IP
Additional IOCs are available on AhnLab TIP.

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.
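The behavior detection above keys on the PowerShell stage. The process chain in the analysis (EQNEDT32.EXE spawning a script host, the script host starting PowerShell, PowerShell hollowing RegAsm.exe, RegAsm.exe talking to the C2) also gives several endpoint-telemetry signals that survive the fact that RegAsm.exe on disk is clean. The following is an added example, not part of the ASEC post or of any AhnLab product: it runs a handful of parent-child and network heuristics over constructed Sysmon-style records. The record shape, the command lines and the benign control record are assumptions of the example; the C2 address is the one from the URL list above; the "RegAsm.exe started without an assembly argument" rule is a heuristic that will need an allowlist for build and installer tooling in a real environment.

```python
import ntpath
from typing import Dict, List

# --- constructed telemetry (not real logs) -----------------------------------
SVCHOST = r"C:\Windows\System32\svchost.exe"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CMD = r"C:\Windows\System32\cmd.exe"

EVENTS = [
    # Equation Editor is started by DCOM (parent svchost.exe); that part is normal.
    {"event": "process_create", "pid": 4220, "ppid": 880, "image": EQNEDT,
     "parent": SVCHOST, "cmd": '"EQNEDT32.EXE" -Embedding'},
    # It should never spawn children; here it launches the downloaded script.
    {"event": "process_create", "pid": 4310, "ppid": 4220, "image": WSCRIPT,
     "parent": EQNEDT, "cmd": 'wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs'},
    {"event": "process_create", "pid": 4400, "ppid": 4310, "image": POWERSHELL,
     "parent": WSCRIPT, "cmd": "powershell.exe -w hidden -ep bypass -c <obfuscated>"},
    # Hollowed RegAsm.exe: launched by PowerShell, no assembly path on the command line.
    {"event": "process_create", "pid": 4480, "ppid": 4400, "image": REGASM,
     "parent": POWERSHELL, "cmd": '"' + REGASM + '"'},
    {"event": "network_connect", "pid": 4480, "image": REGASM,
     "dst": "192.210.201.57", "dport": 52748},
    # Benign control: a developer registering a COM-visible assembly from a shell.
    {"event": "process_create", "pid": 5000, "ppid": 2200, "image": REGASM,
     "parent": CMD, "cmd": "RegAsm.exe MyComLib.dll /codebase"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def has_args(cmd: str) -> bool:
    """True if anything follows the (possibly quoted) executable token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        rest = cmd[cmd.find('"', 1) + 1:]
    else:
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
    return rest.strip() != ""


def check_process(ev: Dict) -> List[str]:
    hits = []
    child, parent = base(ev["image"]), base(ev["parent"])
    if parent == "eqnedt32.exe":
        hits.append("EQNEDT32.EXE spawned a child process: " + child)
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        hits.append("script host launched PowerShell")
    if child == "regasm.exe":
        if parent == "powershell.exe" or parent in SCRIPT_HOSTS:
            hits.append("RegAsm.exe spawned by " + parent)
        if not has_args(ev["cmd"]):     # heuristic: RegAsm normally gets an assembly path
            hits.append("RegAsm.exe started without an assembly argument")
    return hits


def check_network(ev: Dict) -> List[str]:
    if base(ev["image"]) == "regasm.exe":
        return ["RegAsm.exe made an outbound connection to %s:%d" % (ev["dst"], ev["dport"])]
    return []


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over the records and return one alert per hit."""
    alerts = []
    for ev in events:
        hits = check_process(ev) if ev["event"] == "process_create" else check_network(ev)
        for rule in hits:
            alerts.append({"pid": ev["pid"], "image": base(ev["image"]), "rule": rule})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The benign RegAsm.exe invocation from cmd.exe with an assembly path produces no alert, while the hollowed instance is flagged three times (parent, empty command line, network connection) on top of the two earlier chain edges, so a correlation on the same PID or process tree can raise confidence well above any single rule.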