Submitted URL: https://www.cyfirma.com/outofband/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/
Effective URL: https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/


EXPLOITING DOCUMENT TEMPLATES: STEGO-CAMPAIGN DEPLOYING REMCOS RAT AND AGENT TESLA



Published On : 2024-03-05



EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats
and malicious tactics affecting both organizations and individuals. Our research
team recently identified a malicious .docx file linked to the stego-campaign,
revealing a sophisticated cyber threat.

This campaign uses template injection in a Microsoft Office document to bypass
traditional email security measures. Upon opening the document, a multi-stage
attack is triggered, involving the download and execution of scripts and the
deployment of the Remcos Remote Access Trojan (RAT) and the “Agent Tesla”
malware.

The Remcos RAT grants threat actors extensive control, enabling activities such
as remote control, keylogging, data theft, screenshot capture, file
manipulation, and command execution. Additionally, the attack introduces Agent
Tesla, a .NET-based RAT and data theft tool. The report meticulously outlines
the entire attack chain, emphasizing the evolving tactics of threat actors.


INTRODUCTION

Our research team analysed a malicious .docx that exploits template injection
within a Microsoft Office document, cleverly evading traditional email security
measures. Upon opening the document, a multi-stage attack is initiated,
involving the download and execution of scripts and the deployment of a further
set of malware.

The report explores the complex process where a VB script, leveraging
PowerShell, downloads a JPG image concealing a .NET payload encoded in base64
using steganography. The execution of the .NET assembly retrieves the Remcos RAT
payload, invoking its malicious operations. Additionally, the analysis uncovers
connections to a Command and Control (C2) server for the download and deployment
of Agent Tesla.

Following is the control flow of the process:




KEY POINTS

 * The malicious .docx file is possibly distributed through spam or phishing
   emails. It leverages template injection to bypass email security measures.
   Opening the document triggers connections to a remote URL.
 * The document contains a seemingly benign table but conceals a targeted
   approach, possibly directed at “General Electrics, Taiwan.”
 * The next stage downloads an RTF file that leverages the Equation Editor
   vulnerability (CVE-2017-11882) to continue the attack chain. The RTF document
   contains embedded malicious code, leading to the download and execution of
   scripts.
 * Visual Basic and PowerShell scripts are employed to dynamically build URLs,
   fetch content, and execute the retrieved content.
 * A VB script, executed through PowerShell, downloads a JPG image. The image
   serves as a steganographic container for a hidden .NET payload encoded in
   base64. Executing the .NET assembly retrieves the Remcos RAT payload: it
   downloads the malware, injects it, and invokes its malicious operations.
 * The threat actors abuse legitimate Living Off the Land Binaries (LOLBins),
   such as “RegAsm” and “WinRM”, to accomplish their malicious objectives.
 * This is a multi-stage attack involving the download of next-stage malware
   from servers and open directories controlled by the threat actor. The process
   incorporates highly obfuscated scripts and binaries.
 * The final payloads are Remcos RAT and Agent Tesla. Remcos RAT is injected
   into the legitimate “RegAsm.exe” process, demonstrating sophisticated evasion
   techniques, while Agent Tesla is downloaded later and executes as a child
   process of “RegAsm.exe”.


ETLM ATTRIBUTION

The Cyfirma research team consistently explores emerging threats, malware, and
Tactics, Techniques, and Procedures (TTPs) employed by threat actors. We
actively monitor existing threats, track ongoing campaigns, assess their
progress, and stay vigilant for any novel developments within this landscape.

Building on these ongoing efforts, we have uncovered a recent malicious .docx
file in the wild, associated with the persistent stego-campaign that has been
active since last year. This campaign earns its name from its use of
steganography, a technique that embeds malicious code or malware within image
files. The objective is the deployment of commodity malware, such as Agent
Tesla, Remcos RAT, and XWorm. The attack we’ve identified is complex and
multi-staged, encompassing various phases, including downloading, decoding,
injection, and execution of additional malicious code, scripts, and binaries to
compromise the targeted machine.

After accessing the malicious .docx file, users are redirected to a harmful URL,
initiating the next stage of the attack. Simultaneously, the victim is
confronted with the following decoy document, concealing the commencement of
malicious activities in the background. These activities encompass the download
and execution of scripts and malware. The document, seemingly benign, comprises
a table featuring project details, buyer information, and payment particulars,
with a notable “Confidential” designation. The inclusion of “General Electrics,
Taiwan” in the document indicates a potential targeting of GE and its vendors in
Taiwan.



The following is the email used to send this malicious document, with the
malicious .docx file attached. The email body employs a social engineering
tactic by masquerading as a legitimate inquiry regarding an order. The sender
urges the recipient to open the attached document for confirmation, thereby
introducing the malicious payload.



According to the information extracted from the email headers, the originating
IP address is identified as “119[.]63[.]80[.]29.” Further analysis through OSINT
indicates that this IP address is tagged for email spam. The presence of this
tag suggests a potential association with unsolicited and unwanted email
communication.



We have identified additional similar samples. Notably, only a limited number of
analogous samples exist, and all of them share a common upload date. This
synchronous timing strongly suggests a deliberate and coordinated effort: the
samples were likely sent to their targets on the same day, indicating a
purposeful campaign rather than random activity.



By consistently monitoring emerging threats, malware, and Tactics, Techniques,
and Procedures (TTPs) employed by threat actors, the team identified a malicious
.docx file linked to this ongoing campaign. The use of steganography to embed
malicious code within image files underscores the adversary’s commitment to
evading traditional security measures.

The multistage attack, involving template injection, VB scripts, PowerShell, and
exploitation of legitimate binaries like “RegAsm” and “WinRm,” reflects a high
level of sophistication. The presence of well-known malware such as Remcos RAT
and Agent Tesla, coupled with the strategic mentioning of an entity in Taiwan,
points to a campaign orchestrated with purpose.

This recognition highlights the commitment of the Cyfirma Research team to
diligently anticipate and scrutinize emerging cyber threats, providing
invaluable insights to fortify the resilience of the cybersecurity landscape.


ANALYSIS

Basic Details:
MD5: 7e9afffcd5105a119308bc5e1289fda4
SHA256: 29325e23a684f782db14a1bf0dc56c65228e666d1f561808413a735000de3515
File Type: MS Office Open XML Document (DOCX)

When a Microsoft document file, such as a docx, is opened, Microsoft Office
typically loads a default template. However, it’s easy to define or modify a
template by updating a setting. This presents an opportunity for malicious
actors to weaponize a seemingly benign document for phishing campaigns. They can
achieve this by sending a seemingly harmless Microsoft document file that
references a remote malicious template. This template is only fetched and loaded
when the decoy file is opened, allowing it to effectively bypass existing email
security measures.

The threat actor in this case employs exactly this technique, known as template
injection. The manipulated setting instructs winword.exe to access a specific
target (in this case,
“http[:]//someofthelovercantbuyhappinessfromthe@shtu[.]be/5f0848”) when the
victim opens the document.



Upon opening the document, it connects to the URL specified above, defined as
the target in the document, and displays the decoy document to the victim.



The malware authors use an online URL shortener service for resolving the final
address.



It further downloads an RTF file with the name
“mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess.doc”
by connecting to URL
“http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess.doc”.
The order of redirection is as follows:

 * “http[:]//shut[.]be/5f0848”
 * “http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryou”
 * “http[:]//107[.]173[.]4[.]15/gbn/mydearcutieireallyloveryoualwaysforgreatthingshappenedinsideofusforloverstogetreadyforthepointounderstandtheupdationforproccess[.]doc”



The RTF document has embedded malicious code. It leverages the Equation Editor
vulnerability (CVE-2017-11882) to trigger the download of the subsequent
payloads in the attack chain.



The process uses the legitimate executable “EQNEDT32.EXE” to run the malicious
shellcode, whose purpose is to download a VBScript file from the specified URL
and execute it.



Further, the command “C:\Windows\System32\WScript.exe”
“C:\Users\Username\AppData\Roaming\modernlover.vbs” invokes the Windows Script
Host to execute the malicious VBScript file “modernlover.vbs”.

This script dynamically builds the URL “https[:]//paste[.]ee/d/amGOG”, fetches
the content from that URL, and then executes the retrieved content using
ExecuteGlobal.



The URL https[:]//paste[.]ee/d/amGOG returns the following highly obfuscated
code, the actual VBScript. When run, it decodes itself, builds another string,
“$codigo”, and runs it through a PowerShell command.



The above obfuscated code decodes into a PowerShell command; the command to be
executed is stored in the variable “$codigo”, which is itself obfuscated. We
decoded it further, and the result is the PowerShell script that gets executed.



The script downloads data from random URLs, looks for a base64-encoded command
in the downloaded data, decodes and executes it.

The code takes an array of URLs as input:

 * “https[:]//uploaddeimagens[.]com[.]br/images/007826222”,
 * “http[:]//45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg?1707826222”,
 * “http[:]//45[.]74/xampp/bkp/vbs_novo_new_image[.]jpg”



It creates a WebClient object to download data from the URLs. It shuffles the
list and downloads data from one of the URLs at random. If data is successfully
downloaded, it converts the bytes to a UTF-8 string ($imageText) and searches it
for a base64-encoded command between specified start and end flags. If a valid
base64 command is found, it decodes it, loads it as an assembly, and invokes a
specific method (‘VAI’).

In our case, the script retrieved data in the form of a JPG image file from the
specified URL,
“http[:]//45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg?1707826222”.



Within the JPG file content, malicious .NET code is concealed and encoded in
Base64 format, placed between the markers <<BASE64_START>> and <<BASE64_END>>.



We decoded the content and identified it as a .NET DLL.



The binary is a 32-bit .NET DLL with a console subsystem. Its compiler timestamp
is as recent as February 2024, and it is named “PROJETOAUTOMACAO.VB1.dll”.



As noted above, the PowerShell script loads the .NET assembly into memory,
invokes the method (‘VAI’) and passes arguments to it. The loaded assembly
contains a static method called VAI, which is invoked with a number of
parameters, including the URL “http[:]//107[.]173[.]4[.]15/35005/HZA.txt” from
which to download the next-stage payload, Remcos RAT, and the file name
“RegAsm”, the process into which the malicious payload is injected.



The VAI method downloads the file “HZA.txt” from a URL that is supplied as a
parameter in reversed form, “txt[.]AZH/50053/51[.]4[.]371[.]701//:ptth”. The
string is reversed at runtime and resolves to
“http[:]//107[.]173[.]4[.]15/35005/HZA.txt”.



The downloaded content undergoes a decoding process involving both reversal and
Base64 decoding. Upon decoding, it reveals the presence of the Remcos Remote
Access Trojan (RAT) as the ultimate payload.
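The three decoding steps described above (the base64 blob carved between <<BASE64_START>> and <<BASE64_END>> in the JPG, the reversed URL passed to VAI, and the reversed base64 HZA.txt stage) as one added Python triage helper for an analyst working on captured files. This is example code, not the malware's script and not CYFIRMA's tooling; the sample image, text and URL are constructed stand-ins, and the assumption that HZA.txt is reversed before being base64-decoded is mine, since the report does not state the order.

```python
import base64
import binascii
import re

# Marker strings quoted in the report; the PowerShell stage looks for base64
# text between them inside the downloaded JPG.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def carve_marker_payload(data: bytes, start: bytes = START_MARKER,
                         end: bytes = END_MARKER):
    """Return the base64-decoded bytes found between the markers, or None."""
    s = data.find(start)
    if s < 0:
        return None
    e = data.find(end, s + len(start))
    if e < 0:
        return None
    b64 = re.sub(rb"\s+", b"", data[s + len(start):e])  # tolerate wrapped lines
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def unreverse(text: str) -> str:
    """The loader receives its download URL reversed; flipping it restores it."""
    return text[::-1]


def decode_reversed_b64(text: str) -> bytes:
    """HZA.txt stage. Assumption: reverse first, then base64-decode."""
    return base64.b64decode(unreverse(text.strip()))


def is_pe(blob) -> bool:
    """A PE / .NET image starts with the 'MZ' DOS header."""
    return blob is not None and blob[:2] == b"MZ"


def triage(image: bytes, hza_text: str, reversed_url: str) -> dict:
    """Run all three decoders over captured artefacts and summarise."""
    stage1 = carve_marker_payload(image)
    stage2 = decode_reversed_b64(hza_text)
    return {
        "jpg_payload_is_pe": is_pe(stage1),
        "jpg_payload_len": 0 if stage1 is None else len(stage1),
        "hza_payload_is_pe": is_pe(stage2),
        "next_stage_url": unreverse(reversed_url),
    }


# --- constructed samples: not real malware bytes, only the MZ prefix is real ---
FAKE_DLL = b"MZ" + b"\x90" * 14 + b"constructed stand-in for a .NET DLL"
SAMPLE_REVERSED_URL = "http://stage.example/next/HZA.txt"[::-1]


def build_sample_jpg() -> bytes:
    """JPEG-looking bytes with a line-wrapped base64 payload between markers."""
    body = base64.b64encode(FAKE_DLL)
    wrapped = b"\r\n".join(body[i:i + 32] for i in range(0, len(body), 32))
    return (b"\xff\xd8\xff\xe0" + b"JFIF-ish junk " * 4 + START_MARKER
            + b"\r\n" + wrapped + b"\r\n" + END_MARKER + b"trailer\xff\xd9")


def build_sample_hza_txt() -> str:
    """Reversed base64 text, mirroring the described HZA.txt encoding."""
    return base64.b64encode(FAKE_DLL).decode()[::-1]


if __name__ == "__main__":
    print(triage(build_sample_jpg(), build_sample_hza_txt(), SAMPLE_REVERSED_URL))
```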



This payload is then injected into the legitimate “RegAsm.exe” process,
showcasing a sophisticated evasion technique employed by malicious actors.



The Start method relies on HZA.vbs, a copy of the legitimate Windows “winrm.vbs”
LOLBin (Living Off the Land Binary). The method first checks whether HZA.vbs
exists in the directory “C:\ProgramData”. If the file is not present there, the
method launches a hidden PowerShell process to copy the .vbs file to that
destination.



Subsequently, the method updates the registry key value under
“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to reference the newly created
HZA.vbs file. This tactic is commonly employed by malware for persistence,
ensuring that the script is executed during the startup process of the system.



LOLBins (short for “Living Off the Land Binaries”) are legitimate
Microsoft-signed binaries that threat actors can abuse for malicious purposes.
Threat actors abuse WinRM for various malicious activities, including lateral
movement, code execution, privilege escalation, and achieving persistence on
compromised systems.

The final payload is the Remcos RAT 32-bit executable. The configuration data
has been retrieved from the binary. As indicated below, the configuration is
stored in the resource section of the binary, under the name “SETTINGS,”
mirroring the approach observed in prior versions of the Remcos RAT. The
configuration data is encrypted using the RC4 algorithm.



The initial byte indicates the length of the key, represented as “3B” in
hexadecimal (highlighted in red) decoded to “59” in decimal. This signifies that
the subsequent 59 bytes constitute the key (highlighted in yellow). The
encrypted configuration data is denoted by the code highlighted in black.
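The SETTINGS layout just described (length byte, key, RC4 ciphertext) as an added Python parser. This is example code rather than CYFIRMA's extraction tooling; the sample resource it builds is constructed, with a 59-byte key to mirror the analysed binary, and the plaintext field order and the “|” separator are illustrative only, not the real Remcos configuration format.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_remcos_settings(resource: bytes) -> dict:
    """Split a SETTINGS resource into its key and the decrypted configuration.

    Layout as described in the report: byte 0 is the key length, the next
    key_len bytes are the RC4 key, and everything after is the RC4-encrypted
    configuration.
    """
    if not resource:
        raise ValueError("empty SETTINGS resource")
    key_len = resource[0]                 # 0x3B = 59 in the analysed sample
    if key_len == 0 or len(resource) < 1 + key_len:
        raise ValueError("declared key length does not fit the resource")
    key = resource[1:1 + key_len]
    ciphertext = resource[1 + key_len:]
    return {"key_len": key_len, "key": key, "config": rc4(key, ciphertext)}


# Constructed sample resource (not bytes from the real binary). The values are
# the ones the report lists; the '|' layout is only for this illustration.
SAMPLE_KEY = bytes(range(0x41, 0x41 + 59))          # 59 bytes, like 0x3B above
SAMPLE_CONFIG = (b"sembe.duckdns.org|RemoteHost|Remcos.exe|notees|"
                 b"Rmc-P0AEMX|logs.dat")


def build_sample_resource() -> bytes:
    """Assemble [key_len][key][RC4(config)] exactly as the parser expects."""
    return bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    parsed = parse_remcos_settings(build_sample_resource())
    print(parsed["key_len"], parsed["config"].decode())
```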



Upon extraction, the configuration data from the binary gives us the following
details (highlighted in the screenshot below):

 * C2: sembe.duckdns.org
 * Botnet Name: RemoteHost
 * File name: Remcos.exe
 * Logs Folder name: notees
 * Identifier/Mutex: Rmc-P0AEMX
 * Log File: logs.dat



It generates a mutex using the name “Rmc-P0AEMX” to ensure that multiple
instances are not executed simultaneously.



It creates a log file named “logs.dat” to facilitate keylogging. Located at
“C:\Users\Username1\AppData\Roaming\notess\logs.dat”, this file records all
activities, including keystrokes and data copied to the clipboard.



Remcos RAT establishes a connection to the IP “178.237.33.50” to collect
geolocation information. The IP belongs to geoplugin[.]net, a service that
provides geolocation information based on the source IP and is used by various
malware families.



Moreover, it establishes a TCP connection to the IP address
“194[.]187[.]251[.]115” to retrieve the additional stealer “Agent Tesla”.



The execution of “Agent Tesla” takes place within the
“C:\Users\Username1\AppData\Local\Temp” directory and operates as a subprocess
of “RegAsm.exe” with name “New1.exe”.



The Remcos RAT is a sophisticated tool with versatile capabilities, enabling
threat actors to remotely control victim computers, perform keylogging, steal
data, capture screenshots, manipulate files, and execute commands. Its broad
range of functionalities underscores its potential for compromising user
privacy, exfiltrating sensitive data, and orchestrating system manipulations.
Initially introduced as commercially available malware in 2016, the Remcos RAT
has since been repurposed as a malicious instrument, exploited by threat actors
across various campaigns for unauthorized access and malicious activities.

The Agent Tesla identified is a .NET 32-bit binary with a GUI subsystem.



Agent Tesla is a .NET-based Remote Access Trojan (RAT) and data theft tool,
normally serving as a means to obtain initial access, commonly utilized within
the Malware-as-a-Service (MaaS) framework. In this model, initial access brokers
(IABs), possessing expertise in exploiting corporate networks, collaborate with
criminal groups. Functioning as a primary-stage malware, Agent Tesla enables
remote access to compromised systems, facilitating the download of advanced
second-stage tools, such as ransomware.


CONCLUSION

The research reveals a sophisticated cyber threat orchestrated through a
stego-campaign, involving the deployment of a malicious .docx file. The
attackers utilize template injection to bypass traditional email security
measures, leading to a multi-stage attack. This attack includes the download and
execution of scripts, introducing the Remcos Remote Access Trojan (RAT) and the
Agent Tesla malware.

The Remcos RAT grants extensive control, enabling various malicious activities,
while Agent Tesla serves as a data theft tool. The attack chain incorporates
techniques such as template injection, Living Off the Land Binaries (LOLBins)
abuse, and steganography. Notably, the threat actors demonstrate evasion tactics
by injecting the Remcos RAT into the legitimate “RegAsm.exe” process. The
campaign showcases an adept understanding of obfuscation techniques and dynamic
script execution. Overall, this report underscores the complex and multi-stage
tactics of threat actors and the importance of proactive cybersecurity measures
to counter such advanced threats.


LIST OF IOCS



MITRE ATT&CK TTPS

 * 1. Initial Access (TA0001): T1566 Phishing; T1566.001 Spearphishing
   Attachment
 * 2. Execution (TA0002): T1204 User Execution; T1059.001 PowerShell; T1059.005
   Visual Basic
 * 3. Persistence (TA0003): T1547.001 Registry Run Keys / Startup Folder
 * 4. Defense Evasion (TA0005): T1211 Exploitation for Defense Evasion;
   T1564.003 Hidden Window; T1055 Process Injection; T1027 Obfuscated Files or
   Information
 * 5. Discovery (TA0007): T1057 Process Discovery; T1082 System Information
   Discovery; T1614 System Location Discovery; T1217 Browser Information
   Discovery
 * 6. Collection (TA0009): T1115 Clipboard Data; T1056.001 Keylogging; T1113
   Screen Capture; T1005 Data from Local System
 * 7. Exfiltration (TA0010): T1041 Exfiltration Over Command-and-Control Channel
 * 8. Command and Control (TA0011): T1001.002 Steganography; T1071 Application
   Layer Protocol


RECOMMENDATIONS

 * Deploy robust endpoint security solutions with advanced threat detection and
   prevention mechanisms to effectively identify and neutralize malicious
   activities.
 * Employ reputable antivirus and anti-malware software capable of promptly
   detecting and removing malicious payloads to enhance overall system security.
 * Ensure regular updates for operating systems, applications, and security
   software to address known vulnerabilities frequently exploited by threat
   actors.
 * Implement network segmentation to limit lateral movement, preventing malware
   from accessing critical assets and containing potential threats.
 * Conduct thorough employee training on phishing threats, emphasizing the
   dangers of opening attachments or clicking on links in unsolicited emails.
 * Educate employees to recognize social engineering tactics, empowering them to
   avoid falling victim to deceptive tricks that could lead to the execution of
   malicious files.
 * Configure firewalls to block outbound communication with known malicious IP
   addresses and domains linked to command-and-control servers.
 * Implement behaviour-based monitoring to detect unusual activity patterns,
   including suspicious processes attempting unauthorized network connections.
 * Enforce application whitelisting policies to permit only approved
   applications, preventing the execution of unauthorized or malicious
   executables.
 * Monitor network traffic for anomalous patterns, such as large data transfers
   to unfamiliar or suspicious IP addresses, indicating potential threats.
 * Create a comprehensive incident response plan outlining necessary steps in
   case of malware infection, including isolating affected systems and promptly
   notifying relevant stakeholders.
 * Stay informed with the latest threat intelligence reports and indicators of
   compromise related to malware to proactively identify and mitigate potential
   threats.
 * Implement regular backups of critical data and systems to minimize the impact
   of ransomware attacks or data loss due to malware infections.
 * Follow the principle of least privilege (PoLP) by restricting user
   permissions to those required for specific roles, limiting the impact of
   malware relying on elevated privileges.
 * Build and implement safeguarding measures by monitoring/blocking Indicators
   of Compromise (IOCs) and enhancing defense based on tactical intelligence and
   provided rules.
