GoTo Meeting loads RAT via Shellcode Loader

May 13, 2024, 10 a.m.

Description

A malicious campaign has been discovered that abuses the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain uses lures such as pornographic downloads, software setup files, and tax forms carrying Russian- and English-language file names. It relies on LNK file execution chains, DLL sideloading through the legitimate GoTo Meeting executable, and a Rust-written shellcode loader that decrypts and executes the Remcos RAT payload. The campaign targets a range of victims, including people seeking pornographic content, software installers, and tax-related documents.

Date

Published: May 13, 2024, 9:47 a.m.
Created: May 13, 2024, 9:47 a.m.
Modified: May 13, 2024, 10 a.m.

Indicators


Attack Patterns

Remcos

T1096 (NTFS File Attributes)

T1547 (Boot or Logon Autostart Execution)

T1106 (Native API)

T1036 (Masquerading)

T1204 (User Execution)

T1027 (Obfuscated Files or Information)

T1053 (Scheduled Task/Job)

T1566 (Phishing)

T1078 (Valid Accounts)

T1059 (Command and Scripting Interpreter)