RemcosRAT Distributed Using Steganography

May 8, 2024, 5:22 p.m.

Description

Security researchers have identified a campaign distributing RemcosRAT through a multi-stage infection chain that includes steganography. The chain starts with a malicious Word document that uses template injection to fetch an RTF file; the RTF exploits an Equation Editor vulnerability and pulls down obfuscated scripts, which in turn launch RemcosRAT via process hollowing so that the payload runs inside a legitimate-looking process and evades detection. The operation illustrates the layered, evasion-focused tactics threat actors use to deliver malware.
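The first stage above, a Word document with template injection, is detectable statically: a .docx is a ZIP package, and a remote template shows up as an attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External", referenced by r:id from word/settings.xml. The following Python script is an added triage example, not code from the original report or from the researchers it cites. It builds a constructed minimal .docx in memory (not a real sample), scans it for external template relationships, and checks the target hostname against the report's own indicators. The URL from the Indicators list is used only as the constructed sample's template target; the report does not state which stage of the chain that URL served.

```python
"""Scan a .docx for remote template injection (added example, not the report's code)."""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE_TYPE = DOC_REL_NS + "/attachedTemplate"

# Network indicators copied from this report's Indicators section.
REPORT_INDICATORS = {"ur8ly.com", "107.175.31.187", "192.210.201.57"}


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Return every external attachedTemplate relationship in the package.

    Each finding notes whether word/settings.xml actually references the
    relationship (Word only fetches a template whose r:id appears in
    <w:attachedTemplate>) and whether its host matches a report indicator.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        referenced = set()
        if "word/settings.xml" in names:
            settings = ET.fromstring(zf.read("word/settings.xml"))
            for el in settings.iter(f"{{{WML_NS}}}attachedTemplate"):
                rid = el.get(f"{{{DOC_REL_NS}}}id")
                if rid:
                    referenced.add(rid)
        rels_part = "word/_rels/settings.xml.rels"
        if rels_part in names:
            rels = ET.fromstring(zf.read(rels_part))
            for rel in rels.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                    continue
                target = rel.get("Target") or ""
                host = urlparse(target).hostname
                findings.append({
                    "id": rel.get("Id"),
                    "target": target,
                    "referenced": rel.get("Id") in referenced,
                    "ioc_match": host in REPORT_INDICATORS,
                })
    return findings


def build_docx(template_url: str | None) -> bytes:
    """Build a constructed minimal .docx in memory (not a real malicious sample).

    With template_url set, settings.xml carries a remote attachedTemplate
    relationship, the shape a template-injection document takes.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        '</Types>'
    )
    document = f'<w:document xmlns:w="{WML_NS}"><w:body><w:p/></w:body></w:document>'
    template_ref = '<w:attachedTemplate r:id="rId1"/>' if template_url else ''
    settings = (f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{DOC_REL_NS}">'
                f'{template_ref}</w:settings>')
    settings_rels = f'<Relationships xmlns="{PKG_REL_NS}">'
    if template_url:
        settings_rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                          f'Target="{template_url}" TargetMode="External"/>')
    settings_rels += '</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", scan_docx(build_docx(None)))
    # Constructed sample pointing at the URL listed under Indicators.
    print("template injection:", scan_docx(build_docx("http://ur8ly.com/asy2xr")))
```

The scan deliberately keys on the relationship type rather than on any URL string, so it also catches remote templates hosted on infrastructure not yet in the indicator list; the ioc_match flag is only a convenience for correlating against this report. Hyperlink relationships are also TargetMode="External" and are not flagged here, which keeps the check low-noise on ordinary documents.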

Date

  • Created: May 8, 2024, 11:03 a.m.
  • Published: May 8, 2024, 11:03 a.m.
  • Modified: May 8, 2024, 5:22 p.m.

Indicators

  • 107.175.31.187
  • 192.210.201.57
  • http://ur8ly.com/asy2xr
  • ur8ly.com

Attack Patterns

  • RemcosRAT
  • T1036.003 (Masquerading: Rename System Utilities)
  • T1059.005 (Command and Scripting Interpreter: Visual Basic)
  • T1055.002 (Process Injection: Portable Executable Injection)
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1027.005 (Obfuscated Files or Information: Indicator Removal from Tools)
  • T1059.007 (Command and Scripting Interpreter: JavaScript)
  • T1204.002 (User Execution: Malicious File)
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1055 (Process Injection)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1027 (Obfuscated Files or Information)
  • T1059 (Command and Scripting Interpreter)