Full Report
Introduction Seqrite Labs recently identified a malware distribution campaign that abused the credibility of government institutions to increase infection success rates. The threat actors impersonated legitimate government departments and distributed malicious emails disguised as official notifications related to taxation, refunds, compliance requirements, and regulatory matters. By leveraging recognizable government branding, urgency, and financial incentives, the […] The post Behind the Refund: From GST Phishing to Remcos RAT Through a Multi-Stage .NET Infection Chain appeared first on Seqrite Labs.
Analysis Summary
# Tool/Technique: Remcos RAT (via .NET Staged Infection)
## Overview
This campaign utilizes high-urgency phishing emails impersonating the Indian Government’s GST (Goods and Services Tax) department. The attack employs a multi-stage .NET infection chain involving steganography (hiding code in bitmap images) and fileless execution to deploy the **Remcos RAT** (Remote Control & Surveillance Tool).
## Technical Details
- **Type**: Malware family (Remote Access Trojan)
- **Platform**: Windows
- **Capabilities**: Remote surveillance, credential theft, file management, and keylogging.
- **First Seen**: July 06, 2026 (Reported date)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1129 - Shared Modules
- **TA0005 - Defense Evasion**
- T1027.013 - Obfuscation: Steganography (Pixel-based encoding)
- T1620 - Reflective Code Loading
- T1055 - Process Injection
- T1140 - Deobfuscate/Decode Files or Information
- **TA0006 - Credential Access**
- T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Multi-Stage Loading**: Uses a primary loader to extract a second-stage DLL (**Windows Health Optimizer Plus.dll**) from a bitmap resource.
- **Steganography**: Encodes payload bytes into the RGB values of a bitmap image (Resource "AF") to evade static signature detection.
- **Reflective Loading**: Loads .NET assemblies directly into memory using `Assembly.Load()`, avoiding disk-based forensics.
- **Persistence**: Establishes auto-run capabilities via registry keys or startup folders to remain active after reboot.
### Advanced Features
- **Process Injection**: The final stage involves injecting the Remcos RAT payload into legitimate system processes.
- **Remote Surveillance**: Full GUI-based remote control of the victim's machine, including webcam and microphone access.
- **Information Stealing**: Targets browser credentials, cookies, and keystrokes.
## Indicators of Compromise
- **File Hashes (MD5)**:
- `3757dccb2adae65ccdf8d5e5c948b927` (Email file)
- `07d7d21c2c0920d198efb9ea54900a80` (RAR Archive)
- `20476F3A51DFDDF3DC0603FC7858D894` (Initial Executable/Loader)
- `7842D12D9E37C75076133BE5B9904CB2` (Windows Health Optimizer Plus.dll)
- `2a34bdd25b404737ee5d3b52bf0b3b70` (RemcosRAT Payload)
- **File Names**:
- `GST-Refund_July-26_AL27052600952P.com`
- `PerfGuard.dll`
- **Network Indicators**:
- C2 IP: `185[.]242[.]4[.]122`
- Domains: `_hath[.]network`, `synology[.]me`
- **Behavioral Indicators**:
- Unusual `.com` or `.exe` files extracted from tax-themed archives.
- Identification of `Assembly.Load` calls in .NET applications reading from resource bitmaps.
## Associated Threat Actors
- **Attribution**: Likely an India-focused Remcos operator or an Initial Access Broker (IAB). No specific named group was confirmed, but the actor uses infrastructure from M247 Europe SRL.
## Detection Methods
- **Signature-based**: Detection of known Remcos strings and .NET loader patterns (e.g., Seqrite detections: `Trojan.AgentCiR`, `Trojan.LoaderCiR`).
- **Behavioral**: Monitoring for "living-off-the-land" binaries (Lolbins) and reflective memory injection patterns.
- **Memory Scanning**: Scanning for decrypted Remcos agents residing in the memory of legitimate processes.
## Mitigation Strategies
- **Email Security**: Block attachments with high-risk extensions (.rar, .zip) from unknown senders; implement DMARC/SPF/DKIM verification.
- **User Training**: Educate users to verify government communications via official portals rather than email links/attachments.
- **Endpoint Protection**: Enable EDR solutions that monitor for reflective assembly loading and process hollowing.
- **Network Filtering**: Block traffic to known dynamic DNS providers used by commodity malware.
## Related Tools/Techniques
- **UACMe**: Often used in similar chains for privilege escalation.
- **GuLoader**: Similar use of steganography and shellcode to deliver RATs.
- **Agent Tesla**: Frequently delivered via similar government-themed phishing lures.