Full Report
AhnLab SEcurity intelligence Center (ASEC) has recently discovered the Remcos malware disguised as a waybill from a major shipping company. This article details the distribution flow from HTML, JavaScript, and AutoIt scripts leading to the execution of the final Remcos malware. Figure 1 shows the original email with an HTML script attached. Upon […]
Analysis Summary
# Tool/Technique: Remcos RAT
## Overview
Remcos RAT is a Remote Access Tool malware distributed in this instance via a sophisticated phishing campaign masquerading as a shipping company waybill. The infection chain involves HTML, JavaScript, and AutoIt scripts leading to the execution of the final Remcos binary injected into a legitimate process.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (Inferred from AutoIt, Registry usage, and file operations)
- Capabilities: Remote command execution, information stealing, process injection, persistence establishment.
- First Seen: N/A (Remcos has existed for some time; this specific campaign was noted on March 31, 2025)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- TA0002 - Execution
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Inferred via AutoIt execution)
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder
- TA0004 - Privilege Escalation
- T1055 - Process Injection
- T1055.012 - Process Injection: Process Hollowing
## Functionality
### Core Capabilities
- **Staged Execution:** Utilizes a series of files (HTML > JS > AutoIt script loader/payload) to deliver the final payload.
- **Anti-Analysis/Anti-Debugging:** The malicious AutoIt script terminates itself if it detects a running anti-malware program or if the current username is "John".
- **Persistence:** Registers an auto-run entry in the Windows Registry to ensure continuous execution upon system startup.
- **Payload Delivery:** Downloads secondary files (e.g., `knkfcutogchunsg.bls`, `wtine.amv`, `fdilfn.dll`) using "blob" URLs embedded in the HTML script.
- **Remote Access:** Once executed, the Remcos RAT can steal information and execute remote commands via C2 communication.
### Advanced Features
- **Process Injection:** The malware shellcode leverages a sequence of API calls (`CreateProcessW`, `RtlMoveMemory`, `ZwUnmapViewOfSection`, `VirtualAllocEx`, `WriteProcessMemory`, `GetThreadContext`, `SetThreadContext`, `ResumeThread`) to inject the Remcos binary into the legitimate process `RegSvcs.exe`.
- **File Role Segmentation:**
- `knkfcutogchunsg.bls`: Configuration file defining malware locations, Run key names, and output file names.
- `wtine.amv`: Encoded Remcos malware binary.
- `kmwdx.txt` (EXE): Legitimate AutoIt loader used to execute the malicious script.
- `fdilfn.dll`: Malicious AutoIt script containing decryption and injection logic.
## Indicators of Compromise
- File Hashes:
- MD5: `9fdde6d01baeb36a5e770c7fbfc0aafb`, `a224a99613680c9f62222278eabdca6d`, `c33a090d46bf270d49280178326a3616`, `e3765da77fefd90e2a7e1fe50029a1d8`
- File Names:
- `747031500 D747031500_A.js`
- `knkfcutogchunsg.bls`
- `wtine.amv`
- `kmwdx.txt` (Loader)
- `fdilfn.dll` (Malicious AutoIt Script)
- Registry Keys: Autorun registry key used for persistence (Specific key/value names inferred from `knkfcutogchunsg.bls` and Figure 11).
- Network Indicators: `http[:]//favor-grace-fax[.]home-webserver[.]de/` (C2/Download URL)
- Behavioral Indicators: Creation and execution of multi-stage scripts (HTML, JS, AutoIt), injection into `RegSvcs.exe`.
## Associated Threat Actors
- AhnLab SEcurity intelligence Center (ASEC) observed this specific campaign; no specific threat actor group was named in the context provided.
## Detection Methods
- Signature-based detection: Hashes listed above.
- Behavioral detection: Monitoring for chained execution originating from scripting languages (HTML/JS) leading to AutoIt execution, and subsequent process injection into `RegSvcs.exe`. Detection of file creation/dropping sequence.
- YARA rules: Not explicitly provided in the summary.
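The behavioral detection described above, as an added example that is not ASEC's code: it walks Sysmon-like process-creation records (constructed here) and flags a script host spawning a renamed AutoIt loader (`kmwdx.txt`) that in turn spawns `RegSvcs.exe`. The script-host names, the Sysmon-style field names, and the assumption that the loader is the direct parent of `RegSvcs.exe` are assumptions, not facts from the report.

```python
"""Detection logic for the staged Remcos chain summarised above:
script host -> renamed AutoIt loader (kmwdx.txt) -> RegSvcs.exe."""
import os

# Assumptions: the JS stage runs under a Windows script host, and the loader
# spawns RegSvcs.exe as its direct child (consistent with CreateProcessW-based
# hollowing). Field names follow a Sysmon-like process-creation record.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INJECTION_TARGETS = {"regsvcs.exe"}
EXEC_EXTENSIONS = {".exe", ".com", ".scr"}


def _name(path):
    """Lower-cased file name of a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def masquerading_loader(event):
    """True when the process image has a non-executable extension, as with
    the AutoIt interpreter renamed to kmwdx.txt in this campaign."""
    return os.path.splitext(_name(event["image"]))[1] not in EXEC_EXTENSIONS


def find_remcos_chains(events):
    """Return (script_host_pid, loader_pid, target_pid) for each RegSvcs.exe
    whose parent is a masquerading loader that was itself started by a
    script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) not in INJECTION_TARGETS:
            continue
        loader = by_pid.get(e["ppid"])
        if loader is None or not masquerading_loader(loader):
            continue
        host = by_pid.get(loader["ppid"])
        if host is not None and _name(host["image"]) in SCRIPT_HOSTS:
            hits.append((host["pid"], loader["pid"], e["pid"]))
    return hits


# Constructed sample telemetry; pids and directories are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\747031500 D747031500_A.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\kmwdx.txt",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\kmwdx.txt" fdilfn.dll'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},  # benign launch
]
```

`find_remcos_chains(SAMPLE_EVENTS)` returns only the `(200, 300, 400)` chain; the `RegSvcs.exe` instance started directly from Explorer is not reported.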
## Mitigation Strategies
- **Email Security:** Implement robust filtering for suspicious email attachments (especially HTML/JS combinations). Educate users to be wary of unsolicited waybills/documents.
- **System Hardening:** Restrict execution of scripting engines via application whitelisting where possible.
- **Process Integrity:** Monitor for unusual process injection, especially targeting system processes like `RegSvcs.exe`.
- **User Provisioning:** Avoid using common usernames like "John" on critical systems, as this could be used for malware evasion.
## Related Tools/Techniques
- SVG Phishing Malware (Mentioned in previous post tag, suggesting similar distribution vectors or email themes).
- Other RATs relying on multi-stage scripting loaders.