Threats Actors Delivering Remcos RAT Distributed as UUE (Uuencoding) File

by Esmeralda McKenzie
AhnLab Security Intelligence Center (ASEC) has confirmed that the Remcos RAT malware is being distributed through a UUE (UUEncoding) file compressed with Power Archiver.

This distribution method has been observed in phishing emails disguised as export/import shipping-related messages or quotations, so recipients should treat such attachments with caution.

Phishing Email

UUEncoding: A Way to Bypass Detection

According to AhnLab's findings, the attackers distribute VBS script files encoded in the UUEncoding format as email attachments.

UUEncoding, short for Unix-to-Unix Encoding, is an old format originally used for exchanging files between Unix systems.

It encodes binary data as ASCII text, which can help the attachment slip past detection mechanisms that do not decode it.

UUEncoded VBS Script

A UUE (UUEncoding) file consists of a header (begin), the encoded data, and a footer (end). When decoded, the obfuscated VBS script is revealed, as shown below.
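To show what a mail gateway or analyst has to do to see past the encoding, here is an added Python example (not ASEC's code, and not the sample from the report) that parses the begin/body/end structure of a UUE file, decodes it, and reports the real name and type of the file it carries. The VBS payload is a constructed stand-in for the obfuscated script, and the list of script extensions worth flagging is our own assumption.

```python
import binascii
import hashlib
import re
from typing import Optional

# Extensions whose appearance inside a UUE attachment warrants a closer look.
# Assumption: this list is ours, not taken from the ASEC report.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "ps1", "bat", "cmd", "exe", "scr"}

# Header line: "begin <octal mode> <file name>"
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")


def uudecode(text: str) -> tuple[str, int, bytes]:
    """Parse a UUE file: 'begin <mode> <name>' header, body lines, 'end' footer.

    Returns (file name, unix mode, decoded bytes). Raises ValueError if the
    header or footer is missing, which is itself a triage signal.
    """
    name: Optional[str] = None
    mode = 0
    body = bytearray()
    saw_end = False
    for line in text.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                mode, name = int(m.group(1), 8), m.group(2)
            continue                      # ignore any text before the header
        if line.strip() == "end":
            saw_end = True
            break
        if not line:
            continue
        # Each body line starts with a length character; a lone backtick
        # (or space) is the zero-length line that precedes 'end'.
        body += binascii.a2b_uu(line)
    if name is None:
        raise ValueError("no 'begin' header")
    if not saw_end:
        raise ValueError("no 'end' footer")
    return name, mode, bytes(body)


def uuencode(name: str, data: bytes, mode: int = 0o644) -> str:
    """Produce a UUE file from raw bytes (45 input bytes per body line)."""
    lines = [f"begin {mode:03o} {name}"]
    for off in range(0, len(data), 45):
        chunk = data[off:off + 45]
        # backtick=True avoids trailing spaces that mail clients may strip.
        lines.append(binascii.b2a_uu(chunk, backtick=True).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def triage_uue(text: str) -> dict:
    """Decode a UUE attachment and report what it actually carries."""
    name, mode, data = uudecode(text)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "name": name,
        "mode": mode,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_script": ext in SCRIPT_EXTENSIONS,
        "data": data,
    }


# Constructed stand-in for the obfuscated VBS dropper (not the real sample).
SAMPLE_VBS = b'WScript.Echo "constructed sample payload"\r\n' * 3
SAMPLE_UUE = uuencode("quotation.vbs", SAMPLE_VBS)

if __name__ == "__main__":
    report = triage_uue(SAMPLE_UUE)
    print(f"{report['name']}: {report['size']} bytes, script={report['is_script']}")
```

The point of the check is that the file name inside the begin header, not the attachment's outer name, tells you what will run; a gateway that only inspects the outer .uue extension never sees the .vbs.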

Obfuscated VBS Script

Downloader: The Path to Infection

When the VBS script is executed, it saves a PowerShell script in the %Temp% path under the file name Talehmmedes.txt.

This PowerShell script accesses a malicious URL, downloads a file named Haartoppens.Eft to the %AppData% path, and runs an additional PowerShell script.

The additional PowerShell script is also obfuscated to hinder analysis. Its main function is to load shellcode into the wab.exe process.

The shellcode adds a registry entry for persistence and loads further data by accessing another malicious URL. The final malicious code executed is Remcos RAT.

Registry Registration 1

Remcos RAT: The Final Payload

Remcos RAT collects system information via a specific URL, saves keylogging data as mifvghs.dat in the %AppData% path, and transmits it to the Command & Control (C&C) server.

Remcos RAT Settings

C&C Server Information

  • frabyst44habvous1.duckdns[.]org:2980:0
  • frabyst44habvous1.duckdns[.]org:2981:1
  • frabyst44habvous2.duckdns[.]org:2980:0
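The infection chain above (VBS dropper, PowerShell downloader writing Talehmmedes.txt and Haartoppens.Eft, shellcode hosted in wab.exe, the mifvghs.dat keylog file) and the C&C list just given translate directly into detection logic. The following is an added Python example, not ASEC's code, that runs those checks over constructed endpoint telemetry in a simplified process/file/network event schema of our own. The rule that any outbound connection from wab.exe is suspicious is our assumption about a typical environment, not a finding from the report.

```python
from dataclasses import dataclass

# Remcos C&C entries from the report, in Remcos' own host:port:flag form.
REMCOS_C2 = [
    "frabyst44habvous1.duckdns[.]org:2980:0",
    "frabyst44habvous1.duckdns[.]org:2981:1",
    "frabyst44habvous2.duckdns[.]org:2980:0",
]


def parse_c2(entry: str) -> tuple[str, int, int]:
    """Split a defanged 'host:port:flag' Remcos C&C entry into its parts."""
    host, port, flag = entry.replace("[.]", ".").rsplit(":", 2)
    return host.lower(), int(port), int(flag)


C2_HOSTS = {parse_c2(e)[0] for e in REMCOS_C2}


@dataclass
class Event:
    """Constructed, simplified telemetry record (not a real EDR schema)."""
    kind: str                 # "process", "file" or "network"
    image: str = ""           # process image that performed the action
    parent: str = ""          # parent image (process events only)
    path: str = ""            # file created (file events only)
    dest: str = ""            # destination host (network events only)
    port: int = 0


def _base(p: str) -> str:
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remcos_chain(events: list[Event]) -> list[str]:
    """Return one finding per event that matches a stage of the reported chain."""
    hits: list[str] = []
    for e in events:
        if e.kind == "process":
            parent, image = _base(e.parent), _base(e.image)
            if parent in {"wscript.exe", "cscript.exe"} and image == "powershell.exe":
                hits.append("script host launched PowerShell (VBS dropper stage)")
            elif parent == "powershell.exe" and image == "wab.exe":
                hits.append("PowerShell launched wab.exe (shellcode injection host)")
        elif e.kind == "file":
            low, name = e.path.lower(), _base(e.path)
            if name == "talehmmedes.txt" and "\\temp\\" in low:
                hits.append("downloader script written to %Temp%\\Talehmmedes.txt")
            elif name == "haartoppens.eft" and "\\appdata\\" in low:
                hits.append("second-stage file written to %AppData%\\Haartoppens.Eft")
            elif name == "mifvghs.dat" and "\\appdata\\" in low:
                hits.append("Remcos keylog file %AppData%\\mifvghs.dat created")
        elif e.kind == "network":
            if e.dest.lower() in C2_HOSTS:
                hits.append(f"{_base(e.image)} connected to Remcos C&C {e.dest}:{e.port}")
            elif _base(e.image) == "wab.exe":
                # Assumption: wab.exe (Windows Contacts) rarely makes outbound connections.
                hits.append(f"wab.exe made an outbound connection to {e.dest}:{e.port}")
    return hits


# Constructed sample telemetry reproducing the reported chain plus one benign event.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe"),
    Event("file", image="powershell.exe",
          path=r"C:\Users\victim\AppData\Local\Temp\Talehmmedes.txt"),
    Event("file", image="powershell.exe",
          path=r"C:\Users\victim\AppData\Roaming\Haartoppens.Eft"),
    Event("process", image=r"C:\Program Files\Windows Mail\wab.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("network", image=r"C:\Program Files\Windows Mail\wab.exe",
          dest="frabyst44habvous1.duckdns.org", port=2980),
    Event("file", image="wab.exe", path=r"C:\Users\victim\AppData\Roaming\mifvghs.dat"),
    Event("process", image=r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in detect_remcos_chain(SAMPLE_EVENTS):
        print(finding)
```

Individually, a PowerShell child of wscript.exe or a file in %Temp% is noisy; correlating two or more of these findings on the same host within a short window is what makes the chain worth an alert.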

Users should refrain from executing attachments in emails from unknown sources.

If an attachment has already been downloaded, avoid enabling (executing) macros.

Make sure the security settings of file-handling applications are set to a high level to prevent unintended programs from running.

Additionally, it is advised to update the antivirus engine to the latest pattern version.

Source credit : cybersecuritynews.com