Highlights:

  • A new phishing campaign has been discovered by Check Point researchers in the last two months. This campaign targeted over 40 prominent companies in various industries within Colombia.
  • The attackers behind the phishing campaign aimed to install the “Remcos” malware on the victims’ computers. The potential outcomes of a Remcos infection include data theft, subsequent infections, and the takeover of accounts.
  • Check Point customers remain protected against threats described in this research

Executive Summary

Over the past two months, Check Point researchers have come across a novel large-scale phishing campaign that specifically targeted over 40 prominent companies spanning various industries in Colombia. The primary objective of the attackers was to surreptitiously implant the infamous “Remcos” malware onto victims’ systems.

This advanced malware, often likened to a versatile “Swiss Army Knife” RAT, bestows complete control to the assailants, allowing them to exploit the compromised computer for a range of nefarious purposes.

Remote access trojans (RATs) are malware designed to allow an attacker to remotely control an infected computer. Once the RAT is running on a compromised system, the attacker can send commands to it and receive data back in response.

The aftermath of a Remcos infection commonly encompasses data pilferage, subsequent malware infiltrations, and the hijacking of user accounts. Our comprehensive report delves into the intricate mechanics of the attack, spotlighting the cunning tactics employed by these malicious entities.

Attack Flow

  1. Fraudulent Email: The attackers start by sending fake emails that look like they’re from trusted sources like banks or companies in Colombia. These emails might talk about urgent matters, unpaid debts, or exciting offers.
  2. Email Attachment: Inside these emails, there’s a file attached that seems harmless, like a ZIP or RAR file. It says it has important documents or invoices to get you interested.
  3. Hidden Commands: The archive file contains a highly obfuscated Batch (BAT) file. Upon execution, the BAT file runs PowerShell commands which are also heavily obfuscated. This multi-layer obfuscation makes it difficult for security solutions to detect and analyze the malicious payload.
  4. Loading .NET Modules: The instructions make your computer load two important parts that are like tools. These modules are essential for the subsequent stages of the attack.
  5. First .NET Module: Evasion and Unhooking: The first tool’s job is to hide and trick your computer’s defenses. It tries to turn off the security stuff so the bad stuff doesn’t get caught.
  6. Second .NET Module: Loading “LoadPE” and Remcos: The second .NET module dynamically loads another component called “LoadPE” from the file resources. “LoadPE” is responsible for reflective loading, a technique that allows the loading of a Portable Executable (PE) file (in this case, the Remcos malware) directly into memory without the need for it to be stored on the disk.
  7. Reflective Loading with “LoadPE”: Using the “LoadPE” component, the attackers load the final payload, the Remcos malware, directly from their resources into the memory. This reflective loading technique further enhances the malware’s ability to evade traditional antivirus and endpoint security solutions, as it bypasses standard file-based detection mechanisms.
  8. The Final Payload: Remcos – Swiss Army Knife RAT: With the successful loading of the Remcos malware into memory, the attack is now complete. Remcos, a potent Remote Administration Tool (RAT), grants the attackers full control over the compromised system. It serves as a Swiss Army Knife for the attackers, allowing them to execute a wide range of malicious activities, including unauthorized access, data exfiltration, keylogging, remote surveillance, and more.

In the full technical research, The researchers’ report delves into the specifics of the attack, emphasizing the covert techniques utilized by the malicious actors to execute their campaign effectively.

Our analysis offers a glimpse into the intricate world of evasion techniques and deobfuscation procedures employed by attackers. By deciphering the hidden functionalities of the malicious BAT and .NET modules, we were able to shed light on the attack flow’s complexity. Understanding these technical intricacies is essential for enhancing cybersecurity defenses and devising effective countermeasures to protect against such advanced phishing campaigns.

Check Point customers remain protected from the threats described in this research.

Harmony Email & Collaboration detects and blocks the most advanced phishing attacks across inbound, outbound and internal communications, in real-time, before they reach end-users.

Leveraging Artificial Intelligence and machine learning, analyzing over 300+ indicators of phishing and ingesting data from ThreatCloud AI, Check Point’s dynamically updated service based on an innovative global network of threat sensors, Harmony Email & Collaboration reduces phishing reaching the inbox by 99.2%.

Check Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against threats described in this research.

 

Threat Emulation:

Technique.Win.Unhooking.B

Technique.Win.WrongFileExt.A

Technique.Win.UnhookingNtdll.A

 

Read the full technical research at https://research.checkpoint.com/

You may also like