SANS Internet Storm Center

Malspam pushes GuLoader for Remcos RAT

Published: 2021-02-24
Last Updated: 2021-02-24 00:11:31 UTC
by Brad Duncan (Version: 1)

Introduction

Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware, especially malware based on remote administration tools (RATs). I wrote a blog last year examining malspam using GuLoader for Netwire RAT, and GuLoader activity has continued since then.

Today's diary reviews a case of malspam pushing GuLoader for Remcos RAT on Tuesday 2021-02-23.


Shown above:  Flow chart for the Remcos RAT infection reviewed in today's diary.

The malspam


Shown above:  Screenshot of the malspam.

The malspam is supposedly from someone at Lowes in Canada. Below are some email headers associated with this message.

Received: from rz-medizintechnik.com (unknown [185.29.11.66])
Date: 23 Feb 2021 07:18:05 +0100
From: CHIRAG MARCUS <chirag.m@lowes-ca.org>
Subject: New Quotation 2021
Message-ID: <20210223071804.247143D567E6DCFA@lowes-ca.org>


As noted above, the sender is supposedly from lowes-ca.org, but this site is not associated with Lowes. That domain has an open directory for its web server, and it seems like it's being used for malicious purposes.


Shown above:  Lowes-ca.org when viewed in a web browser.

The attachment

I opened the attachment in my lab, but I was on a Windows 10 host running a recent version of Microsoft Office.  Initially, I didn't realize this was a document with an exploit targeting CVE-2017-11882.  I had to switch to an older Windows 7 host to get an infection.


Shown above:  Screenshot of the attachment opened in Excel.

The infection traffic

Infection traffic was typical for what I've seen with previous GuLoader infections for some sort of RAT-based malware.  In this case, the infected Windows host was unable to establish a TCP connection with the server used by this sample for Remcos RAT.


Shown above:  Traffic from the infection filtered in Wireshark.

Forensics on the infected Windows host

GuLoader remained persistent on the infected Windows host through a registry update. When the host was rebooted, the GuLoader sample again retrieved the encoded binary for Remcos RAT.


Shown above:  GuLoader for Remcos RAT persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Associated malware:

SHA256 hash: 21c4c697c6cba3d1d7f5ae5d768bf0c1d716eccc4479b338f2cf1336cf06b8ad

  • File size: 2,231,808 bytes
  • File name: Lowes_Quotation_PN#1092021.xlsx
  • File description: Email attachment, Word doc with exploit for CVE-2017-11882

SHA256 hash: 6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df

  • File size: 106,496 bytes
  • File location: hxxp://mtspsmjeli.sch[.]id/Img/VOP.exe
  • File location: C:\Users\[username]\AppData\Roaming\win.exe
  • File description: Windows EXE, GuLoader for Remcos RAT

Infection traffic:

GuLoader EXE retrieved through CVE-2017-11882 exploit:

  • 103.150.60[.]242 port 80 - mtspsmjeli.sch[.]id - GET /Img/VOP.exe

GuLoader retrieves encoded data for Remcos RAT:

  • 103.150.60[.]242 port 80 - mtspsmjeli.sch[.]id - GET /cl/VK_Remcos%20v2_AxaGIU151.bin

Remcos RAT post-infection traffic:

  • 192.253.246[.]142 port 2009 - hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz.ydns[.]eu - attempted TCP connections
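The traffic listed above follows a recognizable sequence: an EXE fetched from a web server, an encoded .bin fetched from the same server shortly after, then TCP connection attempts to a dynamic-DNS host on an unusual port. The following is an added example (not code from the diary or from the ISC) that hunts for that sequence in proxy/connection logs; the log lines, host names, 600-second window and the short dynamic-DNS suffix list are constructed assumptions, and a failed connection attempt still counts, as it did in this infection.

```python
import re
from collections import defaultdict
# Constructed sample lines (not from the real infection): "<time> <client> GET <host> <path>"
# or "<time> <client> CONNECT <host> <port> <result>".
SAMPLE_LOG = """\
07:20:01 10.0.0.5 GET stage.example.invalid /Img/VOP.exe
07:20:09 10.0.0.5 GET stage.example.invalid /cl/VK_Remcos%20v2.bin
07:20:15 10.0.0.5 CONNECT abcxyz.ydns.eu 2009 FAILED
07:22:00 10.0.0.7 GET cdn.example.com /tool.exe
07:22:30 10.0.0.7 CONNECT www.example.com 443 OK
"""
DYNDNS_SUFFIXES = ("ydns.eu", "ddns.net", "duckdns.org")  # assumed partial list; extend locally
COMMON_PORTS = {80, 443}
WINDOW = 600  # seconds allowed between the stage-one EXE and the later events
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|CONNECT) (\S+) (\S+)(?: (\S+))?$")

def parse(log_text):
    """Yield (seconds, client, verb, host, arg); arg is the path for GET, the port for CONNECT."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, client, verb, host, arg, _result = m.groups()
            h, mi, s = (int(x) for x in t.split(":"))
            yield h * 3600 + mi * 60 + s, client, verb, host, arg

def is_dyndns(host):
    return host.lower().endswith(tuple("." + s for s in DYNDNS_SUFFIXES))

def find_guloader_chains(log_text):
    """One finding per client: EXE download, then .bin from the same server, then dyn-DNS connect."""
    per_client = defaultdict(list)
    for ev in parse(log_text):
        per_client[ev[1]].append(ev)
    findings = []
    for client, evs in per_client.items():
        evs.sort()
        for i, (t0, _, verb, host, path) in enumerate(evs):
            if verb != "GET" or not path.lower().endswith(".exe"):
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= WINDOW]
            stage2 = next((e for e in later if e[2] == "GET" and e[3] == host
                           and e[4].lower().endswith(".bin")), None)
            if stage2 is None:
                continue  # a lone EXE download is not this pattern
            c2 = next((e for e in later if e[2] == "CONNECT" and is_dyndns(e[3])
                       and int(e[4]) not in COMMON_PORTS), None)  # failed attempts count too
            findings.append({"client": client, "stage_host": host, "stage2_path": stage2[4],
                             "c2": None if c2 is None else f"{c2[3]}:{c2[4]}"})
            break
    return findings
```

Only the first client is reported: the second client downloads an EXE but never fetches a .bin from the same server, so it is left alone.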

Final words

We continue to see new malware samples using exploits based on CVE-2017-11882 in the wild.  This vulnerability is over 3 years old, and exploits targeting it are not effective against the most recent versions of Microsoft Windows and Office.  The only reason we continue to see these new samples is because distributing exploits based on CVE-2017-11882 remains profitable.  That means a substantial number of people still use outdated versions of Microsoft Office and/or Windows that are not properly patched or updated.

GuLoader has been a relatively constant presence in our threat landscape since it was discovered in December 2019, so I expect we'll also continue to see new samples for various RAT-based malware in the weeks and months ahead.

---

Brad Duncan
brad [at] malware-traffic-analysis.net
