AhnLab’s Security Intelligence Center (ASEC) confirms the distribution of Remcos RAT malware concealed within UUE (UUEncoding) files compressed with Power Archiver. This sophisticated method of malware dissemination has emerged within phishing campaigns masquerading as export/import shipment-related emails or quotations, highlighting the necessity for recipients to exercise caution when handling suspicious emails. Utilizing UUEncoding enables threat actors to obfuscate VBS script files, evading detection mechanisms and facilitating the deployment of malicious payloads onto targeted systems.
Upon decoding, the concealed VBS scripts reveal a meticulously orchestrated sequence of actions leading to infection. The execution process begins with the VBS script saving a PowerShell script as Talehmmedes.txt in the %Temp% directory. Subsequent PowerShell scripts, obfuscated to impede analysis, drive the retrieval and execution of additional malicious files from designated URLs, perpetuating the infection chain and compromising system integrity.
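The wrapping described above, a script file hidden inside a UUE envelope, is straightforward to unwrap for triage. The following added example (written for this summary, not code from ASEC or the campaign) decodes a classic `begin <mode> <name>` ... `end` envelope with Python's `binascii` and flags payloads that carry a script extension or generic dropper markers; the attachment sample is constructed here, and the `Talehmmedes.txt` path is the only value taken from the report.

```python
"""Triage helper for UUEncoded attachments that wrap script files (added example)."""
import binascii
import re

SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta", ".bat", ".cmd")
# Generic dropper markers to look for in the decoded body (not report IoCs)
SUSPICIOUS_MARKERS = (b"wscript.shell", b"createobject(", b"%temp%", b"powershell", b"-encodedcommand")
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+)$")

def decode_uue(text):
    """Return (embedded filename, payload bytes) for a UUE envelope, or None if there is none."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = BEGIN_RE.match(line.strip())
        if not m:
            continue
        name = m.group(2).strip()
        chunks = []
        for body in lines[i + 1:]:
            if body.strip() == "end":
                return name, b"".join(chunks)
            if body.strip() in ("", "`"):      # zero-length terminator line before 'end'
                continue
            try:
                chunks.append(binascii.a2b_uu(body))
            except binascii.Error:
                return None                      # malformed body: not a usable UUE envelope
    return None

def triage(text):
    """Classify one attachment: reports whether it is UUE and why it looks suspicious."""
    decoded = decode_uue(text)
    if decoded is None:
        return {"uue": False, "verdict": "clean", "reasons": []}
    name, payload = decoded
    reasons = []
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"script extension inside UUE: {name}")
    low = payload.lower()
    reasons += [f"marker {m.decode()!r} in decoded body" for m in SUSPICIOUS_MARKERS if m in low]
    return {"uue": True, "name": name, "verdict": "suspicious" if reasons else "review", "reasons": reasons}

def encode_uue(name, payload):
    """Build a UUE envelope; used only to construct the sample attachment below."""
    body = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii") for i in range(0, len(payload), 45)]
    return f"begin 644 {name}\n" + "".join(body) + "`\nend\n"

# Constructed sample (not the campaign's script): a VBS stub that references the %Temp% stage path.
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b"' constructed sample for detection testing\r\n"
              b'stage = "%Temp%\\Talehmmedes.txt"\r\n')
SAMPLE_UUE = encode_uue("Shipment_Quotation.vbs", SAMPLE_VBS)
```

Running `triage(SAMPLE_UUE)` returns a `suspicious` verdict with the script extension and three marker hits listed, while a plain-text body returns `uue: False`.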
The primary payload delivered by this intricate process is the Remcos RAT, a potent remote access trojan engineered to clandestinely infiltrate systems and exfiltrate sensitive information. Upon activation, Remcos RAT conducts reconnaissance activities, harvesting system data and logging keystrokes. This data is then transmitted to a Command & Control (C&C) server, providing threat actors with persistent access and control over compromised systems, thereby underscoring the severity of the threat posed by this malware campaign.