Hackers are increasingly turning to advanced techniques to distribute malware, notably using steganography to conceal and deploy the Remote Access Trojan (RAT) known as RemcosRAT. This method involves hiding malicious code within image files that appear innocuous, marking a sophisticated evolution in cyberattack methods. The initial stage of the attack typically involves a Word document that employs a template injection technique to exploit vulnerabilities within the document’s processing system. Once the user opens the document, it triggers the download and execution of an RTF file which exploits a known vulnerability in Microsoft Word’s equation editor, leading to further malicious activities.
The attack progresses as the RTF file downloads a VBScript with a deceptive “.jpg” file extension from a command and control (C2) server. This script is heavily obfuscated to evade detection by antivirus software and executes a PowerShell command to download an additional image file from an external source. The craftiness of the attack lies in the image itself, which contains Base64 encoded data hidden behind what is typically the end marker of a JPEG file. The PowerShell script locates this hidden data, decodes it, and reveals a .NET DLL file, which is then executed through reflective code loading, allowing the malware to run directly in memory without being written to disk.
Further complicating the malware’s deployment, the script continues to download additional files from the C2 server and uses a process hollowing technique with RegAsm.exe to execute these files. This method effectively conceals the execution of RemcosRAT, ultimately leading to its operation on the victim’s machine. RemcosRAT itself is a powerful tool for cybercriminals, allowing them to gain comprehensive control over an infected device, from capturing keystrokes to activating the webcam, and more.
Given the sophistication and stealthiness of this new malware distribution method, users are urged to remain vigilant. This includes being cautious with email attachments, avoiding downloads from unreliable sources, and keeping antivirus software up to date. The use of steganography in malware attacks represents a significant shift in the landscape of cyber threats, emphasizing the need for enhanced cybersecurity practices and user awareness to combat these evolving risks.
