{"id":1993,"date":"2024-09-25T10:26:58","date_gmt":"2024-09-25T10:26:58","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1993"},"modified":"2025-07-29T03:11:13","modified_gmt":"2025-07-29T03:11:13","slug":"analysis-of-remcos-js-campaign","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-remcos-js-campaign\/","title":{"rendered":"Analysis of Remcos JS Campaign"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"649\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/remcos.rat_.img_-1-1024x649.webp\" alt=\"remcos.rat\" class=\"wp-image-2000\"\/><figcaption class=\"wp-element-caption\">remcos.rat<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Remcos is a remote access trojan (RAT) used to take remote control of infected Windows PCs. Once Remcos infects a system, the threat actor can execute commands on the victim\u2019s machine, run a keylogger, and conduct surveillance (audio capture and screenshots).<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Target Platform: Windows<br>Targets: News agencies and energy-industry businesses.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Infection Chain<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"212\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-33.webp\" alt=\"\" class=\"wp-image-1994\"\/><\/figure>\n\n\n\n<p>Remcos RAT reaches its victims through spam email as the initial infection vector. The email carries a password-protected archive attachment (the password keeps mail-gateway scanners from opening the archive), which contains the JavaScript file. 
These .JS files typically embed a malicious URL from which the payload is fetched; in this campaign the payload files are downloaded from the known [tgc8x.XX] domain.<\/p>\n\n\n\n<p>The initial vector may vary by target, since threat actors perform basic reconnaissance on a target before choosing how to deliver the loader.<\/p>\n\n\n\n<p><strong>Sample Information<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>File Type&nbsp; : JS<\/td><\/tr><tr><td>SHA256&nbsp;&nbsp;&nbsp; : 2fe8b40429901347bcb96dfcf519a2cfdf5e65ac87dcec593a8d3dc4ac2f9101<\/td><\/tr><tr><td>Campaign: Remcos RAT<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-32.webp\" alt=\"\" class=\"wp-image-1995\"\/><\/figure>\n\n\n\n<p><strong>Technical Analysis of the JavaScript Loader<\/strong><\/p>\n\n\n\n<p>The sample is a plain-text file containing JavaScript code. Because it arrives as a standalone .js attachment rather than as script embedded in a web page, opening it hands it to the Windows Script Host (wscript.exe), which runs it with the rights of the logged-in user and exposes COM objects such as Scripting.FileSystemObject (the source of the GetSpecialFolder() call seen later). JavaScript files can contain variables, operators, functions, conditions, loops, arrays, objects, etc. 
Given below is a brief overview of JavaScript syntax as it appears in this loader.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Each statement ends with a semicolon (;).<\/li>\n\n\n\n<li>Variables are declared with the var keyword.<\/li>\n\n\n\n<li>Arithmetic operators (+ - * \/) compute values.<\/li>\n\n\n\n<li>Single-line comments start with \/\/ and multi-line comments are enclosed in \/* and *\/.<\/li>\n\n\n\n<li>All identifiers are case-sensitive, i.e., modelNo and modelno are two different variables.<\/li>\n\n\n\n<li>Functions are defined with the function keyword.<\/li>\n\n\n\n<li>Arrays are written with square brackets [].<\/li>\n\n\n\n<li>JS supports comparison operators such as ==, !=, &gt;=, !== etc.<\/li>\n\n\n\n<li>Classes are defined with the class keyword in modern engines; the legacy JScript engine behind wscript.exe does not support class, let or const, which is why WSH loaders stick to var and function.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-32.webp\" alt=\"\" class=\"wp-image-1996\"\/><\/figure>\n\n\n\n<p>The snapshot above shows the entire content of the JS file. Its strings are stored in an encoded form, so the logic only becomes readable once they are decoded.<\/p>\n\n\n\n<p><strong>Embedded Functions<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"447\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-32.webp\" alt=\"\" class=\"wp-image-1997\"\/><\/figure>\n\n\n\n<p>The decodeURIComponent() function is used to decode URI components. 
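<p>To make the decoding concrete, here is an added Python helper (example code, not part of the original post and not the sample itself) that applies the same decodeURIComponent()\/unescape() decoding statically and then pulls the URLs, the GetSpecialFolder() constant (WindowsFolder\/SystemFolder\/TemporaryFolder = 0\/1\/2) and the WSH object names out of the recovered text. The loader body it runs on is constructed for the demo; the hostname tgc8x.invalid, the file name svc.exe and the variable names are assumptions, not values from the real sample.<\/p>

```python
"""Static triage of a WSH JavaScript loader.

Added example, not the original post's code. Recovers strings hidden behind
decodeURIComponent()/unescape() and lists the IOCs the decoded text exposes.
"""
import json
import re
from urllib.parse import unquote


def _pct(s: str) -> str:
    """Percent-encode every byte, the form the loader feeds to decodeURIComponent()."""
    return "".join(f"%{b:02X}" for b in s.encode())


# Constructed loader body for the demo. Object names are the usual WSH COM
# objects; the hostname tgc8x.invalid and svc.exe are assumptions, not the
# values from the real sample.
SAMPLE_JS = f'''
var http = new ActiveXObject(decodeURIComponent("{_pct("MSXML2.XMLHTTP")}"));
var url  = decodeURIComponent("{_pct("http://tgc8x.invalid/p.exe")}");
var fso  = new ActiveXObject(unescape("{_pct("Scripting.FileSystemObject")}"));
var tmp  = fso.GetSpecialFolder(2);
var sh   = new ActiveXObject("WScript.Shell");
var dst  = sh.ExpandEnvironmentStrings("%APPDATA%") + "\\\\svc.exe";
'''

# decodeURIComponent("...") / unescape('...') with a plain string-literal argument
ENCODED_CALL = re.compile(r'\b(decodeURIComponent|unescape)\(\s*(["\'])(.*?)\2\s*\)', re.S)
GET_SPECIAL = re.compile(r"GetSpecialFolder\(\s*(\d+)\s*\)")
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# FileSystemObject SpecialFolderConst values
SPECIAL_FOLDERS = {0: "WindowsFolder", 1: "SystemFolder", 2: "TemporaryFolder"}
# COM/WSH names that mark a downloader run by wscript.exe rather than browser code
WSH_MARKERS = ("ActiveXObject", "WScript.Shell", "Scripting.FileSystemObject",
               "MSXML2.XMLHTTP", "ADODB.Stream", "ExpandEnvironmentStrings")


def decode_strings(js: str) -> str:
    """Replace each decodeURIComponent("...")/unescape("...") call with the
    literal it evaluates to, so the script reads the way it runs."""
    def repl(m):
        func, quote, raw = m.group(1), m.group(2), m.group(3)
        if func == "unescape":
            # unescape() is byte-wise (Latin-1) and additionally accepts %uXXXX
            raw = re.sub(r"%u([0-9A-Fa-f]{4})", lambda u: chr(int(u.group(1), 16)), raw)
            return quote + unquote(raw, encoding="latin-1") + quote
        return quote + unquote(raw) + quote          # decodeURIComponent() is UTF-8
    return ENCODED_CALL.sub(repl, js)


def extract_iocs(js: str) -> dict:
    """Decode the script and collect what an analyst wants first: URLs,
    GetSpecialFolder() constants, WSH markers and the %AppData% drop hint."""
    plain = decode_strings(js)
    folders = sorted({SPECIAL_FOLDERS.get(int(n), f"unknown({n})")
                      for n in GET_SPECIAL.findall(plain)})
    return {
        "decoded": plain,
        "urls": sorted(set(URL_RE.findall(plain))),
        "special_folders": folders,
        "wsh_markers": [m for m in WSH_MARKERS if m in plain],
        "drops_to_appdata": "%APPDATA%" in plain.upper(),
    }


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_JS)
    print(report["decoded"])
    print(json.dumps({k: v for k, v in report.items() if k != "decoded"}, indent=2))
```

<p>To use it on a real attachment, read the .js file into a string and pass it to extract_iocs(). The two decoders are deliberately kept apart: unescape() maps each %XX to the character with that code (Latin-1) and also understands %uXXXX, while decodeURIComponent() treats the bytes as UTF-8, so a helper that used one routine for both would corrupt non-ASCII strings.<\/p>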
In the loader it serves as a cheap string-obfuscation layer: the strings it is applied to (typically URLs, paths and COM object names) are stored percent-encoded and only decoded at run time, so applying the same decoding statically recovers them.<\/p>\n\n\n\n<p><strong>GetSpecialFolder constants<\/strong><\/p>\n\n\n\n<p>The loader locates its working directory through the FileSystemObject method GetSpecialFolder(); its numeric argument is one of the following constants.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Constant<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Value<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>WindowsFolder<\/td><td class=\"has-text-align-center\" data-align=\"center\">0<\/td><td>The Windows folder contains files installed by the Windows operating system.<\/td><\/tr><tr><td>SystemFolder<\/td><td class=\"has-text-align-center\" data-align=\"center\">1<\/td><td>The System folder contains libraries, fonts, and device drivers.<\/td><\/tr><tr><td>TemporaryFolder<\/td><td class=\"has-text-align-center\" data-align=\"center\">2<\/td><td>The Temp folder is used to store temporary files. Its path is found in the TMP environment variable.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Dropped PE File<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"385\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-31.webp\" alt=\"\" class=\"wp-image-1998\"\/><\/figure>\n\n\n\n<p>Once the connection to the C2 (command and control) server is established, the loader downloads the payload and drops it as a PE file in %AppData%. 
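<p>The download-drop-run behaviour described here is what an endpoint detection should key on. Below is an added Python example (not the post's own detection content) that correlates Sysmon-style process, network and file events into the chain: a script host launched with a .js file, an outbound connection from that process, a PE written under %AppData%, and a child process started from there. The events are constructed for the demo, and the host names, PIDs, IP address and payload path are assumptions.<\/p>

```python
"""Correlate the JS-loader chain in endpoint telemetry.

Added example, not the post's detection content. Events are constructed,
Sysmon-like dicts (EventID 1 = process create, 3 = network connect,
11 = file create; fields Image, ParentImage, CommandLine, TargetFilename,
DestinationIp). Host names, PIDs, the IP and the payload path are assumptions.
"""
import json
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")   # compared against lower-cased paths
APPDATA = "\\appdata\\roaming\\"


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry: WS01 shows the chain from the post (archive -> .js ->
# download -> drop in %AppData% -> run); WS02 is a benign logon script.
EVENTS = [
    {"t": _t("2024-09-20T09:01:00"), "host": "WS01", "id": 1, "pid": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\invoice\Invoice_0924.js"'},
    {"t": _t("2024-09-20T09:01:03"), "host": "WS01", "id": 3, "pid": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.50", "DestinationPort": 80},
    {"t": _t("2024-09-20T09:01:05"), "host": "WS01", "id": 11, "pid": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"t": _t("2024-09-20T09:01:06"), "host": "WS01", "id": 1, "pid": 4188,
     "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"t": _t("2024-09-20T09:05:00"), "host": "WS02", "id": 1, "pid": 900,
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r"cscript.exe //B \\corp\netlogon\map_drives.js"},
]


def detect_js_loader_chain(events, window=timedelta(minutes=5)):
    """Return one alert per script-host process that ran a .js file and then,
    within the window, connected out, wrote a PE under %AppData%, or spawned a
    child from %AppData%. Each stage seen adds to the score; the alert carries
    the stages so an analyst can see which parts of the chain were observed."""
    alerts = []
    # ".js" in the command line is a coarse filter; the later stages do the work
    starts = [e for e in events if e["id"] == 1
              and e["Image"].lower().endswith(SCRIPT_HOSTS)
              and ".js" in e["CommandLine"].lower()]
    for s in starts:
        same = [e for e in events if e["host"] == s["host"]
                and s["t"] <= e["t"] <= s["t"] + window]
        stages = {"js_launch": s["CommandLine"]}
        for e in same:
            if e["id"] == 3 and e["pid"] == s["pid"]:
                stages["network"] = f'{e["DestinationIp"]}:{e["DestinationPort"]}'
            if (e["id"] == 11 and e["pid"] == s["pid"]
                    and APPDATA in e["TargetFilename"].lower()
                    and e["TargetFilename"].lower().endswith(".exe")):
                stages["drop"] = e["TargetFilename"]
            if (e["id"] == 1 and e is not s and APPDATA in e["Image"].lower()
                    and e["ParentImage"].lower().endswith(SCRIPT_HOSTS)):
                stages["exec_from_appdata"] = e["Image"]
        score = len(stages) - 1
        if score >= 2:   # a .js launch alone is too noisy; require two more stages
            alerts.append({"host": s["host"], "pid": s["pid"],
                           "score": score, "stages": stages})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_js_loader_chain(EVENTS), indent=2))
```

<p>The threshold of two extra stages is the point of the design: a script host running a .js file is common in managed environments (logon scripts, as WS02 shows), but a script host that also connects out and writes an executable under %AppData%, or whose child starts from there, is the loader behaviour this post describes and is rare enough to page on.<\/p>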
The dropped file is then executed, and the RAT begins the system infection and data exfiltration.<\/p>\n\n\n\n<p><strong>C2 Look-up in the Application Layer<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"325\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-31.webp\" alt=\"\" class=\"wp-image-1999\"\/><\/figure>\n\n\n\n<p><strong>Once the system is infected, the following actions can be performed<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Contextual system data and user information about the host can be stolen.<\/li>\n\n\n\n<li>User credentials can be stolen, including through brute-force attacks.<\/li>\n\n\n\n<li>Keylogging and surveillance (audio and screenshots) can be started by the threat actor.<\/li>\n\n\n\n<li>Cryptocurrency (digital coins) can be stolen.<\/li>\n\n\n\n<li>Because the RAT runs as a backdoor, the affected system is open to further attacks and additional infections.<\/li>\n<\/ul>\n\n\n\n<p><strong>Indicators of Compromise<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table 
is-style-regular\"><table><tbody><tr><td><strong>SHA256<\/strong><\/td><td><strong>MD5<\/strong><\/td><\/tr><tr><td>a7c61d6f42d0e533d477a174db81b336e4ae404f724f3328155bbc666268f5a5<\/td><td>c4f2576763220d60eeea5b677d01725a<\/td><\/tr><tr><td>3223aac4e7cc2029d14f30870b99219f9f201bcbf795eae40551673fd0ff695a<\/td><td>63263ac0034b115a15107ce7d23c0409<\/td><\/tr><tr><td>c051e8f43d4014d87a993c1dc7a74d63e1c20dc07d78101a1f939ecb01458289<\/td><td>df0591acc4b504c14963aca9b32057c0<\/td><\/tr><tr><td>7eaaced11febdf8831f3182ae2b6814337241f796518abd3fdfe42895f60f1e6<\/td><td>463c355eae409d2c0be9958ba6d6402a<\/td><\/tr><tr><td>38dce69db22d3fbdf2c68814de242a73f74cd4352435546e24c89ab1081837cb<\/td><td>24a8fabe45ee48f07827a85e5f5f3549<\/td><\/tr><tr><td>b7d3b37f7c05cf1d6c6d8d2bc63348c99c00d1c5c9eff1d0f454b68d84d6846e<\/td><td>929187ecd465043704b3b440ad89c70a<\/td><\/tr><tr><td>673883ceb7adf30ad980e5e51b7515414becba3b5f6b96068dc4d35b092799fe<\/td><td>2fa65dba9bc221cc045744cc52171a65<\/td><\/tr><tr><td>387fde69107f77b74ae2450be1e218dfe2da8985bed078413218927cd4a1acb5<\/td><td>aeb57b5a60161996c819f922736d3f27<\/td><\/tr><tr><td>547b33c42d62007a98e6c84389c7b5899dd05297224d631f7140393902adc62d<\/td><td>831ca1380578b2d686a8a45382c7bc38<\/td><\/tr><tr><td>16a4d15c7075523c55feff156b994e32baa5b06c93eb4aba10aa4bc5b2ab8d71<\/td><td>da093d6d837548663d07fa31a991fbe9<\/td><\/tr><tr><td>a3f38462f8217a7d4bec10fabd01cfaa1bc838f7f47d46e2d2ec6e40b1e3ad29<\/td><td>3c3ea22550c72f984ba52264c2805a0a<\/td><\/tr><tr><td>ae10310ee50166f5be6e4823b4371a7cc81604b15614f27ab3650d84151ed2ec<\/td><td>8583b2e8569bff2d57e9909a1f180ee7<\/td><\/tr><tr><td>9aac31952a39c176cdc29e4772ffbd80a108371dd42544239ea7f0be8cc0c0e7<\/td><td>29cc7f5018e5dd1ac0fec19b5cce40f6<\/td><\/tr><tr><td>3fb735b2a4f452ff18e26c450302c979ba8048cb42cc4baa11937e9b33a6f76d<\/td><td>79d98af46df94761cf66a3d64550cf50<\/td><\/tr><tr><td>650f2976689f2f58d3a9a626140771837516b160ca1388a197ce4e485829f39a<\/td><td>d4e3340f853c71caccbe9cd0ab164dfe<\/td><\/tr><t
r><td>00defc287464d5bddd1009e40d52e5c5092ce132a7307084c6cbd3e482d2f42f<\/td><td>79dda667e14b48f2e1f8cfd1700d94e8<\/td><\/tr><tr><td>45327dec6e7063ada76f565669e15d66b46272f040c0db2a5c5904a161e0f4b2<\/td><td>50c2e1f56e529191d62b5378a814d550<\/td><\/tr><tr><td>045f049456a9a36a943be7255d7599ffbf872790a5f6099bffb3895d6d698a2c<\/td><td>54ba37ef1863ba9d853178fb67e78189<\/td><\/tr><tr><td>17196ecc5f7c062b7b74be70e7756d2bada738d032a3c9e50fa730e63a87235c<\/td><td>708b50fff65931c72f90a44743137476<\/td><\/tr><tr><td>ac6a8ed48137abc67a6538fa5b4e907a11e6883c59ddd2616dac6b16d9051efa<\/td><td>a19948c9558047da10f8769e6c26ec0f<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Remcos is a remote access trojan malware which is used to take remote control over infected PCs. Once Remcos RAT infects the system, a threat actor has the ability to execute remote commands on the user&rsquo;s system. Also, Remcos RAT gives them an option to run a keylogger and\/or conduct surveillance (audio + screenshots) activity 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2000,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1993","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1993"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1993\/revisions"}],"predecessor-version":[{"id":4176,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1993\/revisions\/4176"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2000"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}