VHDX-Borne Remcos Campaign Evades 52 of 57 AV Engines

isc.sans.edu · @threat_watch · 2 hours ago · Cybersecurity · 3 comments

A JavaScript with a 5/57 VirusTotal detection rate used a VHDX container and WMI process creation to drop Remcos RAT, bypassing most security controls.

remcos rat · vhdx · powershell obfuscation · wmi · sans isc · xavier mertens

A JavaScript file with just 5 out of 57 VirusTotal detections is the linchpin of a Remcos RAT campaign that uses a VHDX container and WMI execution to sidestep most first-line defenses. Xavier Mertens at SANS ISC broke down the full chain after a reader submitted the initial ZIP (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094).

VHDX as a Malware Container

Unzipping that archive yields a VHDX file. Modern Windows automounts it, revealing a JavaScript named "Partnerschaft_fur_neue_Angebotsanfrage.js" ("Partnership for new quotation request"), clearly targeting German speakers. VHDX as a delivery mechanism has been seen before but fell out of favor. This campaign proves it still works: the container itself evades many scanners, and the JavaScript inside is heavily obfuscated with garbage comments.

WMI Bypasses Parent-Child Monitoring

The JavaScript doesn't call PowerShell directly. Instead, it uses WbemScripting.SWbemLocator to connect to the local WMI service and calls Win32_Process.Create to launch a PowerShell script. That three-hop chain (JavaScript -> WMI -> PowerShell) looks far less suspicious than the direct parent-child relationship most EDR rules hunt. The PowerShell code is reconstructed from string concatenations littered with the word "bubble" as noise, stripped at runtime.
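What the WMI hop does to a parent-child rule is easiest to see against process-creation telemetry. The following is an added example, not code from the ISC diary or from Xavier Mertens' analysis: a naive "script host spawns a shell" rule is compared with a rule that keys on the WMI provider host as parent, plus a time-window correlation back to the script host. Processes created through Win32_Process.Create run under WmiPrvSE.exe, so that is the parent the telemetry records for the PowerShell instance. The event fields, PIDs and timestamps are constructed for the example.

```python
# Added example (not from the ISC diary or Xavier Mertens' analysis): compare a naive
# parent/child rule with one that accounts for WMI-mediated execution. Field names and
# the sample events below are constructed; image paths are the usual Windows locations.
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Processes created through Win32_Process.Create run under the WMI provider host,
# so the recorded parent of the PowerShell instance is WmiPrvSE.exe, not the script host.
WMI_PROVIDER_HOST = "wmiprvse.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style, trimmed)."""
    ts: datetime
    pid: int
    image: str
    parent_image: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def direct_script_host_rule(ev: ProcEvent) -> bool:
    """The common EDR pattern: a shell whose parent is wscript/cscript."""
    return _name(ev.image) in SHELLS and _name(ev.parent_image) in SCRIPT_HOSTS


def wmi_spawned_shell_rule(ev: ProcEvent) -> bool:
    """A shell launched by the WMI provider host: the path this campaign takes."""
    return _name(ev.image) in SHELLS and _name(ev.parent_image) == WMI_PROVIDER_HOST


def script_host_recently_started(events, ev: ProcEvent, window=timedelta(seconds=60)) -> bool:
    """Context for the WMI rule: was a script host created shortly before this shell?
    Links the two halves of the chain without relying on the parent PID."""
    return any(
        _name(other.image) in SCRIPT_HOSTS and timedelta(0) <= ev.ts - other.ts <= window
        for other in events
    )


def evaluate(events):
    """Return {pid: [rule names]} for every event that matches at least one rule."""
    findings = {}
    for ev in events:
        hits = []
        if direct_script_host_rule(ev):
            hits.append("direct_script_host_to_shell")
        if wmi_spawned_shell_rule(ev):
            hits.append("wmi_spawned_shell")
            if script_host_recently_started(events, ev):
                hits.append("script_host_active_before_wmi_spawn")
        if hits:
            findings[ev.pid] = hits
    return findings


T0 = datetime(2025, 6, 16, 9, 0, 0)
# Constructed events modelled on the chain in the diary: the JS opened from the mounted
# VHDX, the WMI provider host, then PowerShell under WmiPrvSE.exe. A direct
# wscript -> powershell launch and a user-launched PowerShell are included for contrast.
SAMPLE_EVENTS = [
    ProcEvent(T0, 4120, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T0 + timedelta(seconds=2), 4388,
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(T0 + timedelta(seconds=3), 4402,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(T0 + timedelta(minutes=5), 4130,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(T0 + timedelta(minutes=30), 5011,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Run as-is, the naive rule fires only on the contrasting direct launch (PID 4130) and is silent on the WMI-spawned PowerShell (PID 4402), which the second rule catches; the time-window check then ties that instance back to the script host that was opened seconds earlier. A PowerShell launched from Explorer half an hour later matches nothing, which is the false-positive case the window is there to suppress.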

Three-Stage PowerShell Obfuscation Delivers Remcos

Stage 2 PowerShell uses a function otidiform that Base64-decodes strings using the XOR key "Identificational" (consistent across all samples). It reconstructs commands like $global:unfishlike=::CreateInstance($formene). The script then downloads stage 3 from hxxps://cembusconfort.ro/Exoticisms121.dsp, saving it to %APPDATA%\Endocoel.Pro.

That file (SHA256: 9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1) holds the next-stage payload appended at byte offset 143578. Stage 3 carves 20305 bytes of PowerShell code and uses System.Reflection.Assembly.Load to run a reflective .NET loader. The loader fetches the final Remcos payload from hxxps://cembusconfort.ro/YoHtJ27.bin and injects it into backgroundTaskHost.exe. The RAT communicates with C2 at animal342.duckdns.org:53552. Persistence is set via a Run key executing the PowerShell loader through cmd.exe.

Every stage in this chain stays largely undetected by mainstream AV. The next time an email arrives with a VHDX attachment, that low VT score is exactly why you should treat it as guilty until proven innocent.
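For an analyst reproducing this chain in a sandbox, the two mechanical steps are reversing the string protection and carving the appended stage out of the container. The following is an added example, not the campaign's own code and not taken from the diary: a decoder for the otidiform-style transform with the reported key, a filler stripper for the "bubble" noise, and a carver that takes the reported offset and length. The order of operations (Base64 on the outside, XOR with the repeating key on the inside) is an assumption drawn from the diary's one-line description; all sample strings and the container bytes are constructed, so the offsets are real but the data under them is not.

```python
# Added example (not the script's own code): recover the strings that the stage-2
# function the diary calls otidiform protects, strip the "bubble" filler, and carve the
# appended stage-3 code out of a container at the offsets the analysis reports.
# The order of operations (Base64 on the outside, XOR on the inside) is assumed from
# the diary's description; all sample data below is constructed.
import base64
from itertools import cycle

XOR_KEY = b"Identificational"   # key reported as constant across samples
NOISE = "bubble"                # filler word stripped from the concatenated PowerShell
STAGE3_OFFSET = 143578          # byte offset of the appended payload (from the diary)
STAGE3_LENGTH = 20305           # bytes of PowerShell carved by stage 3 (from the diary)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; zip() stops at len(data)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_obfuscated(token: str, key: bytes = XOR_KEY) -> str:
    """Base64-decode, then XOR with the repeating key (the otidiform transform as described)."""
    return xor_bytes(base64.b64decode(token), key).decode("utf-8")


def encode_obfuscated(plain: str, key: bytes = XOR_KEY) -> str:
    """Inverse transform; used here only to build constructed samples for testing."""
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), key)).decode("ascii")


def strip_noise(fragment: str, noise: str = NOISE) -> str:
    """Remove the filler word inserted into concatenated command strings."""
    return fragment.replace(noise, "")


def carve_embedded(container: bytes, offset: int = STAGE3_OFFSET,
                   length: int = STAGE3_LENGTH) -> bytes:
    """Return the payload appended at offset; refuse truncated containers instead of
    silently returning a short slice."""
    if offset < 0 or length <= 0 or offset + length > len(container):
        raise ValueError(f"container is {len(container)} bytes; need {offset + length}")
    return container[offset:offset + length]


# --- constructed samples --------------------------------------------------------------
SAMPLE_TOKEN = encode_obfuscated("Write-Host 'constructed stage-2 string'")
SAMPLE_NOISY = "Wribubblete-Hobubblest"
STAGE3_STUB = b"# constructed stage-3 stub\n".ljust(STAGE3_LENGTH, b" ")
# Zero-filled prefix of the reported offset, the payload, then trailing bytes.
SAMPLE_CONTAINER = bytes(STAGE3_OFFSET) + STAGE3_STUB + b"\x00" * 64

if __name__ == "__main__":
    print(decode_obfuscated(SAMPLE_TOKEN))
    print(strip_noise(SAMPLE_NOISY))
    print(carve_embedded(SAMPLE_CONTAINER)[:27])
```

The carver deliberately raises on a container shorter than offset plus length rather than returning whatever slice exists: a truncated download is a common sandbox artefact, and a silently short carve would be fed to the next stage of analysis as if it were the whole payload.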


Source: From a VHDX File to a Remcos RAT, (Tue, Jun 16th)
Domain: isc.sans.edu
