Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware

March 18, 2021 | 4 minute read

Over the past year, the Cybereason Nocturnus Team has observed cyber criminals and nation-state groups alike leveraging global events such as COVID-19, along with other topical themes and trending issues, as phishing content to lure victims into installing their malware of choice.

With tax season already here, Cybereason detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content and ultimately deliver NetWire and Remcos, two powerful and popular RATs (remote access trojans) that allow attackers to take control of victims’ machines and steal sensitive information.

Key Points

  • Leveraging US tax season to lure victims: Each year, US taxpayers are expected to file their tax returns by April 15th. Cybereason detected a phishing campaign that uses this deadline to target them.
  • Delivering two types of commodity malware: Two infamous remote access tools (RATs), NetWire and Remcos, are used in this campaign, each delivered as a binary via malicious documents.
  • Evading heuristic and AV detection mechanisms: The malicious documents are roughly 7MB in size, large enough to fall outside the file-size limits of many traditional AV and heuristic scanners, which helps them evade inspection.
  • Abuse of legitimate cloud services: The infection chain uses cloud services such as “imgur” to store the NetWire and Remcos payloads, hidden in image files.
  • Steganography: Payloads are concealed within image files and downloaded from there; combined with hosting on public cloud services, this makes them even harder to detect.
  • Abusing legitimate OpenVPN clients: As part of the infection process, a legitimate OpenVPN client is downloaded and executed, and then sideloads a malicious DLL that drops NetWire/Remcos.

Background

The campaign bears resemblance to another campaign observed in April 2020 which also delivered the NetWire RAT. Both NetWire and Remcos are commercial RATs sold online at affordable prices, as little as US$10 per month. Both follow the Malware-as-a-Service (MaaS) model, offering subscription plans with services such as 24/7 support and software updates:

[Image: Remcos and NetWire as offered on their websites]

Campaign Analysis

Infection Vector: Lure Documents Containing a Malicious Macro

The infection vector that lures the users into installing the malware is a tax return themed Word document containing a malicious macro:

[Image: Malicious documents submitted to VirusTotal]

Once the document is opened, its content appears blurred and the user is told to click “Enable Editing” and then “Enable Content” to view it:

[Image: Malicious documents content]

This is a well-known social engineering technique to get the user to enable embedded macros. Once content is enabled, a heavily obfuscated embedded macro runs on the victim’s machine:

[Image: A part of the embedded macro obfuscated code]

The code above shows, in part, that the payload is dropped in the user’s “Temp” directory:

[Image: The DLL dropped by the macro code]

Finally, the DLL is injected into notepad.exe and continues the infection chain.

Loaders

The “sid.dll” loader dropped by the macro was observed in at least two variants: one loads Remcos, the other loads NetWire. Looking at their exports, both loaders share the same exported method, named “payload”:

[Image: The loader’s exported methods]

Upon execution, the “payload” method starts decrypting data using an XOR key:

[Image: Data decryption methods of the NetWire loader]

The first decrypted blob is additional executable code; the second is the URL the loader contacts to download the next stage of execution:

[Image: The decrypted initial C2 URL]
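To make the loader’s string-decryption step concrete, the following is an added example (not code from this post, and not the NetWire or Remcos loaders’ own routine) of how an analyst recovers a repeating-key XOR key from an encrypted string when the plaintext is known to start with a crib such as “http://”. The key, URL and encrypted blob are constructed for the example; the real loaders’ key, key length and string layout are not given in the post, and the assumption that the stored string is NUL-terminated is the example’s own.

```python
"""Recover an XOR'd C2 URL from a loader blob with a known-plaintext crib.

Added example, not code from the post or the loaders it analyses.  The key,
URL and blob below are constructed; the real loaders' key length and string
layout are not published in the post.
"""
from __future__ import annotations

# Characters allowed in a URL (RFC 3986 unreserved + reserved + '%').
URL_CHARS = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    b"-._~:/?#[]@!$&'()*+,;=%"
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling the key (encrypting == decrypting)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_url(blob: bytes, crib: bytes = b"http://") -> tuple[bytes, str] | None:
    """Known-plaintext attack on a repeating-key XOR'd, NUL-terminated string.

    For a candidate key length k (1..len(crib)), the first k key bytes are
    fixed by key[i] = blob[i] ^ crib[i].  The remaining crib bytes must then
    decrypt correctly under the cycled key, which rejects wrong lengths, and
    the whole decrypted string must consist of URL characters.  Returns the
    shortest consistent (key, url), or None if no candidate fits.
    """
    for k in range(1, len(crib) + 1):
        key = bytes(blob[i] ^ crib[i] for i in range(k))
        if xor_repeating(blob[: len(crib)], key) != crib:
            continue
        # Assumption: the loader stores the string NUL-terminated, C style.
        plain = xor_repeating(blob, key).split(b"\0", 1)[0]
        if plain and all(b in URL_CHARS for b in plain):
            return key, plain.decode("ascii")
    return None


# Constructed sample: a two-byte key and a placeholder URL, as a loader might
# store them.  Neither is from the real campaign.
SAMPLE_KEY = b"\x5a\xc3"
SAMPLE_URL = b"http://example.invalid/stage2/payload.bin"
SAMPLE_BLOB = xor_repeating(SAMPLE_URL + b"\0", SAMPLE_KEY)


if __name__ == "__main__":
    result = recover_url(SAMPLE_BLOB)
    print("key:", result[0].hex() if result else None)
    print("url:", result[1] if result else None)
```

The same crib trick works for any string whose prefix is predictable (a PE header’s “MZ”, a User-Agent, a mutex name); the verification against the rest of the crib is what keeps a wrong key length from producing plausible-looking garbage.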

Eventually, the malicious code is injected into “tracert.exe”, which downloads the OpenVPN client along with a trojanized DLL named “libcrypto-1_1.dll” that is side-loaded by the OpenVPN client upon execution. A similar process, most likely by the same threat actor, was described earlier this year in an analysis of documents dating back to mid-2020. Persistence for the VPN client is then established through a .lnk shortcut (C:\Users\%username%\AppData\Local\Temp\openvpn-gui.lnk) that is configured to run automatically.
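The chain described so far (an Office process dropping a DLL into Temp, openvpn-gui.exe sideloading libcrypto-1_1.dll from a user-writable directory, tracert.exe and notepad.exe opening network connections, and an openvpn-gui.lnk appearing in Temp) maps onto a handful of hunting rules. The following is an added example of those rules run over constructed telemetry; it is neither the Cybereason platform’s detection logic nor code from this post. The event schema (type, image, target, proto fields) is a simplified Sysmon-like layout and the OpenVPN install path used as the “expected” DLL location are assumptions.

```python
"""Hunting rules for the infection chain: Office drops a DLL into Temp,
openvpn-gui.exe sideloads libcrypto-1_1.dll from a user-writable path,
tracert.exe/notepad.exe/cmd.exe open network connections, and a .lnk for the
VPN client appears in Temp.

Added example, not the Cybereason platform's logic and not code from the
post.  The event schema and the OpenVPN install path are assumptions; the
sample events are constructed.
"""
from __future__ import annotations
from typing import Iterable

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed legitimate install location of the OpenVPN GUI and its DLLs.
OPENVPN_DIR = "c:\\program files\\openvpn\\bin\\"
# Binaries the post names as injection hosts.  None of them should own TCP/UDP
# sockets itself (tracert.exe uses ICMP, which Sysmon event 3 does not log).
INJECTION_HOSTS = {"tracert.exe", "notepad.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def evaluate(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_id, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        kind, image = ev["type"], basename(ev["image"])
        target = ev.get("target", "")
        if (kind == "file_create" and image in OFFICE_PROCESSES
                and target.lower().endswith(".dll") and in_user_temp(target)):
            findings.append(("office_drops_dll_in_temp", target))
        if (kind == "image_load" and image == "openvpn-gui.exe"
                and basename(target) == "libcrypto-1_1.dll"
                and not target.lower().startswith(OPENVPN_DIR)):
            findings.append(("openvpn_dll_sideload", target))
        if (kind == "network_connect" and image in INJECTION_HOSTS
                and ev.get("proto") in ("tcp", "udp")):
            findings.append(("injection_host_network", f"{image} -> {target}"))
        if (kind == "file_create" and basename(target) == "openvpn-gui.lnk"
                and in_user_temp(target)):
            findings.append(("openvpn_lnk_persistence", target))
    return findings


# Constructed sample telemetry (not real campaign data).
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": WINWORD},
    {"type": "file_create", "image": WINWORD, "target": TEMP + "sid.dll"},
    {"type": "image_load", "image": TEMP + "openvpn-gui.exe",
     "target": TEMP + "libcrypto-1_1.dll"},
    {"type": "image_load", "image": "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe",
     "target": "C:\\Program Files\\OpenVPN\\bin\\libcrypto-1_1.dll"},          # benign
    {"type": "network_connect", "image": "C:\\Windows\\System32\\tracert.exe",
     "proto": "tcp", "target": "203.0.113.10:443"},
    {"type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "proto": "tcp", "target": "198.51.100.7:443"},                             # benign
    {"type": "file_create", "image": TEMP + "openvpn-gui.exe", "target": TEMP + "openvpn-gui.lnk"},
    {"type": "network_connect", "image": "C:\\Windows\\System32\\notepad.exe",
     "proto": "tcp", "target": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The sideload rule is the one worth tuning: a legitimately installed OpenVPN GUI loads libcrypto-1_1.dll from its own directory, so the signal is the DLL (or the EXE) living somewhere a standard user can write, not the DLL name itself.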

OpenVPN DLL Sideloading

The malicious code in the sideloaded DLL unpacks an additional DLL in memory and injects it into “notepad.exe”. A secondary payload hidden in an image file is then downloaded from “imgur.com”, a well-known public image hosting service. The decrypted payload can be either NetWire or Remcos:

[Image: Screenshot of an image concealing a malicious payload]
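The post does not say how the payload is embedded in the imgur-hosted image. One common technique is to append the encrypted blob after the image’s end marker, where viewers ignore it and the loader knows to look; the following added example (not code from this post) carves and characterises such a trailer for PNG files, which is the assumption made here. The sample PNG and the high-entropy “payload” are constructed.

```python
"""Carve and characterise data appended after a PNG image's IEND chunk.

Added example, not code from the post.  Appending the payload after the image
end marker is an assumption (the post does not state the embedding method).
The sample PNG and payload are constructed.
"""
from __future__ import annotations
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC.

    Walking chunks by their declared lengths (rather than searching for the
    bytes 'IEND') means an appended payload that happens to contain 'IEND'
    cannot confuse the carver.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def carve_trailer(data: bytes) -> bytes:
    """Bytes after the image proper; a viewer ignores them, a loader does not."""
    return data[png_end_offset(data):]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 for empty input up to 8.0 for uniformly random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_trailer(trailer: bytes) -> str:
    if not trailer:
        return "clean"
    if trailer[:2] == b"MZ":
        return "pe_appended"                # plaintext Windows executable
    if shannon_entropy(trailer) > 7.0:
        return "high_entropy_appended"      # encrypted or packed blob
    return "data_appended"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# Constructed stand-in for an encrypted RAT: every byte value equally often,
# which gives maximal (8.0 bits/byte) entropy.
SAMPLE_PAYLOAD = bytes(range(256)) * 8
SAMPLE_CLEAN = make_png()
SAMPLE_STEGO = SAMPLE_CLEAN + SAMPLE_PAYLOAD

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("stego", SAMPLE_STEGO)):
        t = carve_trailer(img)
        print(f"{name}: {len(t)} trailing bytes, entropy {shannon_entropy(t):.2f}, "
              f"{classify_trailer(t)}")
```

For JPEG the same idea applies after the EOI marker (FF D9), but the scan data has to be parsed past byte-stuffed FF 00 and RST markers first; a naive search for the first FF D9 can stop early on an embedded thumbnail. An image whose trailer classifies as high entropy is not proof of malware by itself, but a 7MB “photo” with megabytes past IEND is exactly what this loader chain expects to find.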

Remcos

The features of the Remcos RAT are listed on its official website and include:

• Remote execution of shell commands on the infected machine

• Downloading and execution of additional payloads

• Screen capture

• Clipboard data management

The version used in this campaign is 3.0.0 Professional, a tier that also includes support and software updates:

[Image: Remcos variant as seen in its code]

NetWire

NetWire has been active for years, and a new version was spotted in the wild in 2019. Some of its most notable features include:

• Downloading and execution of additional payloads

• File and system managers

• Screen capture

• Browser credentials and history theft

• Gathering information about the victim’s system

Like Remcos, NetWire also contains indicative hardcoded strings:

[Image: NetWire hardcoded strings]

Cybereason Detection and Prevention

The Cybereason Defense Platform detects the execution of the malicious Word document used in the operation.

Once persistence is created in the first stage, the second stage of the attack is also detected, as the Remcos/NetWire code injected into cmd.exe is monitored.

Corresponding Malops™ are then triggered.

When the malicious sideloaded DLL is loaded by “openvpn-gui” in Prevention Mode, the Cybereason Defense Platform also detects the code injection into “notepad.exe” and prevents it from executing further.

Conclusion

Social engineering via phishing has been, and continues to be, the preferred infection method among cyber criminals and nation-state threat actors alike. In order to succeed, the threat actor must choose an interesting theme that is likely to lure its victim into opening the weaponized document or link.

In this campaign, we have shown how cybercriminals are leveraging the US tax season to infect American taxpayers with the Remcos and NetWire remote access trojans, granting the operators full control over victims’ machines. The sensitive information collected from victims can be used by the attackers for financial fraud or traded in underground communities.

Cybereason also observed that the threat actor designed the campaign to stay under the radar, using techniques such as steganography, hosting payloads on legitimate cloud services, and DLL sideloading through a legitimate application.


MITRE ATT&CK BREAKDOWN

 

Execution
  • Native API
  • Exploitation for Client Execution
  • Command and Scripting Interpreter
  • Scheduled Task/Job
  • System Services: Service Execution

Persistence
  • Hijack Execution Flow: DLL Sideloading
  • Event Triggered Execution: Application Shimming
  • Create or Modify System Process: Windows Service

Privilege Escalation
  • Process Injection

Defense Evasion
  • Deobfuscate/Decode Files or Information
  • Obfuscated Files or Information
  • Obfuscated Files or Information: Steganography
  • Obfuscated Files or Information: Software Packing
  • Masquerading
  • Virtualization/Sandbox Evasion

Credential Access
  • OS Credential Dumping

Discovery
  • System Time Discovery
  • Account Discovery
  • System Service Discovery
  • File and Directory Discovery
  • System Information Discovery
  • Software Discovery: Security Software Discovery
  • Process Discovery
  • System Network Configuration Discovery

Collection
  • Input Capture: Credential API Hooking
  • Screen Capture
  • Video Capture
  • Clipboard Data

Command & Control
  • Ingress Tool Transfer
  • Encrypted Channel
  • Remote Access Software
  • Non-Application Layer Protocol
  • Application Layer Protocol

 

 

About the Author

Daniel Frank

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher in F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.
