{"id":7552,"date":"2022-03-08T11:21:03","date_gmt":"2022-03-08T19:21:03","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7552"},"modified":"2024-04-26T13:20:07","modified_gmt":"2024-04-26T20:20:07","slug":"ukraine-war-malspam-delivers-remcos","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/ukraine-war-malspam-delivers-remcos\/","title":{"rendered":"\u201cUkraine war\u201d Malspam Delivers Remcos"},"content":{"rendered":"

Author: Nick Sundvall<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 2 and 3 March, Infoblox observed a malspam campaign that used messages related to Russia\u2019s invasion of Ukraine. This malspam campaign was attempting to lure users into opening an attached .xlsx file that downloads the Remcos remote access trojan (RAT). Infoblox has previously reported on malspam campaigns distributing Remcos.1,2<\/sup><\/p>\n

We observed multiple Ukraine-related malspam campaigns within the first week after the invasion. Some of them distribute donation or cryptocurrency scams; others distribute malware, such as Remcos.<\/p>\n

2. Customer impact<\/h3>\n

A German company called Breaking Security has been offering Remcos since 2016.3<\/sup> One of the versions offered is free and has a limited number of features, and the other version is paid and starts at 58 Euros. Although Remcos is marketed as a legitimate remote administration tool, it is frequently abused by threat actors and used for malicious purposes.
\nBreaking Security actively maintains and updates Remcos, with the latest update released on 10 February. The capabilities of Remcos include remotely controlling infected computers, logging keystrokes, and taking screenshots.<\/p>\n

3. Campaign analysis<\/h3>\n

In this campaign, the threat actor(s) send messages with a variety of different subjects, including Re: Ukraine war || Order SUCT220002. The body section is always empty. The attached file is named SUCT220002.xlsx.<\/p>\n

4. Attack chain<\/h3>\n

When a user opens the attachment, the file exploits a vulnerability in Microsoft Office\u2019s Equation Editor, CVE-2017-11882. The exploit downloads and runs an executable, Oqifkf.exe, from http:\/\/136[.]144[.]41[.]109\/HRC.exe. This executable then downloads and executes the final payload, remcos.exe, from http:\/\/136[.]144[.]41[.]109\/file\/Oqifkf.png. From here, Remcos reaches out to newremc22.ddns[.]net, a legitimate Dynamic DNS (DDNS) service, to get the IP address of the command and control (C&C) server, 212[.]192[.]246[.]175.<\/p>\n

\"\"<\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

Infoblox strongly recommends that businesses consider the following security measures:<\/p>\n