Threat Advisory

TargetCompany Ransomware Abuses FUD Obfuscator Packers

Threat: Ransomware
Criticality: High

Summary:

Researchers identified active campaign deployments that involve the use of the Remcos remote access trojan (RAT) in conjunction with the TargetCompany ransomware. A noteworthy discovery was the utilization of fully undetectable (FUD) packers in the binaries, which enhanced their concealment capabilities when compared to past samples. Through a combination of telemetry data and external threat hunting resources, researchers acquired preliminary instances of these developments while they were still under development. Notably, we encountered a recent case where this technique was employed against a distinct and targeted victim.

A recent instance of TargetCompany ransomware has been identified, utilizing a multi-stage approach for persistence and deployment. The attackers exploit vulnerable SQL servers to establish persistence, repeatedly modifying the URLs and paths they use until the Remcos RAT is successfully deployed. After initial attempts were thwarted, they turned to fully undetectable (FUD) packers, resembling BatCloak-style obfuscation, to enhance stealthiness. Notably, this variant incorporates Metasploit (Meterpreter) for various actions such as querying and adding local accounts and deploying tools such as GMER, IObit Unlocker, and PowerTool, followed by the deployment of the Remcos RAT and TargetCompany ransomware, both wrapped in FUD packers.

Execution Flow

This campaign's unique loader strategy involves a CMDFile-based approach, differing subtly between malware families. While AsyncRAT, Remcos, and TargetCompany use the batch file technique, distinctions arise during execution and binary loading. Notably, Remcos and TargetCompany's loaders, although functional on both 32-bit and 64-bit systems, exhibit a bias toward 64-bit environments due to PowerShell's hard-coded path. Analysis reveals that the new TargetCompany variant is tied to a specific ransomware family version, connected to a command-and-control server with a distinct landing page. By identifying patterns in PowerShell-related network connections, samples of Remcos RAT were located, showing a correlation between Remcos executions and subsequent TargetCompany ransomware attacks.
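The chain described above (a batch file launching PowerShell by its absolute path, followed by local-account changes or the defence-tampering tools named earlier) can be correlated per host from process-creation telemetry. The following is an added detection example, not code from this advisory or from the Trend Micro report; the Sysmon-style event layout, the sample events, and the tool executable names are assumptions.

```python
import re

# Constructed sample events: (host, parent_command_line, image, command_line).
# Field layout is assumed; values are made up for this example, not observed IoCs.
EVENTS = [
    ("srv01", r'cmd.exe /c "C:\ProgramData\up.bat"',
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -ep bypass -File C:\ProgramData\s.ps1"),
    ("srv01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
     r"net user svc_backup P@ss /add"),
    ("srv01", r"C:\Temp\m.exe", r"C:\Temp\PowerTool.exe", r"C:\Temp\PowerTool.exe"),
    # Benign admin host: a scheduled batch job runs PowerShell and nothing suspicious follows.
    ("ws02", r'cmd.exe /c "C:\Scripts\inventory.bat"',
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\inv.ps1"),
]

# Batch file (.bat/.cmd) run through cmd.exe as the parent of the event.
BATCH_PARENT = re.compile(r"cmd(\.exe)?\s+/[ck]\s+.*\.(bat|cmd)\b", re.I)
# PowerShell invoked by a hard-coded absolute path rather than via PATH lookup.
PS_ABS_PATH = re.compile(r"^[a-z]:\\.*\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
# Local account or group membership added with net/net1.
ACCOUNT_CHANGE = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)
# Assumed image-name tokens for the tools the advisory lists (GMER, IObit Unlocker, PowerTool).
EVASION_TOOLS = ("gmer", "iobitunlocker", "powertool")


def classify(event):
    """Return the stage an event belongs to, or None if it is not of interest."""
    _host, parent, image, cmdline = event
    if BATCH_PARENT.search(parent) and PS_ABS_PATH.match(image):
        return "batch_loader_powershell"
    if ACCOUNT_CHANGE.search(cmdline):
        return "local_account_added"
    if any(tok in image.lower() for tok in EVASION_TOOLS):
        return "evasion_tool"
    return None


def stages_by_host(events):
    """Collect the set of matched stages per host."""
    stages = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            stages.setdefault(ev[0], set()).add(stage)
    return stages


def flagged_hosts(events):
    """Flag a host only when the loader stage is joined by a later stage;
    a lone batch-launched PowerShell is too common to alert on by itself."""
    return {h for h, s in stages_by_host(events).items()
            if "batch_loader_powershell" in s and len(s) > 1}


if __name__ == "__main__":
    print(flagged_hosts(EVENTS))  # {'srv01'}
```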

The use of FUD packers poses a challenge for security solutions, demanding vigilant early detection and monitoring. While attackers continually innovate, security measures such as AI-based file checks, behavior monitoring, network blocking practices, and ransomware detection play crucial roles in mitigating these evolving threats. Organizations are advised to fortify their defenses, raise user awareness, and establish redundant security measures to counter intrusion attempts and malicious activities effectively.

Threat Profile:

References:

The following reports contain further technical details:

https://www.trendmicro.com/en_us/research/23/h/targetcompany-ransomware-abuses-fud-obfuscator-packers.html
