SOC Prime Bias: Medium

20 Jan 2026 20:10

Remcos RAT Targets Korean Users in Ongoing Distribution Campaign

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

AhnLab’s Security Intelligence Center reported ongoing distribution of the Remcos remote access trojan targeting users in South Korea. The payload is presented as legitimate VeraCrypt installers or as utilities promoted by illegal gambling sites, with delivery occurring through standard web browsing and Telegram channels. The infection flow is staged: a sequence of VBS and PowerShell scripts retrieves, drops, and launches components that culminate in Remcos execution. In the final step, the RAT is loaded and injected into AddInProcess32.exe, helping the activity blend into normal-looking process behavior.

Investigation

Analysts identified multiple malicious filenames associated with the campaign and confirmed that VBS dropper scripts are written and executed from the TEMP directory as part of the early-stage chain. The researchers also observed a .NET-based injector that leverages Discord webhooks for attacker communications. Configuration artifacts include mutex names and encrypted settings used to control runtime behavior. For collection, Remcos stores captured keystrokes under %ALLUSERSPROFILE%\remcos. Network telemetry highlighted three TLS endpoints tied to the operation, supporting scoping and blocking efforts.

Mitigation

Reduce exposure by blocking or tightly restricting execution of untrusted VBS and PowerShell—especially from user-writable locations—and by enforcing application control policies for scripting engines. Monitor for the campaign’s known filenames and hashes, and prioritize alerting for script-driven execution chains that transition into injector behavior. At the network layer, restrict outbound TLS connectivity to the identified IP addresses and add detections for suspicious beaconing patterns. On endpoints, watch for creation of the referenced mutexes and for code-injection activity targeting AddInProcess32.exe.
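The endpoint checks called for above (VBS run from %TEMP%, PowerShell spawned by a script host, code injection into AddInProcess32.exe, TLS egress from that process) as an added hunting sketch that is not part of the AhnLab report or SOC Prime's rule content. It runs over constructed Sysmon-style records; every path, IP and command line is invented sample data, and the field names follow Sysmon's ProcessCreate, ProcessAccess and NetworkConnect events.

```python
import re
# Constructed Sysmon-style records (EventID 1 = ProcessCreate, 3 = NetworkConnect,
# 10 = ProcessAccess). Every path, IP and command line here is invented sample data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\u\Downloads\Programs\usercon.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\stage1.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\inj.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_VBS = re.compile(r"\\temp\\[^\"']*\.vbs\b", re.IGNORECASE)
# PROCESS_VM_WRITE (0x20) or PROCESS_CREATE_THREAD (0x02) in the granted access mask
INJECT_MASK = 0x20 | 0x02
def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the campaign-specific tags an event matches (empty list if benign)."""
    tags, eid = [], ev.get("EventID")
    if eid == 1:
        image, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
        if image in SCRIPT_HOSTS and TEMP_VBS.search(ev.get("CommandLine", "")):
            tags.append("vbs_from_temp")                # VBS dropper run from %TEMP%
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            tags.append("powershell_from_script_host")  # VBS -> PowerShell stage
    elif eid == 10 and base(ev.get("TargetImage", "")) == "addinprocess32.exe":
        if int(ev.get("GrantedAccess", "0"), 16) & INJECT_MASK:
            tags.append("injection_into_addinprocess32")
    elif eid == 3 and base(ev.get("Image", "")) == "addinprocess32.exe":
        if ev.get("DestinationPort") == 443:
            tags.append("addinprocess32_tls_egress")
    return tags

def hunt(events):
    """Map event index -> tags for every event that matched at least one tag."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}

def script_to_injector_chain(events):
    """True when a script-stage hit and an injection hit both appear: the chain to prioritise."""
    seen = {tag for tags in hunt(events).values() for tag in tags}
    return bool(seen & {"vbs_from_temp", "powershell_from_script_host"}) and "injection_into_addinprocess32" in seen
```

In production the same logic would be fed from a SIEM query rather than an inline list; the tag names are only a convenience for correlating the stages.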

Response

If indicators are detected, immediately isolate the affected host, capture volatile evidence (including running processes and network connections), and preserve relevant artifacts for analysis. Perform focused forensics on the TEMP directory and %ALLUSERSPROFILE%\remcos to identify droppers, configuration data, and keylogging output. Remove malicious files, stop and remediate the injected AddInProcess32.exe process, and rotate potentially exposed credentials. Finally, update SIEM/EDR content with extracted IOCs and hunt across the environment for matching filenames, mutexes, and TLS destination indicators.

Attack Flow

graph TB
%% Class definitions
classDef action fill:#99ccff
classDef tool fill:#ffcc99
classDef malware fill:#ff9999
classDef process fill:#cccccc
%% Nodes
action_initial_access["<b>Action</b> – <b>T1204.002 User Execution</b>: Victims download malicious executables masquerading as VeraCrypt installers or gambling blocklist lookup tools."]
class action_initial_access action
tool_malicious_installer["<b>Tool</b> – <b>Name</b>: Fake VeraCrypt Installer<br/><b>Description</b>: Executable disguised to entice user execution."]
class tool_malicious_installer tool
action_execution_vbs["<b>Action</b> – <b>T1059.005 Visual Basic</b>: VBS scripts written to %TEMP% and executed."]
class action_execution_vbs action
tool_vbs_script["<b>Tool</b> – <b>Name</b>: VBS Script<br/><b>Location</b>: %TEMP%"]
class tool_vbs_script tool
action_execution_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b>: PowerShell downloader scripts retrieve additional payloads."]
class action_execution_powershell action
tool_ps_downloader["<b>Tool</b> – <b>Name</b>: PowerShell Downloader<br/><b>Function</b>: Retrieves payloads from remote server."]
class tool_ps_downloader tool
action_obfuscation["<b>Action</b> – Obfuscation Techniques: Base64 encoding, junk code, polymorphic sections, dynamic API resolution (T1027.008, T1027.014, T1027.016, T1027.007)."]
class action_obfuscation action
action_defense_evasion["<b>Action</b> – <b>T1055 Process Injection</b>: .NET injector injects Remcos RAT into trusted process AddInProcess32.exe."]
class action_defense_evasion action
tool_dotnet_injector["<b>Tool</b> – <b>Name</b>: .NET Injector<br/><b>Purpose</b>: Injects malicious code into other processes."]
class tool_dotnet_injector tool
process_addinprocess["<b>Process</b> – <b>Name</b>: AddInProcess32.exe<br/><b>Legitimacy</b>: Trusted Microsoft Office process."]
class process_addinprocess process
malware_remcos["<b>Malware</b> – <b>Name</b>: Remcos RAT<br/><b>Capabilities</b>: Remote control, credential harvesting, keylogging, media capture."]
class malware_remcos malware
action_browser_cred["<b>Action</b> – <b>T1555.003 Credentials In Browsers</b>: Harvests saved browser credentials."]
class action_browser_cred action
action_keylogging["<b>Action</b> – <b>T1056.001 Keylogging</b>: Captures keystrokes."]
class action_keylogging action
action_collection["<b>Action</b> – Collection of user data via screen, audio, and video."]
class action_collection action
action_screenshot["<b>Action</b> – <b>T1113 Screen Capture</b>: Captures screenshots."]
class action_screenshot action
action_audio["<b>Action</b> – <b>T1123 Audio Capture</b>: Records microphone audio."]
class action_audio action
action_video["<b>Action</b> – <b>T1125 Video Capture</b>: Captures webcam video."]
class action_video action
action_c2["<b>Action</b> – <b>T1071.001 Web Protocols</b>: TLS web communication and Discord webhook usage."]
class action_c2 action
tool_discord_webhook["<b>Tool</b> – <b>Name</b>: Discord Webhook<br/><b>Use</b>: Logging and exfiltration channel."]
class tool_discord_webhook tool
action_exfiltration["<b>Action</b> – <b>T1567.004 Exfiltration Over Web Services</b>: Data sent to attacker via Discord webhook."]
class action_exfiltration action
%% Connections
action_initial_access -->|uses| tool_malicious_installer
tool_malicious_installer -->|delivers| action_execution_vbs
action_execution_vbs -->|writes_and_executes| tool_vbs_script
action_execution_vbs -->|triggers| action_execution_powershell
tool_ps_downloader -->|downloads_payloads| action_obfuscation
action_obfuscation -->|enables| action_defense_evasion
action_defense_evasion -->|injects| tool_dotnet_injector
tool_dotnet_injector -->|targets| process_addinprocess
process_addinprocess -->|hosts| malware_remcos
malware_remcos -->|harvests| action_browser_cred
malware_remcos -->|records| action_keylogging
malware_remcos -->|captures| action_collection
action_collection -->|screenshots| action_screenshot
action_collection -->|audio| action_audio
action_collection -->|video| action_video
malware_remcos -->|communicates| action_c2
action_c2 -->|uses| tool_discord_webhook
action_c2 -->|sends_data| action_exfiltration
action_exfiltration -->|via| tool_discord_webhook

Detections

Call Suspicious .NET Methods from Powershell (via powershell)

SOC Prime Team
20 Jan 2026

Possible Remcos RAT Patterns (via registry_event)

SOC Prime Team
19 Jan 2026

Suspicious Powershell Strings (via cmdline)

SOC Prime Team
20 Jan 2026

Image File Was Created By Suspicious Process (via file_event)

SOC Prime Team
19 Jan 2026

Possible Abuse Discord as a C2 Channel (via proxy)

SOC Prime Team
19 Jan 2026

Suspicious Extracted Files from an Archive (via file_event)

SOC Prime Team
19 Jan 2026

Suspicious Powershell Strings (via powershell)

SOC Prime Team
20 Jan 2026

Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)

SOC Prime Team
20 Jan 2026

Probable Use of Windows Hacktools [Part3] (via file_event)

SOC Prime Team
19 Jan 2026

Unusual Top Level Domain In Commandline (via cmdline)

SOC Prime Team
19 Jan 2026

Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)

SOC Prime Team
19 Jan 2026

Suspicious Process Utilizes a URL in the Command Line (via cmdline)

SOC Prime Team
19 Jan 2026

IOCs (HashMd5) to detect: Remcos RAT Being Distributed to Korean Users

SOC Prime AI Rules
19 Jan 2026

IOCs (DestinationIP) to detect: Remcos RAT Being Distributed to Korean Users

SOC Prime AI Rules
19 Jan 2026

IOCs (SourceIP) to detect: Remcos RAT Being Distributed to Korean Users

SOC Prime AI Rules
19 Jan 2026

Remcos RAT Distribution via Masquerade as Blocklist Lookup Tool [Windows File Event]

SOC Prime AI Rules
19 Jan 2026

Remcos RAT C&C Server Communication Detection [Windows Network Connection]

SOC Prime AI Rules
19 Jan 2026

Remcos RAT Injection into AddInProcess32.exe [Windows Process Creation]

SOC Prime AI Rules
19 Jan 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Attack Narrative & Commands

  1. Ingress (T1105): The attacker hosts a malicious usercon.exe (Remcos RAT) on a C2 server, disguised as a “blocklist‑lookup” utility.
  2. Download: The victim clicks a link and the file is saved to %USERPROFILE%\Downloads\Programs\usercon.exe.
  3. Execution (T1059): The attacker uses a PowerShell one‑liner to silently launch the payload from the download path, so no further user interaction is needed.
  4. Post‑execution: The RAT establishes outbound C2 over HTTP (T1071) and creates persistence via a registry autorun entry (T1547) – these later stages are outside the scope of the current rule but illustrate the full kill‑chain.

Regression Test Script

# ---------------------------------------------------------
# Remcos RAT simulation – triggers the Sigma rule
# ---------------------------------------------------------

# 1. Define the malicious payload path (matches rule)
$maliciousPath = "$env:USERPROFILE\Downloads\Programs\usercon.exe"

# Make sure Downloads\Programs exists before writing into it
New-Item -ItemType Directory -Path (Split-Path $maliciousPath) -Force | Out-Null

# 2. Create a dummy executable payload (PE header only – safe for testing)
[Byte[]]$stub = @(0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
# WriteAllBytes works in both Windows PowerShell 5.1 and PowerShell 7
# (Set-Content -Encoding Byte is not accepted by PowerShell 7)
[System.IO.File]::WriteAllBytes($maliciousPath, $stub)

# 3. Execute the payload silently (simulating attacker’s command‑line launch)
# A header-only stub is not a valid Win32 image, so the launch itself is expected
# to fail; the file-creation telemetry the rule keys on has already been emitted.
try {
    Start-Process -FilePath $maliciousPath -WindowStyle Hidden -PassThru -ErrorAction Stop
} catch {
    Write-Host "Launch of stub failed as expected: $($_.Exception.Message)"
}

# 4. Optional: emit a fake network connection to illustrate later stages
# (not required for triggering the Sigma rule)
# Invoke-WebRequest -Uri "http://malicious.c2.example.com/ping" -UseBasicParsing

Write-Host "Simulation executed – check SIEM for rule trigger."

Cleanup Commands

# ---------------------------------------------------------
# Remove artifacts produced by the simulation
# ---------------------------------------------------------
$maliciousPath = "$env:USERPROFILE\Downloads\Programs\usercon.exe"
if (Test-Path $maliciousPath) {
    Remove-Item -Path $maliciousPath -Force
    Write-Host "Removed $maliciousPath"
} else {
    Write-Host "No artifact found at $maliciousPath"
}