

Nowadays, malware typically goes through several stages before it fully compromises the targeted host or machine. The very well-known initial stager is the “phishing email” that contains malicious macro code or a malicious URL link that downloads either the actual loader or the next stager, which in turn downloads the actual payload. The most prevalent loaders seen in the wild are Windows scripting languages, JScript (.js) and VBScript (.vbs). These scripts are easy to obfuscate and encrypt in order to bypass detection and preventative controls, which is why many adversaries use this methodology. This particular sample makes the detection and analysis of the adversary behavior more challenging.

In this blog, Splunk Threat Research (STRT) will discuss a Remcos loader that utilizes DynamicWrapperX (dynwrapx.dll) to execute shellcode and inject the Remcos RAT into the target process. Finally, STRT covers the Splunk Security Content detections that identify the behaviors and TTPs of this DynamicWrapperX loader.

The VBScript

This Remcos sample loader starts with a simple VBScript that attempts to download a second VBScript from paste.ee. Below is the screenshot of the initial downloader script.

Main Remcos Loader

The script on paste.ee is the main loader of Remcos. The full VBScript loader may be found here. Paste.ee offers multiple options to automatically take down pasted code after periods ranging from hours up to a year. STRT has witnessed the script stay online for up to a few weeks between major campaign changes.

Detection Evasion
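As an added example (not code from the Splunk blog or from STRT's detection content), the following pass over constructed Sysmon-style events flags the two loader behaviors described above: a Windows script host (wscript.exe/cscript.exe) connecting to paste.ee to fetch the next stage, and a script host loading dynwrapx.dll. The event field names and the sample events are assumptions chosen for illustration.

```python
# Added example, not part of the original blog: minimal detection logic for
# the VBScript -> paste.ee -> DynamicWrapperX chain over constructed events.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PASTE_DOMAINS = {"paste.ee"}
DYNWRAPX = "dynwrapx.dll"


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding name for a suspicious event, or None for benign ones."""
    image = _basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None  # only script-host activity is of interest here
    kind = event.get("EventType")
    if kind == "NetworkConnect":
        host = event.get("DestinationHostname", "").lower()
        if host in PASTE_DOMAINS or any(host.endswith("." + d) for d in PASTE_DOMAINS):
            return "script_host_paste_download"
    if kind == "ImageLoad" and _basename(event.get("ImageLoaded", "")) == DYNWRAPX:
        return "script_host_loads_dynwrapx"
    return None


def scan(events):
    """Return (EventId, finding) pairs for every event that triggers a rule."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event["EventId"], finding))
    return findings


# Constructed sample telemetry (field names assumed), not real events.
SAMPLE_EVENTS = [
    {"EventId": 1, "EventType": "NetworkConnect", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "paste.ee"},
    {"EventId": 2, "EventType": "ImageLoad", "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Users\Public\dynwrapx.dll"},
    {"EventId": 3, "EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "paste.ee"},  # browser visiting paste.ee: not flagged
    {"EventId": 4, "EventType": "ImageLoad", "Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},  # normal engine load: not flagged
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

The two rules are deliberately narrow; in Splunk they would map to an Endpoint network-traffic search and an image-load search scoped to the script-host process names.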
