South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures
Use of UUEncoding (UUE) Files to Distribute Remcos RAT Malware
Researchers from AhnLab discovered that the threat actors behind the campaign use UUEncoding files with a .UUE extension. UUEncoding represents binary data as plain text, a format originally designed so that binaries could be attached to e-mail or Usenet messages. The malicious .UUE files attached to the phishing emails encode a VBS script. The threat actors appear to have chosen this file format and encoding technique in an attempt to bypass detection.
![AhnLab Remcos RAT UUEncoding (UUE) .UUE](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-1.webp)
![](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-2.webp)
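Because UUEncoding is a simple, well-documented text format, a mail gateway or analyst can decode a .UUE attachment and inspect what it really carries before a user ever opens it. The following is an added example written for this page, not code from AhnLab or from the article; it implements a small uudecoder on top of Python's standard `binascii` module and flags the two things a defender would check first: whether the declared file name has a script extension and whether the decoded payload contains Windows Script Host markers. The extension list, the marker strings and the sample attachment are constructed for the example (the file name `Invoice_order_new.vbs` is the one reported on the page); the sample script only echoes a string.

```python
import binascii
import re

# Constructed list: extensions a gateway would treat as directly executable
# when they turn up inside a .uue attachment (the campaign above used .vbs).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr"}

# Constructed heuristics: substrings typical of a Windows Script Host script.
VBS_MARKERS = (b"CreateObject(", b"WScript.", b"Scripting.FileSystemObject")

# "begin <octal mode> <file name>" opens a uuencoded block.
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")


def uudecode(text: str):
    """Decode the first uuencoded block in `text`.

    Returns (filename, mode, payload_bytes). Mail headers or body text before
    the 'begin' line are ignored, as they would be in a real attachment.
    Raises ValueError when the block is malformed (no begin/end, bad line).
    """
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if BEGIN_RE.match(ln)), None)
    if start is None:
        raise ValueError("no 'begin' line found")
    m = BEGIN_RE.match(lines[start])
    mode, filename = int(m.group(1), 8), m.group(2)
    chunks = []
    for ln in lines[start + 1:]:
        if ln == "end":
            return filename, mode, b"".join(chunks)
        if ln == "" or ln == "`":
            continue  # empty line / zero-length terminator before 'end'
        chunks.append(binascii.a2b_uu(ln))  # raises binascii.Error (a ValueError) on junk
    raise ValueError("no 'end' line found; truncated block")


def assess_uue(text: str) -> dict:
    """Decode an attachment and report the facts a triage rule would key on."""
    filename, mode, payload = uudecode(text)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return {
        "filename": filename,
        "mode": mode,
        "size": len(payload),
        "script_extension": ext in SCRIPT_EXTENSIONS,
        "vbs_markers": any(marker in payload for marker in VBS_MARKERS),
    }


def uuencode(filename: str, payload: bytes, mode: int = 0o644) -> str:
    """Encoder used only to build the constructed sample; 45 input bytes per line."""
    lines = [f"begin {mode:o} {filename}"]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


# Constructed sample attachment: a harmless script that merely echoes text,
# wrapped the way the lure described above wraps its VBS payload.
SAMPLE_VBS = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
              b'WScript.Echo "constructed benign sample"\r\n')
SAMPLE_UUE = "From: sender@example.invalid\n\n" + uuencode("Invoice_order_new.vbs", SAMPLE_VBS)

if __name__ == "__main__":
    report = assess_uue(SAMPLE_UUE)
    verdict = "SUSPICIOUS" if report["script_extension"] or report["vbs_markers"] else "clean"
    print(f"{report['filename']}: {report['size']} bytes, {verdict}")
```

Running the block prints `Invoice_order_new.vbs: 95 bytes, SUSPICIOUS`. The decoder deliberately searches for the `begin` line rather than assuming it is first, because a .uue file may arrive with mail headers or filler text in front of it, and it treats a missing `end` line as an error rather than silently accepting a truncated payload.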
Remcos RAT malware
The Remcos RAT collects system information from the infected host and stores keylogging data in the %AppData% directory. The malware then sends this data to its command-and-control (C&C) server, which is hosted on a DuckDNS domain.
![AhnLab Remcos RAT UUEncoding (UUE) .UUE 3](https://thecyberexpress.com/wp-content/uploads/AhnLab-Remcos-RAT-UUEncoding-UUE-.UUE-3.webp)
Indicators of compromise reported by AhnLab (MD5 hashes with file names):
- b066e5f4a0f2809924becfffa62ddd3b (Invoice_order_new.uue)
- 7e6ca4b3c4d1158f5e92f55fa9742601 (Invoice_order_new.vbs)
- fd14369743f0ccd3feaacca94d29a2b1 (Talehmmedes.txt)
- eaec85388bfaa2cffbfeae5a497124f0 (mtzDpHLetMLypaaA173.bin)
AhnLab detection names:
- Downloader/VBS.Agent (2024.05.17.01)
- Data/BIN.Encoded (2024.05.24.00)
C&C servers:
- frabyst44habvous1.duckdns[.]org:2980:0
- frabyst44habvous1.duckdns[.]org:2981:1
- frabyst44habvous2.duckdns[.]org:2980:0
- Refrain from opening emails from unknown sources.
- Refrain from running or enabling macro commands when opening downloaded attachments. Set programs to their highest macro security level, since lower levels may execute macro commands automatically without displaying any notification.
- Update anti-malware engines to their latest versions.
Breaking Down the New China-Linked Remote Access Trojan ValleyRAT Variant
ValleyRAT and the Intricate Attack Chain
![ValleyRAT infection chain](https://thecyberexpress.com/wp-content/uploads/ValleyRAT-infection-chain.webp)
Evolution of ValleyRAT
The latest variant of ValleyRAT brings significant enhancements. Refined device fingerprinting and a revamped bot ID generation process make the malware better at blending into its environment and evading detection, and newly introduced commands give threat actors greater control over infected systems. Mitigating ValleyRAT requires a multi-faceted approach: advanced threat detection mechanisms such as Zscaler Cloud Sandbox, combined with threat intelligence used to identify and block emerging threats. As ValleyRAT continues to evolve, so must defenses. With each iteration the threat becomes more complex, which calls for proactive measures to counter it effectively. By staying informed and using up-to-date security tooling, organizations can strengthen their defenses and mitigate the risks posed by ValleyRAT and similar threats.
A week in security (April 1 - April 7)
A list of topics we covered in the week of April 1 to April 7 of 2024
Last week on Malwarebytes Labs:
- 60% of small businesses are concerned about cybersecurity threats
- Cookie consent choices are just being ignored by some websites
- Bing ad for NordVPN leads to SecTopRAT
- Jackson County hit by ransomware, declares state of emergency
- Google patches critical vulnerability for Androids with Qualcomm chips
- Google Chrome gets "Device Bound Session Credentials" to stop cookie theft
- AT&T confirms 73 million people affected by data breach
- Trusted Advisor now available for Mac, iOS, and Android
- 2024 State of Malware in Education report: Top 6 cyberthreats facing K-12 and Higher Ed
- Free VPN apps turn Android phones into criminal proxies
Stay safe!