Malware distribution efforts that use HTML smuggling techniques and typo-squatted sites to deploy remote access trojans (RATs) are increasingly targeting African banks. Cybercriminals looking for fast cash are a constant source of concern for African banks, who have resorted to strict gateway security restrictions.
As a result, threat actors have had to devise more ingenious attacks to get beyond security measures, and in 2022, bank-targeting campaigns have been spotted employing various techniques. HP Wolf Security found one of the 2022 campaigns after researching the adversary’s tactics and infection procedures.
A phishing email is sent to a bank employee from a typo-squatted site that looks like the URL of a genuine organization, usually a competing bank. The email includes a link to the site’s details and a lucrative employment offer for the addressee. After clicking on that link, the victim is sent to a web page with application instructions.
The information on this page is taken directly from a genuine listing by the imitated bank, making the data look surprisingly legitimate. As these sites don’t engage in phishing or host malware, their main aim is to lead the user down the path of infection.
The payload is a base64-encoded ISO archive file decoded on the fly and offered for download through a JavaScript blob on the browser, which is an HTML attachment on the said email message. This method of slipping dangerous file types past email security programs without raising warnings is known as HTML smuggling, and it’s a well-known and popular payload distribution method.
A Visual Basic Script (VBS) file is included in the ISO package. When double-clicked, it creates a new Registry key and runs PowerShell instructions that access several Windows API methods. GuLoader is constructed on the system and executed to download and launch the RemcosRAT malware after a series of malicious code executions and Windows API exploitation.
According to HP’s security experts, GuLoader has two download URLs in its settings, one going to Dropbox and the other to OneDrive, so there’s some redundancy in place at this stage. It’s also worth noting that GuLoader operates on the system RAM and is executed via PowerShell placed in the registry so that most anti-virus software won’t notice it.
HP finds out that the only method to break the infection chain is to change the default application for script files from Windows Script Host to Notepad, which would disclose the VBS file’s true identity. Remcos is a genuine commercial remote access tool (RAT) that has been exploited for harmful purposes by hackers for numerous years.
It’s a sophisticated tool that allows running commands remotely, capturing screenshots, logging keystrokes, recording camera and microphone audio, and more. Threat actors might use Remcos to sniff transaction details, acquire necessary credentials, migrate laterally in the bank’s network, or steal data for BEC attacks.
Financial extortion through data exfiltration or ransomware deployment is also a possibility, and threat actors may always sell their network access to other hackers to earn quick cash without attracting the attention of law authorities.
