GoTo Meeting Loads Remcos RAT via Rust Shellcode Loader

There has been a notable rise in cyber threats that abuse legitimate software platforms to deliver malicious payloads. Among these threats is the Remcos RAT, a sophisticated remote access tool favored by cybercriminals. Attackers have leveraged trusted applications such as GoTo Meeting to deploy Remcos, using advanced techniques to evade detection and compromise systems. The actors rely on social engineering, distributing seemingly benign files such as software installers and tax-related documents in multiple languages to deceive unsuspecting users into executing the malicious payload.

One advanced technique is the LNK execution chain. A malicious shortcut file disguised as a harmless PDF triggers the execution of a modified GoTo Meeting executable named winsys[.]odt with an ".exe" extension appended (winsys[.]odt[.]exe). Although it appears legitimate, this file redirects execution flow to load a malicious Dynamic Link Library named g2m[.]dll. Written in Rust, the DLL relies on DLL sideloading and other evasion tactics to circumvent traditional security controls, and uses shellcode and encrypted payload data to deploy the Remcos RAT, giving the operators unauthorized remote access to the compromised system.

Security Officer Comments:

Furthermore, cybercriminals have implemented a JS infection chain to propagate the Remcos RAT. This chain starts with a JScript file that triggers a sequence of downloads ending in the execution of the LNK-based chain described above. The downloads typically fetch obfuscated PowerShell scripts and encrypted payloads from remote servers controlled by the threat actors, illustrating the intricacy of the attack vector.
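As an added illustration that is not part of the original brief, the Python below applies three detection rules derived from the two chains described above (the double-extension host binary and the g2m[.]dll sideload from the LNK chain, and a script host spawning PowerShell from the JS chain) to constructed Sysmon-shaped event records. The field names follow Sysmon, but every path, record number and signature value is made up, and the rules are the editor's, not the brief's.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-shaped records: EventID 1 = process create, 7 = image load.
# Document extension followed by .exe, as with winsys.odt.exe in the LNK chain.
DOUBLE_EXT = re.compile(r"\.(pdf|odt|doc|docx|xls|xlsx|txt)\.exe$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # JScript chain launchers
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Name the matching rule for one event, or None if it looks benign."""
    if ev.get("EventID") == 1:
        image, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
        if DOUBLE_EXT.search(image):
            return "lnk_chain:double_extension_exe"
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            return "js_chain:script_host_spawns_powershell"
    elif ev.get("EventID") == 7 and base(ev.get("ImageLoaded", "")) == "g2m.dll":
        loaded = ev["ImageLoaded"].lower()
        # A legitimate g2m.dll is signed and lives under Program Files; the
        # sideloaded copy is dropped next to the renamed host binary.
        if str(ev.get("Signed", "")).lower() != "true" or any(d in loaded for d in USER_WRITABLE):
            return "lnk_chain:g2m_dll_sideload"
    return None

def scan(events):
    """Return (RecordNumber, rule) for every event that matches a rule."""
    return [(ev["RecordNumber"], r) for ev in events if (r := classify(ev))]

# Constructed telemetry: one benign record followed by one record per chain stage.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordNumber": 2, "EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\winsys.odt.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordNumber": 3, "EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\winsys.odt.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\g2m.dll", "Signed": "false"},
    {"RecordNumber": 4, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for record, rule in scan(SAMPLE_EVENTS):
        print(record, rule)
```

Feeding real Sysmon events (for example exported as JSON) through `scan` gives the same three rule names; tune USER_WRITABLE and DOUBLE_EXT to the environment's own install paths and document types.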

Suggested Corrections:

  • Implement robust endpoint security solutions that include advanced threat detection and prevention mechanisms to identify and block malicious activities associated with RATs like Remcos.
  • Use reputable antivirus and anti-malware software that can detect and remove RAT payloads. Keep operating systems, applications, and security software up to date to address known vulnerabilities that threat actors often exploit.
  • Implement network segmentation to limit lateral movement within the network. This can help contain the spread of malware and prevent it from accessing critical assets.
  • Train employees to recognize social engineering tactics used by threat actors to trick them into executing malicious files.
  • Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with RAT command and control servers.
  • Implement behaviour-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
  • Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
  • Monitor network traffic for anomalous patterns, such as large data transfers to unfamiliar or suspicious IP addresses.
  • Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
  • Stay updated on the latest threat intelligence reports and indicators of compromise related to Remcos and similar RATs to proactively identify potential threats.
  • Maintain regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss due to malware infections.
  • Follow the principle of least privilege (PoLP) by restricting user permissions to only those required for their roles. This can limit the impact of malware that relies on elevated privileges.