FortiGuard Labs has found an active and widespread attack campaign that distributes a malware it dubs “RedInk”, using the RegAsm.exe LOLBIN for execution and sandbox Evasion. The attack is carried out in three stages, in which the final stage, acting as both Remote Access Trojan (RAT) and botnet component, is installed on the victim’s machine. What is this Significant?This is significant because FortiGuard Labs observed widespread distribution of Redlnk malware in an ongoing campaign. The final payload observed is a Remote Access Trojan (RAT) that enables a remote attacker to take control of the victim’s machine.How Widespread is the Campaign?We have observed more than 3,600 unique samples of the first stage, with new samples being constantly served to evade detection from security solutions. FortiGuard Labs observed Redlnk malware distributed to Canada, Australia, the UK, and Japan. How does the Attack Work?While the initial infection vector has not been found, FortiGuard Labs observed the first stage malware were downloaded from the internet.The campaign’s first stage is a 6 KB small .NET loader, manipulated to be able to run properly only using Regasm.exe. Some of the samples of the first stage found (from 3600 in total) hide part of the crucial malicious logic inside the metadata of the file: By using this way, the base64 encoded data isn’t part of the .NET strings of the file and enables the attacker to partially evade detection.The aforementioned samples are compiling the following code at runtime (decoded from the “AssemblyDescription” base64) in order to download the next payload: The next stage we observed, called “loader.dll” by the attackers, is mainly used to kill the previous stage and load the next stage, encrypted, using a randomly generated AES key, from the server. The third stage, called “client.core” is a fully fledged malicious toolkit, functioning as both RAT and botnet component, able to install VNC on the victim to enable remote control of the computer by the attacker. Why Can only Regasm.exe Run the Redlnk Malware?RedInk doesn’t have a standard DLL entry point, but rather a “ComUnregisterFunction”, which rundll does not call, but RegAsm (T1218.009) does. This technique is useful both for sandbox evasion (T1497) and to bypass application control (UAC – T1548.002). What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the malware samples used in the campaign:• MSIL/Cerbu.CA89!tr• MSIL/Dropper.E5B0!tr• MSIL/GenericKDZ.5CA8!tr• MSIL/Tedy.1448!tr• W32/Dloader.X!tr• W32/PossibleThreat• MSIL/Asbit.C!trAll network IOCs associated with this attack are blocked by the WebFiltering client.FortiEDR blocks the first stage of RedInk upon the initiation of a network connection: FortiEDR Threat Hunting customers can additionally query for it using the following query:Source.Process.Name:Regasm.exe AND Source.Process.CommandLine:*.txt*
More Stories
openjpeg2-2.5.3-1.fc40
FEDORA-2024-272544ceb9 Packages in this update: openjpeg2-2.5.3-1.fc40 Update description: Update to openjpeg-2.5.3 Fix 2 heap-buffer-overflow Read More
libxml2-2.12.9-1.fc40
FEDORA-2024-9f3765a04b Packages in this update: libxml2-2.12.9-1.fc40 Update description: Update to 2.12.9 Fixes CVE-2024-40896 Read More
libxml2-2.12.9-1.fc41
FEDORA-2024-867a14de12 Packages in this update: libxml2-2.12.9-1.fc41 Update description: Update to 2.12.9 Fixes CVE-2024-40896. Read More
iwd-3.3-1.fc40 libell-0.71-1.fc40
FEDORA-2024-0fa283c43a Packages in this update: iwd-3.3-1.fc40 libell-0.71-1.fc40 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
iwd-3.3-1.fc41 libell-0.71-1.fc41
FEDORA-2024-256818da09 Packages in this update: iwd-3.3-1.fc41 libell-0.71-1.fc41 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
A vulnerability has been discovered in Apache Struts2, which could allow for remote code execution. Apache Struts2 is an open-source...