CTI Roundup: Windows HTML Malware, Remcos RAT, & Black Basta Ransomware

In this week’s roundup, CTI analyzes a sophisticated malware campaign that deploys malware using the Windows search functionality embedded within HTML code. Next, CTI looks into the Remcos RAT downloader, which is being distributed via compressed UUE files. Finally, CTI investigates whether a Black Basta ransomware operation exploited a Windows privilege escalation vulnerability.

1. Malware leverages Windows search functionality in HTML

A sophisticated malware campaign is leveraging the Windows search functionality within HTML code to deploy malware.

According to Trustwave, the actor behind the campaign appears to have a mature understanding of system vulnerabilities and user behaviors, enabling them to conduct a more advanced phishing campaign.

This campaign starts with a phishing email that includes an HTML attachment. The HTML file is enclosed within a ZIP archive to evade more traditional email security scanners.

Trustwave notes that this has been a low-volume campaign so far, with researchers observing only a few instances in the wild.

The HTML attachment

The HTML attachment appears simple at first but is crafted to launch a sophisticated attack.

When the victim opens the file, it will abuse standard web protocols to exploit Windows system functions. The code contains an attribute that instructs the browser to reload the page and redirect to a new URL. The code also contains a specified delay, which in most cases is set to zero so that the redirection occurs instantly.

The HTML also includes an anchor tag that serves as a fallback mechanism. If the refresh fails to execute, the user can still click on a link to manually invoke the rest of the chain.

Exploiting the search protocol

Once the HTML loads, the browser will typically prompt the user to allow the search action.

There are security measures to prevent unauthorized commands from executing certain harmful operations without the user’s consent. In this case, the redirection URL leverages the “search:” protocol, which allows an application to interact with Windows Explorer’s search function.

After the user clicks to allow the search action, the function will obtain multiple files from a remote server — only one of which will appear in the search results. This file is an LNK file that points to a batch script on the same server that triggers additional malicious operations. Researchers were not able to obtain this batch script.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This attack requires interaction from victims, which will hopefully limit its success. 

One thing to note about this attack is that it uses a delayed start of zero, meaning that the page will redirect immediately and not give the user much time to react. This attribute could be altered in the future for delayed redirections.

2. Remcos RAT spreads via UUE files

The Remcos RAT downloader is being distributed via UUE files that are compressed with Power Archiver. The malware, which continues to be delivered through phishing emails, is now attaching malicious UUE files to an invoice-themed lure.

About the UUE method

The actor is finding new ways to distribute a VBS script, now encoding the script with the UUE attachment.

UUE is short for Unix-to-Unix encoding and is used to share data between Unix systems. A typical UUE file will have a header, encoded data, and an end.

The threat actor uses UUE to bypass detection. An obfuscated VBS script is revealed once the actor’s file is decoded.

The downloader

The resulting VBS script saves a PowerShell script into the Temp directory and calls it “Talehmmedes.txt”

This script is executed and will reach out to download “Haartoppens.eft” and run an additional PowerShell script. This obfuscated PowerShell script is primarily used to load a shell code into the wab.exe process. The loaded shellcode establishes persistence by adding a registry and will ultimately execute Remcos RAT.

The Remcos RAT malware itself does not appear to have any major changes made to it. It continues to collect system information, saving it in the %Appdata& directory for exfiltration to its C2 server.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This actor seems to be putting more time and effort into looking for new delivery mechanisms than updating the actual malware.  

This approach is smart in that the actor may initially make it into the network undetected. However, with no changes made to the malware itself, it is more likely to be caught by defenders, especially those that have detections in place for known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). 

That said, this research is still interesting as it highlights UUE files as new delivery mechanisms.

3. Black Basta exploits a Windows privilege escalation vulnerability

Researchers believe that the Black Basta ransomware operation may have exploited a Windows privilege escalation vulnerability tracked as CVE-2024-26169.

This flaw, which has a high severity rating, was potentially exploited as a zero-day prior to a patch that was made available in Microsoft’s March patch Tuesday update.

What is CVE-2024-26169?

CVE-2024-26169 is an elevation of a privilege bug in the Windows Error Reporting Service. When an actor exploits this vulnerability, they can elevate their privileges to SYSTEM.

CVE-2024-26169 has a high CVSS score of 7.8, which indicates that the vulnerability is serious.

Exploitation

New research indicates that the Cardinal cybercrime group (also known as Storm-1811, UNC4393, and the operators of the Black Basta ransomware) may have exploited the Windows vulnerability.

The original reporting of the vulnerability stated there was no evidence of exploitation in the wild. However, analysis of an exploit tool used in recent attacks reveals that it could have been compiled prior to the patch, meaning the vulnerability could have been exploited as a zero-day.

Black Basta links

Symantec analyzed an exploit tool recently used in an attempted ransomware attack. While the attack was ultimately unsuccessful, researchers were able to link it to the Black Basta operation because of the TTPs used in the attack.

Exploit tool

According to Symantec, the exploit tool “takes advantage of the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys.”

The tool will create a registry key and set the “debugger” value to its own executable path name. By doing so, the exploit can execute a shell with administrative privileges.

The first variant of the tool in the attack has a compilation timestamp of February 27, 2024, several weeks before a patch was released. An additional variant of the tool was discovered on Virus Total with a compilation timestamp of December 18, 2023.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The Black Basta ransomware operation has been abusing legitimate Microsoft products in recent months, such as Quick Assist and Teams. Considering this, it makes sense that the actor may have attempted to exploit a zero-day in another Microsoft product prior to this activity. The exploit tool analyzed by Symantec was said to have been used in an unsuccessful attack, which we don’t see a lot of from this prolific group.  

Black Basta has historically pivoted TTPs rather quickly, making this failed attempt likely just one of many to come.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.