GST Debit Note Phishing Delivers Remcos RAT via Multi-Stage Loader
Key Takeaways
- A new phishing campaign is targeting Indian users with emails disguised as official GST debit notes.
- The attack deploys the Remcos Remote Access Trojan (RAT) through a sophisticated multi-stage, memory-resident loader.
- The infection chain is highly evasive, executing almost entirely in memory to bypass traditional security defenses and leave minimal forensic traces.
- The threat actor’s infrastructure is also distributing other potent malware, including Agent Tesla, Formbook, and various keyloggers, indicating a “loader-as-a-service” model.
- The campaign is ongoing and poses a significant threat to individuals and businesses in India.
A sophisticated phishing campaign is actively targeting users in India, leveraging a deceptive tactic that camouflages potent malware as official Goods and Services Tax (GST) debit notes. This attack, meticulously analyzed by K7 Security Labs, delivers the formidable Remcos Remote Access Trojan (RAT) via a multi-stage loader engineered for maximum stealth and persistence. A particularly concerning aspect of this operation is its heavy reliance on in-memory execution, a technique that leaves minimal forensic evidence and renders detection exceptionally challenging for conventional security tools.
The Initial Infection Vector
The attack sequence begins with a phishing email carrying a malicious archive attachment. When the victim extracts the archive, it drops a file named “GST Debit Note Apr_26.com”. This file is a 32-bit .NET executable, heavily packed and unsigned. It contains Turkish-language artifacts and disguises itself as a brick-building game, running silently in the background so as not to arouse the user’s suspicion.
Analysts at K7 Security Labs identified this campaign during routine telemetry monitoring, noting an unusual detection linked to the suspicious file. Their subsequent research confirmed that the payload is a variant of the Remcos RAT family, delivered through this email phishing scheme. The researchers specifically highlighted that the entire infection process leverages in-memory execution, a technique that significantly complicates detection compared to malware that writes components to disk.
Multi-Stage, Memory-Resident Loader
The malware’s architecture is meticulously layered to evade detection. It employs steganography, embedding its subsequent stage components within resource sections of the initial executable. This is achieved by hiding payload data within a serialized .NET Bitmap object, a method that effectively obscures the malicious content and thwarts accurate static analysis.
The first component extracted is a DLL named Optimax.dll, which is loaded directly into memory without ever touching the disk. This DLL then triggers a second-stage loader, “System Optimizer Ultimate.dll,” which in turn delivers the final Remcos RAT payload, again entirely in memory. Remcos then employs process hollowing, injecting itself into a legitimate process, typically the victim’s default browser, to blend in with normal system activity and further evade detection.
Persistence, Data Theft, and Command-and-Control
Upon successful execution, Remcos RAT establishes a robust foothold on the compromised system. It creates a hidden copy of itself within the AppData Roaming folder under a randomized name and modifies a Run registry key to ensure automatic execution at every system login. The creation of a mutex named “Remcos_Mutex_Inj” during its operation serves as a clear indicator of the RAT’s active presence.
Before proceeding with its malicious activities, Remcos performs checks for sandbox and virtual machine environments. It then bypasses User Account Control (UAC) using eventviewer.exe. The RAT continuously monitors the active window, logs title changes, and tracks user idle time. Furthermore, it records audio and webcam feeds, steals stored credentials and cookies from popular browsers like Chrome and Firefox, and saves all collected data into a file named logs.dat.
This stolen information is then covertly exfiltrated to a remote command-and-control (C2) server located at 62.102.148.212. The specific filenames used in the payloads, referencing terms like “NEFT,” “RTGS,” “IMPS,” and “GST,” strongly indicate that this campaign is specifically tailored to target individuals and businesses within India.
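The persistence, logging and C2 behaviours described in the last three paragraphs can be turned into a simple host hunt. The following is an added example, not code from K7 Security Labs or from the article: it scans constructed, simplified EDR-style event records (plain dicts, not a real telemetry format) for the Run-key entry pointing into AppData\Roaming, the Remcos_Mutex_Inj mutex, writes to logs.dat, and connections to the C2 addresses listed in the indicator table.

```python
"""Added example (not from the article): hunt constructed EDR-style events
for the Remcos indicators described above. Event dicts are a simplified,
hypothetical shape chosen for this demonstration."""
import re

# C2 addresses as listed in the article's indicator table.
C2_IPS = {"62.102.148.212", "217.138.252.123", "146.70.244.90"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)


def classify(event):
    """Return the list of findings for one event (empty when nothing matches)."""
    findings = []
    kind = event.get("type")
    # Run-key value whose data points into AppData\Roaming (persistence step).
    if (kind == "registry_set" and RUN_KEY.search(event.get("target", ""))
            and ROAMING.search(event.get("details", ""))):
        findings.append("run-key persistence into AppData\\Roaming")
    if kind == "mutex" and event.get("name") == "Remcos_Mutex_Inj":
        findings.append("Remcos mutex created")
    if kind == "file_write" and event.get("path", "").lower().endswith("logs.dat"):
        findings.append("logs.dat collection file written")
    if kind == "network" and event.get("dst_ip") in C2_IPS:
        findings.append(f"connection to known Remcos C2 {event['dst_ip']}")
    return findings


def hunt(events):
    """Map event index -> findings, keeping only events that were flagged."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


# Constructed sample telemetry for the demonstration (not captured data).
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qzkfr",
     "details": r"C:\Users\alice\AppData\Roaming\qzkfr\qzkfr.exe"},
    {"type": "mutex", "name": "Remcos_Mutex_Inj"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\qzkfr\logs.dat"},
    {"type": "network", "dst_ip": "62.102.148.212", "dst_port": 37393},
    {"type": "network", "dst_ip": "93.184.216.34", "dst_port": 443},  # benign
    {"type": "registry_set",  # benign Run entry outside AppData\Roaming
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, "; ".join(found))
```

The Run-key check deliberately requires both the key path and a value under AppData\Roaming, so ordinary vendor autostart entries are not flagged.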
Further investigation by K7 Security Labs revealed that the same underlying infrastructure used for this Remcos campaign is also distributing a diverse array of other potent malware, including Agent Tesla, Phantom Stealer, Dark Cloud, RedLine Stealer, MassLogger variants, Formbook, XWorm, and Snake keyloggers. This suggests a “loader-as-a-service” model, where a consistent delivery mechanism is used to deploy varying final payloads. The broad scope of this operation underscores the serious and ongoing threat it poses to the region.
What You Should Do
- Exercise Extreme Caution with Emails: Treat all unexpected email attachments with suspicion, especially those claiming to be official documents like GST debit notes. Verify the sender’s identity through an alternative, trusted communication channel before opening any attachments.
- Keep Security Software Updated: Ensure your antivirus and anti-malware solutions are always running the latest definitions and are configured for real-time protection.
- Implement Email Filtering: Utilize robust email security solutions that can detect and block malicious attachments and phishing attempts before they reach end-users.
- Educate Users: Conduct regular cybersecurity awareness training to help employees recognize phishing attempts and understand the risks associated with opening unsolicited attachments.
- Monitor for In-Memory Threats: Deploy advanced endpoint detection and response (EDR) solutions capable of detecting and mitigating memory-resident malware and process hollowing techniques.
- Backup Data Regularly: Maintain frequent backups of critical data to minimize the impact of a potential malware infection.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| MD5 Hash | C2E25ABA8E2AD4CAFDD6C633B8CA0906 | Archive file |
| MD5 Hash | 897ABF678EDAD72998554EC18675092F | GST Debit Note Apr_26.com (initial dropper) |
| MD5 Hash | AFE085B7324D72673EEF749FF5F21A49 | Optimax.dll (first-stage loader) |
| MD5 Hash | F3626A38FCF488C9EED54BEB8C7C116F | System Optimizer Ultimate.dll (second-stage loader) |
| MD5 Hash | 4924369C0BDAF73B21EB992EB9DB4DEA | Remcos RAT payload |
| IP Address | 62.102.148.212:37393 | Remcos C2 server |
| IP Address | 217.138.252.123:42830 | Associated C2 infrastructure |
| IP Address | 146.70.244.90:37393 | Associated C2 infrastructure |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.