GoTo Meeting loads RAT via Shellcode Loader

216.73.216.6

GoTo Meeting loads RAT via Shellcode Loader

· Published 13/05/2024 09:47 · Modified 13/05/2024 10:00

Essential information

Published: 13/05/2024 09:47
Modified: 13/05/2024 10:00
Tags: 2024-05-08 2024-05-09 2024-05-10 2024-05-13 dll sideloading rat remcos rust shellcode
Related entities: 17 observables, 10 techniques (mitre), 1 malware

Description

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It employs techniques such as LNK file execution chains, DLL sideloading, and Rust-written shellcode loaders to decrypt and execute the Remcos RAT payload. The campaign targets various groups, including those interested in pornographic content, software installations, and tax-related documents.

External references

https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos
https://otx.alienvault.com/pulse/6641e1c7247ccb73e77646bb