SBA Spoofed in COVID-19 Spam to Deliver Remcos RAT

April 27, 2020
| |
5 min read

Between late March and mid-April 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) uncovered a phishing campaign targeting small businesses that appears to originate from the U.S. Government Small Business Administration (SBA.gov). The emails, which contain subjects and attachments related to the need for small businesses to apply for disaster relief loans or provide application status following the impact of the ongoing COVID-19 pandemic, ultimately deliver malware to those who open the attachments. These emails may coincide with a notification from the SBA regarding some small business loan applicants who potentially had their personally identifiable information (PII) exposed, possibly being used by cybercriminals to compose target lists.

On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The U.S. SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid.

Booby-Trapped Emails Deliver Concealed Payloads

The SBA-spoofing spam activity we analyzed includes several emails sent from late March to mid-April 2020. All emails contained multi-stage execution, starting with the GuLoader downloader to deliver the remote-access tool, Remcos RAT.

GuLoader is a malicious downloader that has been used extensively between 2019 and 2020 to deliver a variety of malware. Written in Visual Basic, this code’s main functionality is contained within encrypted shellcode that it decrypts and executes. In the cases we examined, the shellcode downloaded the encrypted payload from a hardcoded Google Drive URL and then decrypted and loaded it into a running instance of itself via process injection.

The downloaded binaries we examined are XOR decrypted using a hardcoded key extracted from the GuLoader. IRIS identified the downloaded binary as the credential-stealing malware Remcos RAT, version 2.5.0 Pro. In some of the GuLoader samples we analyzed, we found that the shellcode will download the encrypted payload from the URL hxxps[:]//cqjcc[.]org/builf2_encrypted_96DB6DF.bin, which is the same payload hosted on the Google Drive URLs.

A closer look at the Remcos RAT samples we found show that each binary stores its configuration as an RC4-encrypted resource named “SETTINGS”. The configuration can be extracted and decrypted using a script created by Cisco Talos. The Remcos RAT samples we decrypted contain several abilities, including the following:

  • File management
  • Keylogging
  • Screen grabbing
  • Command execution
  • C&C communication
  • Webcam and microphone access
  • Browser history and password scraping

Remcos RAT is a surveillance tool that poses as legitimate software and has previously been observed being used in global hacking campaigns. The access tool is described as a legal IT management software, but it has historically allowed malicious users to deliver malware discretely in order to surveil a targeted system.

Disaster Relief Email Samples Spoofing the SBA

The following sections give more specific information on the emails we found to be spoofing messages from the SBA, and the characteristics of the attachments they contained.

On March 23, 2020, an email was sent with the subject line, “Small Business Grant/Testing Centre Vouchers,” appearing to confirm that the status of an application was complete. The email instructs the recipient to sign and upload the attachment SBA_Disaster_Application_Confirmation_Document.img to the SBA website.

From the email sent on March 23, IRIS was able to find at least seven additional emails containing similar structure, subjects and lures. On April 2, 2020, two emails were sent to small businesses with the subject line “EXTERN: SBA Grant/Testing Centre Vouchers.” On April 6 and April 7, a total of three emails were sent to small businesses with the subject line “SBA Grant Application Status.”

Finally, an email was sent on April 16 with the subject line “SBA Grant/Testing Centre Vouchers.” All six emails contained the same content, confirming that the recipient’s submitted application was complete and instructing them to sign the attached, completed request for Transcript of Tax Return IRS form 4506-T. In addition, vouchers (disk image files) were also attached, with names such as:

  • SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.img
  • SBA_Disaster_Application_Confirmation_Documents_COV_Relief_docs.img
  • SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img.img


On April 15, 2020, an eighth email was sent to a small business with the subject line “SBA Payroll Protection Program Status” and a different disk image file, SBA_Payroll_Protection_Application_Documents_Prom_Note_Benefi.exe.img, attached. The contents of this email informed the recipient that documents for the Paycheck Protection Program needed to be downloaded, signed and uploaded to the SBA portal.

At first glance, the emails appear to be sent from the email [email protected], but they are written with poor grammar and spelling. Examination of one of the emails’ headers revealed the return path to be that of a legitimate company’s German domain, which was likely compromised to send out this type of spam.

Examining the email attachments, IRIS found that they are Universal Disk Format (UDF) image files containing the malicious executable files that ultimately deliver the credential-stealing Remcos RAT.

GuLoader in Disk Image Files

The facilitator that downloads the delivered Remcos RAT in the samples we analyzed is the downloader GuLoader. We found that the .img UDF files, when decompressed, are GuLoader executables. When the user double clicks on the UDF attachment, it is mounted and presented in explorer as if it were a CD or disk. The enclosed executable then uses a PDF icon, so the user thinks they’re opening a PDF, but it’s actually a GuLoader executable. All GuLoader samples that we analyzed are UDF filesystem version 1.5 with a drive name of either SBA_Gov_CD or ADOBE_CD, and were extracted with the following file names:

  • SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
  • SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.exe
  • SBA_Disaster_Application_Confirmation_Documents_COV_Relief_docs.exe
  • SBA_Payroll_Protection_Application_Documents_Prom_Note_Benefi.exe
  • SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe
  • SBA_Disaster_Application_Confirmationfdp.exe

The GuLoader files persist on infected devices by copying themselves to a sub-folder of the %USERPROFILE% directory. GuLoader will then generate a VB script file in the same folder with the functionality to execute the binary and then add this VBS file to the RunOnce registry key. For example, one of the analyzed GuLoader samples we saw copies itself to %USERPROFILE%\UNNAILEDFULF\Brystbenene6.exe. It then generated the VBS file C:\Users\[username]\UNNAILEDFULF\Brystbenene6.vbs, which contained the following code:

Set W = CreateObject(“WScript.Shell”)

Set C = W.Exec (“C:\Users\reuser\UNNAILEDFULF\Brystbenene6.exe”)

This VBS file is then added to the RunOnce registry key:

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

Key: “UNPRONOUNC”

Value: “%USERPROFILE%\UNNAILEDFULF\Brystbenene6.vbs”

Note that the file paths and registry key names differ per sample.

The secondary payload was a binary of the Remcos RAT, paid version 2.5.0 Pro.

Malicious COVID-19-Themed Activity Continues to Rise

X-Force IRIS is following the continually rising scale of malicious activity riding the COVID-19 pandemic trend. Our team maintains ongoing updates on the subject on X-Force Exchange and on TruSTAR.

As small businesses throughout the U.S. are impacted by the commercial effects of the ongoing COVID-19 pandemic, cybercriminals are trusting that people will be on the lookout for information regarding relief payments and more likely to open unsolicited emails purporting to come from relevant entities. The suspicious emails uncovered by X-Force are evidence of actors exploiting the reliance of individual users and small businesses on digital updates to obtain guidance on how to receive federal aid.

As the pandemic situation continues to unfold, it is highly likely that we will see additional malicious cyber actors conducting related campaigns, given the public’s interest in government relief and the large amount of federal funding allocated for relief during the COVID-19 crisis.

Indicators of Compromise (IoCs)

File name MD5 Hash Description
SBA_Disaster_Application_Confirmation_Documt.img  1a1ed019d2b44305d3d0628bce6fc8dd  Archive file
SBA_Disaster_Application_Confirmationfdp.exe  5d7092a0e791a8208b7d2d72e0d0c12f  GuLoader
SBA_DISA.EXE.zip  ff0d4536020c94ee4adadae8ce55c7c6  Archive file
SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe  43927d58e211d5a2d2670bf46b1d9884  GuLoader
SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.img  3819af4af055307bdd4a169e48bae137  Archive file
SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.exe  48639e1420ed32793e6e804a3ab997f9  GuLoader
SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img  b5ff054f25a5a2ab5ae7c51538cc5276  Archive file
SBA_Disaster_Application_Confirmation_Documents_COV_Relief_docs.img  b25c93f178dd40be32e692cd7c9d966b  Archive file
/Volumes/SBA_GOV_CD/SBA_Disaster_Application_Confirmation_Documents_COV_Relief_docs.exe  5abb9741684d85b3919fe43ade2b299a  GuLoader
SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.img  4c30e403fbb342a505aa157643d96fca  Archive file
SBA_Payroll_Protection_Application_Documents_Prom_Note_Benef.exe  5452d8a0d215ef0e43bd4e3cafc5d1d7  GuLoader
/Volumes/SBA_GOV_CD/SBA_Payroll_Protection_Application_Documents_Prom_Note_Benefi.exe  bedf99dbbdfe9ffd8be00e26b181308e  GuLoader
SBA_Payroll_Protection_Application_Documents_Prom_Note_Benefi.exe.img  0f73c307276f688efb6b3052b68423a9  Archive file
winmail.dat 76eabb4d8efe852d05f510cfd02f6b12
ddf991887033a2a5039d36e26f1830a6
Encrypted  Remcos
140b3165b07ed84360228163ca7c13f2
Decrypted Remcos
c7ca49decaf507c4042689c644ad19f0
Encrypted Remcos
4fc9db992ff1a4d7a15b04cc537713d1
Remcos RAT
140b3165b07ed84360228163ca7c13f2
Remcos RAT
  • hxxps://drive.google[.]com/uc?export=download&id=1x7h0eVnurp-FeOIEl3w3euC7Ns87ssSb
  • hxxps://drive.google[.]com/uc?export=download&id=17Ukn6_AqHto9_Z7OEVYUQKbL2HBeMMvX
  • https[:]//cqjcc[.]org/builf2_encrypted_96DB6DF.bin

IP Addresses

  • 23.105.131.161
  • 216.38.7.245
Melissa Frydrych
Threat Hunt Researcher, IBM

Melissa is an analyst on the Threat Hunt & Discovery Team within IBM X-Force IRIS. She has over 8 years of experience, investigating and analyzing cyber ...
read more

Think On Demand banner
Think banner ad
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00