
New Remcos RAT - the Remote Access Trojan

The Remote Access Trojan Remcos has features to evade detection.

Remcos RAT is malware that targets Windows systems and gives the attacker full control over the affected system. Remcos is delivered in stages and incorporates various obfuscation and anti-debugging techniques in order to evade detection. Regular feature updates by its creators make this malware a challenging adversary. Its additional services include a keylogger, a mass-mailer and a DynDNS service.

Non-Technical Summary

Remcos can be termed a dynamic and versatile threat. Imagine an efficiently run operation – competent, systematic and professional. Remcos is openly available, though the identity of its creators is untraceable. It also comes with regular updates.

It arrives mostly as a phishing email that infects the system. It follows the steps of a typical trojan – an innocent-looking file runs a malicious script that then downloads and installs the malware. It then cleans up the traces of these steps and uses its anti-debugging features to stay undetected by ordinary anti-virus software.

The infected system can then be controlled remotely by the attacker. What the attacker chooses to do is anybody’s guess.

About the Threat

Remcos was first observed in 2016 and has evolved ever since. Easily available on the dark web, it is updated roughly every month with fresh features.

Initially delivered through a phishing e-mail, it arrives as an MS Office file that prompts the user to enable macros when opened. Remcos then completes the infiltration using obfuscation and anti-debugging techniques, a distribution method common to known malware.

A sample XLS used for this analysis was delivered via a phishing e-mail. On opening the file, a malicious script executed. This obfuscated script then downloaded the next payload, which was also obfuscated and performs the following key activities:

Download another payload

Move this payload to a different location and rename it

Modify the registry so that the payload executes during Windows start-up

Once the system is compromised, Remcos gives the attacker complete remote control over the system, including recording keystrokes and capturing screenshots. It has the capability to exfiltrate information from the compromised system to the attacker’s servers.

SecneurX's Analysis of the Modus Operandi

Security Analysts at SecneurX studied the following artifact:

SHA256=c9c77d471528a6461fbedf53fd81e3971253c29be2aefb4925ef44e192c318b3

This is an XLS file containing malicious VBA macros. The following string was obfuscated and stored within it.

Obfuscated VBA macro string stored in XLS file

The infiltration and compromise followed several steps, each of which is explained below. Our dynamic analysis observed the following network communications:

hxxp://dreamwatchevent[.]com/wp-admins/Protected%20Client[.]js

hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg

Step 1

The malicious VBA macro in the XLS file downloads the payload from hxxp://dreamwatchevent[.]com/wp-admins/Protected%20Client[.]js and executes it.

The response contains the stage 1 payload, a script with an obfuscated URL.

Step 2

The stage 1 payload consists of two parts, each obfuscated by a different mechanism. The two parts have to be de-obfuscated separately and then merged to form the next-stage URL. The de-obfuscated payload is shown below:

De-obfuscated stage 1 payload showing embedded URL

This payload contains the URL (hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg) for stage two of the attack.

Step 3

The stage 1 payload also contains the following functions.

Once the URL from the previous step is obtained, the payload uses HTML objects to call into the shell with the following reference:

Function 1

Function 1 HTML object element used to call the shell

This string decodes to new:13709620-C279-11CE-A49E-444553540000, an HTML object element (the Shell.Application class identifier) used to call the shell.

Function 2

Function 2 registry key setup for persistence

This function sets up the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key so that each time the user logs into Windows, the downloaded payload is executed.

Function 3

Function 3 PowerShell string construction via variable reversal

In this function, the string "powershell" is constructed from variables and by reversing strings: String.fromCharCode(112) returns ‘p’, which is concatenated with "o", "we", "rsh" and "ell".
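As an added example (not code from SecneurX's analysis or from the sample itself), the following Python folds the three idioms described in Functions 1 to 3 (String.fromCharCode pieces, reversed fragments and literal concatenation) and then flags the shell CLSID and the Run key in the folded script. The JavaScript inside it is constructed to mirror the dropper described above, and its variable names are assumptions.

```python
import re

# Constructed sample modelled on the stage 1 dropper described above; it is
# not the real payload. "powershell" is built from String.fromCharCode and
# reversed fragments, the Shell.Application CLSID is reached via a "new:"
# moniker, and an HKCU Run key provides persistence.
SAMPLE_JS = r'''
var cmd = String.fromCharCode(112) + "o" + "ew".split("").reverse().join("")
          + "hsr".split("").reverse().join("") + "ell";
var sh = "new:13709620-C279-11CE-A49E-444553540000";
var key = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater";
'''

SHELL_CLSID = "13709620-C279-11CE-A49E-444553540000"  # Shell.Application
_CHARCODE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)')
_REVERSE = re.compile(r'"([^"\\]*)"\.split\(""\)\.reverse\(\)\.join\(""\)')
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
_RUN_KEY = re.compile(r'Microsoft\\+Windows\\+CurrentVersion\\+Run', re.I)

def fold_charcodes(js):
    # String.fromCharCode(112, 111) -> "po"
    return _CHARCODE.sub(lambda m: '"' + "".join(
        chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', js)

def fold_reversals(js):
    # "llehs".split("").reverse().join("") -> "shell"
    return _REVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', js)

def fold_concat(js):
    # "a" + "b" -> "ab" for adjacent string literals (one pass)
    return _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)

def deobfuscate(js):
    # Apply the three folds until the script stops changing
    prev = None
    while prev != js:
        prev, js = js, fold_concat(fold_reversals(fold_charcodes(js)))
    return js

def triage(js):
    # Flag the three behaviours from the analysis on the folded script
    clean = deobfuscate(js)
    return {
        "powershell": "powershell" in clean.lower(),
        "shell_clsid": SHELL_CLSID.lower() in clean.lower(),
        "run_key_persistence": bool(_RUN_KEY.search(clean)),
        "deobfuscated": clean,
    }
```

Real droppers also route fragments through intermediate variables, which this literal folder does not resolve; it is a triage aid for the specific idioms described here, not a general JavaScript de-obfuscator.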

Step 4

The URL hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg is contacted next. At the time of publishing this article, VirusTotal did not detect this payload as malicious.

The payload served from this URL contains an encoded EXE, identified as the Remcos RAT malware. The file was named notapad.exe and is packed with ConfuserEx.

Figure 1: Remcos RAT payload identified as notapad.exe

Malware Functionality

Security Analysts at SecneurX list some of the main functionalities of the trojan:

Executes each time Windows OS is launched

Total remote command and control of the infected system

Exfiltration of information from infected system

Obfuscation of several functions of the malware itself

Constantly evolving features and regular updates

Anti-debugging capability that evades detection

Ability to record keystrokes of the infected system

Ability to capture screenshots of the infected system

Mass-mailer capability to carry out distribution campaigns

DynDNS service with client-server connection

Capability of the attacker to use the infected system as part of a botnet

Figure 2: Malware process behaviour
