The Remote Access Trojan Remcos has features to evade detection.
Remcos RAT is malware that targets Windows systems and gives the attacker full control over the infected machine. Remcos is delivered in stages and incorporates various obfuscation and anti-debugging techniques in order to evade detection. Regular updates of its features by its creators make this malware a challenging adversary. Its additional services include a key-logger, a mass-mailer and a DynDNS service.
Non-Technical Summary
Remcos can be termed a dynamic and versatile threat. Imagine an efficiently run operation: competent, systematic and professional. Remcos is openly available, though its creators' identity is untraceable. It also receives regular updates.
It arrives mostly as a phishing email that infects the system. It follows the steps of a typical trojan: an innocent-looking file runs a malicious script, which then downloads and installs the malware. It then removes the traces of these steps and uses its anti-debugging features to stay undetected by ordinary anti-virus software.
The infected system can then be controlled remotely by the attacker. What the attacker chooses to do is anybody’s guess.
About the Threat
Remcos was first observed in 2016 and has evolved ever since. Available easily on the dark web, it is updated roughly every month with fresh features.
Initially downloaded through a phishing e-mail, it arrives in an MS Office file that prompts users to enable macros when opened. Remcos completes the infiltration using obfuscation and anti-debugging techniques; macro-laden Office documents are a common distribution method for known malware.
A sample XLS used for analysis was downloaded via a phishing e-mail. On opening this file, a malicious script was executed. This obfuscated script then downloaded the next attack payload. This payload was also obfuscated and performed the following key activities:
Download another payload
Move this payload to a different location and rename it
Modify the Windows registry so that the payload is executed during Windows start-up
Once the system is compromised, Remcos provides the attacker complete remote control over the system including recording keystrokes and capturing screenshots. It has the capability to exfiltrate information from the compromised system to the attacker’s servers.
SecneurX's Analysis of the Modus Operandi
Security Analysts at SecneurX studied the artifact below:
SHA256: c9c77d471528a6461fbedf53fd81e3971253c29be2aefb4925ef44e192c318b3
This is an XLS file containing malicious VBA macros. An obfuscated string was stored within it.
The infiltration and compromise followed several steps, each of which is explained below. Our dynamic analysis observed the following network communications:
hxxp://dreamwatchevent[.]com/wp-admins/Protected%20Client[.]js
hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg
Step 1
The malicious VBA macro in the XLS file downloads the payload from hxxp://dreamwatchevent[.]com/wp-admins/Protected%20Client[.]js and executes it.
The response contains the stage 1 payload, a script that carries an obfuscated URL.
Step 2
This stage 1 payload consists of two parts, each obfuscated by a different mechanism. The two parts have to be de-obfuscated separately and then merged to complete the next-stage URL. The de-obfuscated payload is shown below:
This payload contains the URL for stage two of the attack: hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg
Step 3
The stage 1 payload also contains the following functions.
Once the URL from the previous step is obtained, the payload uses an HTML object element to reach the shell via the following reference.
Function 1
This string decodes to new:13709620-C279-11CE-A49E-444553540000, a CLSID used in an HTML object element to call the shell.
Function 2
This function sets up a value under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key so that each time the user logs into Windows, the downloaded payload is executed.
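The Run-key write described above is one of the most reliable places to catch this stage on an endpoint. The script below is an added example (not SecneurX's tooling) that triages constructed Sysmon Event ID 13 (registry value set) records: it weights a Run-key write by whether the autorun command lives in a user-writable directory, whether it invokes a script host, and whether the process writing the key is itself a script host, which is what the JScript stage 1 payload would look like. The event fields, SIDs and paths are invented for the example.

```python
import re

# Sysmon Event ID 13 = RegistryEvent (Value Set). Sysmon records per-user hives as
# HKU\<SID>\..., which is the same location the write-up refers to as HKCU\...\Run.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+|AppData|Temp|ProgramData|Public)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|pwsh|mshta)(\.exe)?\b", re.I)

# A Run-key write from a user-writable path alone scores 2 and is common for
# legitimate per-user software, so the alert threshold sits above that.
ALERT_THRESHOLD = 3


def score_event(event):
    """Score one Sysmon registry event; returns (score, reasons)."""
    if event.get("EventID") != 13 or not RUN_KEY.search(event.get("TargetObject", "")):
        return 0, []
    details = event.get("Details", "")   # the autorun command that was written
    image = event.get("Image", "")       # the process that wrote the value
    reasons = ["value written under a Run key"]
    if USER_WRITABLE.search(details):
        reasons.append("autorun command lives in a user-writable directory")
    if SCRIPT_HOST.search(details):
        reasons.append("autorun command is a script host invocation")
    if SCRIPT_HOST.search(image):
        reasons.append("key written by a script host (%s)" % image.rsplit("\\", 1)[-1])
    return len(reasons), reasons


def triage(events):
    """Return (target, score, reasons) for every event at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            hits.append((event["TargetObject"], score, reasons))
    return hits


# Constructed sample events (not real telemetry): a benign per-user installer,
# a script-host persistence write like the one in the write-up, and an unrelated key.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\notapad",
     "Details": r'wscript.exe "C:\Users\alice\AppData\Roaming\notapad.js"'},
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for target, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {target}")
        for reason in reasons:
            print("   -", reason)
```

The OneDrive record scores 2 (Run key plus user-writable path) and stays below the threshold; the wscript.exe record collects all four signals. In production the same scoring can be expressed as a SIEM rule, with the user-writable-path signal kept as a weight rather than a trigger to avoid paging on every per-user installer.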
Function 3
In this function, the string "powershell" is assembled from variables and string reversal: String.fromCharCode(112) returns 'p', which is then concatenated with "o" + "we" + "rsh" + "ell".
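The building blocks described in Functions 1 and 3 (String.fromCharCode pieces, "+" concatenation and split/reverse/join) are simple enough that an analyst can recover the strings statically instead of running the script. The following Python is an added example, not SecneurX's code and not the actual stage 1 payload: it evaluates a constructed JScript fragment that imitates those patterns and flags recovered strings that name powershell or carry a CLSID. The sample script and variable names are invented; the CLSID shown on the page, 13709620-C279-11CE-A49E-444553540000, is the registered CLSID of the Shell.Application COM class.

```python
import json
import re

# The three obfuscation primitives the write-up describes.
FROMCHARCODE = re.compile(r"String\s*\.\s*fromCharCode\s*\(([\d\s,]*)\)")
REVERSE = re.compile(r'("(?:[^"\\]|\\.)*")\s*\.split\(""\)\.reverse\(\)\.join\(""\)')
ASSIGN = re.compile(r"^\s*var\s+(\w+)\s*=\s*(.+?)\s*;\s*$")
LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')       # double-quoted JS literal only
CLSID = re.compile(r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.I)

# CLSID from the write-up; Shell.Application is the COM class it identifies.
KNOWN_CLSIDS = {"13709620-C279-11CE-A49E-444553540000": "Shell.Application"}


def _fromcharcode(m):
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    return json.dumps("".join(chr(c) for c in codes))   # emit a plain literal


def _reverse(m):
    return json.dumps(json.loads(m.group(1))[::-1])


def split_concat(expr):
    """Split an expression on '+' outside double-quoted literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "+" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def recover_strings(script):
    """Statically evaluate 'var x = ...;' lines; returns {name: value}.
    Expressions using anything other than literals, known variables,
    String.fromCharCode and split/reverse/join are left unresolved."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.groups()
        expr = FROMCHARCODE.sub(_fromcharcode, expr)
        expr = REVERSE.sub(_reverse, expr)
        value = ""
        for part in split_concat(expr):
            if LITERAL.match(part):
                value += json.loads(part)
            elif part in env:
                value += env[part]
            else:
                value = None
                break
        if value is not None:
            env[name] = value
    return env


def flag_suspicious(env):
    """Return (name, value, reason) for recovered strings an analyst should look at."""
    hits = []
    for name, value in env.items():
        if "powershell" in value.lower():
            hits.append((name, value, "powershell invocation"))
        for clsid in CLSID.findall(value):
            label = KNOWN_CLSIDS.get(clsid.upper(), "unknown COM class")
            hits.append((name, value, f"CLSID {clsid.upper()} ({label})"))
    return hits


# Constructed sample imitating the patterns in the write-up (not the real payload).
SAMPLE = r'''
var p = String.fromCharCode(112);
var cmd = p + "o" + "we" + "rsh" + "ell";
var rev = "lmth.tcejbo".split("").reverse().join("");
var shell = "new:" + "13709620-C279-11CE-A49E-" + "444553540000";
var noise = Math.random();
'''

if __name__ == "__main__":
    for name, value, reason in flag_suspicious(recover_strings(SAMPLE)):
        print(f"{name} = {value!r}  <- {reason}")
```

The evaluator deliberately refuses anything it does not model (the Math.random() line is skipped rather than guessed), which keeps the output trustworthy; real samples usually need the literal list extended to single quotes and to whichever extra primitives the particular loader uses.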
Step 4
The URL hxxp://dreamwatchevent[.]com/wp-admins/Attack[.]jpg is contacted next. At the time of publishing this article, VirusTotal did not detect this payload as malicious.
The payload served from this URL contains an encoded EXE that has been identified as Remcos RAT. The file was named notapad.exe and is packed with ConfuserEx.
Figure 1: Remcos RAT
Malware Functionality
Security Analysts at SecneurX list some of the main functionalities of the trojan:
Executes each time Windows OS is launched
Total remote command and control of the infected system
Exfiltration of information from infected system
Obfuscation of several functions of the malware itself
Constantly evolving features and regular updates
Anti-debugging capability that evades detection
Ability to record keystrokes of the infected system
Ability to capture screenshots of the infected system
Mass-mailer capability to carry out distribution campaigns
DynDNS service with client-server connection
Capability of the attacker to use the infected system as part of a botnet
Figure 2: Malware process behaviour
Hashes
c9c77d471528a6461fbedf53fd81e3971253c29be2aefb4925ef44e192c318b3
d5b9d7ac9e73f8b71d646e1a39946090eb05d134972fc26f8505fa0fbd17f778
58051e38a39558b2225e10ef48627c03be2ac843e59652edd4840d2edbe32095
305a43e0140e3aa8bc5f5c6ea67ca9213aabbbb1fd12c9165d72d0647b2d42d3
1dc6a0e820be4607e68511265de54cefb0e1835ab911df52aa0a874701259dea
02dc792967a8f31f0563f59ee1d7ca279752419ef664f31e8b0804916014f63a
0e7d5f148b0a7dc1c58afcc60a29038bc8d85395ffd89ce5256b7574a03c21ba
1d2ee6d80babc57368a251a92e93779442578a1f4295c0e4d4a83553e15c72db
39bea3c640eef75ccd23e4f5f669c04cf5570d6fac94685affe4c2ef0580db17
3a37360930f0d13d19523597d36813f500afc518ab89c9076c6cc2386bedd44a
44281150205cf371664775e1279041506c6bdef8fcabcd0cd219c2939512c48b
669e52bc59829725c4c8eca34283a6bc93d179edbf72d2d9251192427d57719c
6e2eeee891aac7ca4db3ee3cbc70b345689207cc0ecca2e3d9603e4eb3d3fe56
6e5602c84c1898313dade2f539e202e410eca1c5f59d0a049388ed4d20653d63
6eb426d53d31bfa86c3011d46dd02df68908efe9583251d1f94b93e47042a99b
6f9a5576e3f8a1244d1221de62f6331b8853b6c24c08662b7b1504c05a462248
85428dfe088755303ada5b2bc68fec9e30690007f6fcf97a0a405f6401506160
9280208dedb5cd8796fd1c42b86140e5fa43e7805ecce70227e3beb096307731
94601bf983ebb960b5eb5c1dcfae49c198acb2acd9113d196c04f5f817c9cd7b
a242a806fcc255bf04b4304c48f95b775bcf7846a5ee129783767f5eb8189b55
b1cdfebf8f9faac84fdcbe3947aa8fd5c94ebcabda28ec2848c95e81102dc10e
c3cc088cf238fb3809c618d6f0be51c608eabb70deaf026e7f7480fff49afc77
cd6bdb9822f4eaeb1efab9abe6aae3fd6d5d8bb8d33e0623497da6be51b201d4
d202d889a60f7212c85bea62fc2461d93be6325708f490f1d3a5dff2ed4c0444
e8dd53259f76b18d14470a073f5326fab95d03e6ebc968dcec2d036114f6efc9
f191eff2f451ea68185408d49a73ce728cfde7134b50633326c5f94ae05e7303
f46f425fae2707841c01f354e154f09cf1f4e7ddfc04e3dcbf91308dd50fa1d8
f8d06c20dc2af83af29551f384bbde4e5380911d8db0f9e56ca549bb5995d413
fa4ac33a35542f887f49fc7649cc7bf200215682add4184c352a60537ea44bb8
Indicators of Compromise
dreamwatchevent [.]com
144[.]208[.]125[.]220
194[.]5[.]98[.]207
ajutorulcasei[.]ro
aventuramotorhome[.]com
broadtechnomat[.]in
fundhubusa[.]com
greenpayindia[.]com
herrdangwerder[.]de
kadsec[.]com
khmerosja[.]net
office-cleaner-commander[.]com
office-updates-index[.]com
treasuringchristonline[.]com
worldwidetechsecurity[.]com
www[.]aventuramotorhome[.]com
www[.]softdib[.]com[.]br
ja3_client=a85be79f7b569f1df5e6087b69deb493
ja3_server=eb1d94daa7e0344597e756a1fb6e7054
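Indicators in this form are most useful when they are matched against what the environment already logs. The following Python is an added example, not SecneurX's tooling: it refangs a subset of the indicators above (the page's own domains, IPs, JA3 client hash and the analysed file's SHA256), then scans a handful of constructed proxy, DNS, TLS and EDR log lines in a made-up "timestamp source key=value ..." format. Domains are matched with subdomain awareness, IPs and hashes exactly, JA3 exactly.

```python
# Indicators copied from the write-up in defanged form; refang() restores them.
DEFANGED_DOMAINS = [
    "dreamwatchevent [.]com", "ajutorulcasei[.]ro",
    "www[.]aventuramotorhome[.]com", "office-updates-index[.]com",
]
DEFANGED_IPS = ["144[.]208[.]125[.]220", "194[.]5[.]98[.]207"]
JA3_CLIENT = {"a85be79f7b569f1df5e6087b69deb493"}
SHA256 = {"c9c77d471528a6461fbedf53fd81e3971253c29be2aefb4925ef44e192c318b3"}


def refang(ioc):
    """Undo the '[.]' and stray-space defanging used in the write-up."""
    return ioc.replace("[.]", ".").replace(" ", "").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_matches(host):
    """True for the indicator itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def parse(line):
    """Parse the constructed 'timestamp source k=v k=v ...' log format."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[2:] if "=" in kv)
    fields["source"] = tokens[1]
    return fields


def match_line(line):
    """Return the (indicator_type, value) pairs a single log line matches."""
    f = parse(line)
    hits = []
    for key in ("host", "query", "sni"):           # proxy host, DNS query, TLS SNI
        if key in f and domain_matches(f[key]):
            hits.append(("domain", f[key]))
    dst = f.get("dst", "").rsplit(":", 1)[0]       # strip the port
    if dst in IPS:
        hits.append(("ip", dst))
    if f.get("ja3") in JA3_CLIENT:
        hits.append(("ja3", f["ja3"]))
    if f.get("sha256", "").lower() in SHA256:
        hits.append(("sha256", f["sha256"].lower()))
    return hits


def scan(lines):
    """Return (line, hits) for every line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed log lines (not real telemetry) exercising each indicator type.
SAMPLE_LOG = [
    "2023-01-01T00:00:01Z proxy host=dreamwatchevent.com uri=/wp-admins/Attack.jpg status=200",
    "2023-01-01T00:00:02Z dns query=mail.ajutorulcasei.ro type=A",
    "2023-01-01T00:00:03Z tls dst=144.208.125.220:443 ja3=a85be79f7b569f1df5e6087b69deb493",
    "2023-01-01T00:00:04Z proxy host=example.org uri=/index.html status=200",
    "2023-01-01T00:00:05Z edr sha256=C9C77D471528A6461FBEDF53FD81E3971253C29BE2AEFB4925EF44E192C318B3 name=invoice.xls",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(line.split()[1], hits)
```

Two caveats a practitioner would apply: the JA3 client hash fingerprints the TLS client stack, not the malware family, so it collides with legitimate software and should corroborate a domain or IP hit rather than alert on its own; and infrastructure indicators age quickly, so the domain and IP sets above need an expiry date attached when loaded into a production matcher.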