
Demystify Cyber
Remcos RAT
Updated: Mar 23
BLUF
First seen in 2016 delivered in malicious emails, Remcos is a remote access trojan (RAT). Remcos has wide-ranging functions such as monitoring and recording the audio and video of an infected machine, dropping a keylogger, stealing account credentials, stealing data files, and downloading extra malware payloads. The sample Demystify Cyber analysed was in a zip/archive file attachment in an email with the subject ‘Appraisal report for your loan application’. We have seen a similar Remcos RAT campaign earlier this year in emails with the subject ‘Remittance Advice’.
Recommendations
Be cautious opening unsolicited emails and do not click on included links or open included attachments
Do not extract/unzip archive files attached to emails of which you cannot verify the veracity
Do not enable macros in email attachments
Consider gateway filtering on known subject lines used in the campaigns where appropriate
Consider blocking the known C2 URL
Use a reputable and up to date anti-virus solution
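One way to apply the subject-line and attachment recommendations above at a mail gateway, as an added example that is not code from Demystify Cyber: a Python triage function built on the standard library's email parser. The two subject lines are the ones quoted in this post; the archive and macro-enabled extension lists, the quarantine rule and the constructed sample message are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines this write-up reports for the Remcos campaigns (normalised to lower case).
KNOWN_SUBJECTS = {
    "appraisal report for your loan application",
    "remittance advice",
}
# Assumed lists: archive types and macro-enabled Office formats the recommendations warn about.
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img", ".gz")
MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def triage_email(raw: bytes) -> dict:
    """Return which gateway rules a raw RFC 822 message trips.

    Rules mirror the recommendations: a known campaign subject, an archive
    attachment, or a macro-enabled Office attachment. 'quarantine' is set only
    when a known subject arrives together with one of those attachments.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip().lower()
    findings = {"known_subject": subject in KNOWN_SUBJECTS,
                "archive_attachment": [], "macro_attachment": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            findings["archive_attachment"].append(name)
        if name.endswith(MACRO_EXTS):
            findings["macro_attachment"].append(name)
    findings["quarantine"] = findings["known_subject"] and bool(
        findings["archive_attachment"] or findings["macro_attachment"])
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message: a one-line body plus one named attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Please find the attached document.")
    # Payload bytes are a constructed stand-in, not a real archive.
    m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage_email(build_sample("Appraisal report for your loan application", "report.zip")))
```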
MITRE ATT&CK framework
1. Initial execution
T1106: Native API – dynamically resolves API calls at runtime; code function 10_2_0066D072 repeatedly calls LoadLibraryA, GetModuleHandleA and GetProcAddress
T1059: Command and Scripting Interpreter – launches cmd[.]exe
T1569.002: Service Execution – can start, stop and modify Windows services
2. Persistence and privileged access
T1546.011: Application Shimming – hides its API calls using GetProcAddress
T1543.003: Windows Service – modifies Windows services
T1547.001: Registry Run Keys / Startup Folder – an Autostart registry key is created
T1134: Access Token Manipulation – the malware adjusts the backup and debug token privileges
T1055: Process Injection – injects a PE file, injects malicious code into remote processes, enumerates processes and checks for explorer
3. Evasion
T1027.002: Software Packing – includes anti-virus detection, with learning functionality to detect AV products while unpacking
T1055: Process Injection – uses a sleep mode and suspends execution (code function 10_2_0066D455: Sleep, ExitProcess)
T1036: Masquerading – accesses a directory and creates its own files (file created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Afntawvjoyozdpefruxaakrvbtnnwh)
T1140: Deobfuscate/Decode Files or Information – includes decryption strings
4. Steals Credentials
T1003: OS Credential Dumping – contains code to steal stored credentials from Chrome, IE and Firefox
T1552.001: Credentials In Files – steals stored credential cookies
T1056: Input Capture – contains a keylogger
5. System Discovery
T1083: File and Directory Discovery – enumerates and lists files and queries drives for data
T1087: Account Discovery – queries the machine account holder/user login name
T1518.001: Security Software Discovery – detects anti-virus software, detects a running debugger and attempts to detect a virtual environment
T1018: Remote System Discovery – reads the hosts file C:\Windows\System32\drivers\etc\hosts
6. Collection and communication
T1560: Archive Collected Data – contains an encryption function, and public key creation (Binary or memory string: -----BEGIN PUBLIC KEY-----)
T1115: Clipboard Data – reads and captures data in the clipboard
Written by A. Turner
© A. Turner 2021 https://www.demystifycyber.com.au/
Provided for general information and education purposes