
Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

A remote access Trojan (RAT) is a malware program that includes a back door giving the attacker administrative control over the target PC.

RATs are usually delivered covertly alongside a program the user trusts, such as a game, or as an email attachment.

Remcos RAT was first sold on hacking forums in late 2016 and has been updated with new features continuously since then. Fortinet's security team recently found the payload being distributed widely; the latest version is v1.7.3.

Remcos is currently sold for $58 to $389, depending on the license period and the maximum number of masters (clients) required.

Malware Execution with elevated privileges

Remcos RAT is being distributed through malicious Microsoft Office documents with filenames such as Quotation.xls or Quotation.doc, most likely attached to spam emails.

The macros in these malicious documents are designed to bypass Microsoft Windows' UAC and execute the malware with high privileges.


To execute the downloaded malware with higher system permissions, it uses a well-known UAC-bypass method.

It attempts to run the payload via Microsoft's Event Viewer (eventvwr.exe) by hijacking the registry key (HKCU\Software\Classes\mscfile\shell\open\command) that Event Viewer queries to find the path of the Microsoft Management Console (mmc.exe).

Event Viewer simply executes whatever path that key contains. Because the macro's shell command replaces the value of that registry key with the malware's location, the malware runs instead of the legitimate mmc.exe.
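A defender-side check for the registry hijack just described, added here as an example; it is not part of the article or of Fortinet's analysis. It assumes it is run in the context of the user being audited and that the legitimate mscfile handler lives in the machine hive and points at the system mmc.exe, so any per-user copy under HKCU that points elsewhere is reported as a hijack. The function names (Test-MscfileHijack, Remove-MscfileHijack) are the example's own.

```powershell
# Added example (not from the article or from Fortinet): audit the per-user
# mscfile handler that the eventvwr.exe UAC-bypass described above abuses.
# Assumptions: run as the user being checked; the legitimate handler lives in
# the machine hive (HKLM/HKCR) and points at mmc.exe, so a copy under HKCU
# that points anywhere else is treated as a hijack.

function Test-MscfileHijack {
    [CmdletBinding()]
    param(
        # Registry key named in the article, in PowerShell drive notation.
        [string]$UserKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    )

    $result = [ordered]@{
        KeyPresent = $false
        Command    = $null
        Suspicious = $false
        Reason     = 'No per-user mscfile handler; the machine default (mmc.exe) applies.'
    }

    if (-not (Test-Path -Path $UserKey)) {
        return [pscustomobject]$result
    }

    $result.KeyPresent = $true
    # The shell command is stored in the key's (default) value.
    $cmd = (Get-ItemProperty -Path $UserKey -ErrorAction SilentlyContinue).'(default)'
    $result.Command = $cmd

    if ([string]::IsNullOrWhiteSpace($cmd)) {
        $result.Suspicious = $true
        $result.Reason = 'Per-user mscfile key exists but carries no command; investigate who created it.'
        return [pscustomobject]$result
    }

    # Normalise: expand %SystemRoot%-style variables, strip quotes, keep only the executable path.
    $expanded = [Environment]::ExpandEnvironmentVariables($cmd).Trim()
    $exe = if ($expanded.StartsWith('"')) { $expanded.Split('"')[1] } else { $expanded.Split(' ')[0] }
    $legitMmc = Join-Path $env:SystemRoot 'System32\mmc.exe'

    if ($exe -ieq $legitMmc) {
        $result.Reason = 'Per-user key present but it points at the system mmc.exe (unusual, not a hijack).'
    }
    else {
        $result.Suspicious = $true
        $result.Reason = "Per-user mscfile handler redirects Event Viewer to: $exe"
    }
    [pscustomobject]$result
}

# Remediation: deleting the per-user override restores the machine default handler.
# Record the Test-MscfileHijack output for the incident file before removing it.
function Remove-MscfileHijack {
    param([string]$UserClassKey = 'HKCU:\Software\Classes\mscfile')
    if (Test-Path -Path $UserClassKey) {
        Remove-Item -Path $UserClassKey -Recurse -Force
        return $true
    }
    return $false
}

Test-MscfileHijack | Format-List
```

On a clean workstation the HKCU key does not exist at all, so its mere presence is worth an alert. For continuous detection rather than a one-off sweep, the same condition shows up as a registry value-set event on a path ending in `mscfile\shell\open\command` (Sysmon Event ID 13) and as eventvwr.exe spawning a child process other than mmc.exe.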

Payload binaries

Remcos itself only offers the UPX and MPRESS1 packers to pack and compress its server component. In this sample, however, the attacker went further by adding another layer of custom packing on top of MPRESS1.

Remcos v1.7.3 and its capabilities

The Remcos client has five main tabs, each with its own set of functions. Although most of the parameters are disabled in the free version, we were able to simulate its client-server connection.

  • The Connections Tab is where all the active connections can be monitored.
  • Automatic Tasks is probably the most interesting feature of Remcos, as we haven’t seen anything like it on other RATs.
  • The Local Settings tab consists of settings for the client side.
  • The Builder tab is where the parameters of the created server binary can be customized.

Builder tab sub-sections

  • Connection – sets the client IP addresses and ports that the server connects to upon installation.
  • Installation – configures the installation path, autorun registry entries, and a watchdog module that prevents termination of the process and deletion of its files and registry entries.
  • Stealth – dictates whether the server should show an icon in the system tray.
  • Keylogger – includes the usual options for a basic keylogger.
  • Surveillance – gives the server the option to take screenshots of the system periodically or when specific windows are active.
  • Build – gives the option to pack the server binary using UPX and MPRESS.
  • The Event Log displays connection logs with the server, along with some information about the client's status (updates, ports, etc.).
  • The About tab has acknowledgements and some promotions for other products.

Samples (SHA256)

fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a – W32/Remcos.A!tr

8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 – W32/Remcos.A!tr

8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb – WM/Agent.9BF1!tr.dldr

a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 – WM/Agent.9BF1!tr.dldr

IOC

Download URL: legacyrealestateadvisors[.]net/brats/remmy.exe

Command&Control:

  • remcos2.legacyrealestateadvisors[.]net
  • remcos.legacyrealestateadvisors[.]net
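The samples and network indicators above, used in a log sweep: an added example, not code from the article or from Fortinet. The indicators are the article's own; the proxy, DNS and EDR log lines it scans are constructed for the demonstration, and the function names (ConvertFrom-Defanged, Find-RemcosIoc) are the example's.

```powershell
# Added example (not from the article): sweep constructed proxy, DNS and EDR log
# lines for the IoCs the article lists. The indicators are kept defanged in the
# script and refanged only in memory, so the file itself never holds a live URL.

$NetworkIocs = @(
    'legacyrealestateadvisors[.]net/brats/remmy.exe',   # download URL
    'remcos2.legacyrealestateadvisors[.]net',           # C2
    'remcos.legacyrealestateadvisors[.]net'             # C2
)

$SampleHashes = @(
    'fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a',
    '8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81',
    '8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb',
    'a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Undo the common defanging conventions: "[.]" for "." and "hxxp" for "http".
    ($Indicator -replace '\[\.\]', '.') -replace '^hxxp', 'http'
}

function Find-RemcosIoc {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Build one case-insensitive regex per indicator; Escape() keeps the dots literal.
    $patterns = foreach ($ioc in $NetworkIocs) {
        [pscustomobject]@{
            Indicator = $ioc
            Regex     = [regex]::new([regex]::Escape((ConvertFrom-Defanged $ioc)), 'IgnoreCase')
        }
    }
    $patterns += foreach ($h in $SampleHashes) {
        [pscustomobject]@{ Indicator = $h; Regex = [regex]::new($h, 'IgnoreCase') }
    }

    foreach ($line in $LogLines) {
        foreach ($p in $patterns) {
            if ($p.Regex.IsMatch($line)) {
                [pscustomobject]@{ Indicator = $p.Indicator; Line = $line }
                break   # one hit per line is enough for triage
            }
        }
    }
}

# Constructed log lines for the demo (not real telemetry); the first three should match.
$ConstructedLog = @(
    '2017-02-21T10:02:11Z proxy src=10.0.0.15 GET http://legacyrealestateadvisors.net/brats/remmy.exe status=200',
    '2017-02-21T10:02:15Z dns client=10.0.0.15 query=REMCOS2.legacyrealestateadvisors.net type=A',
    '2017-02-21T10:02:40Z edr host=WS15 file=remmy.exe sha256=fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a',
    '2017-02-21T10:03:00Z proxy src=10.0.0.22 GET https://www.example.com/index.html status=200'
)

Find-RemcosIoc -LogLines $ConstructedLog | Format-Table -AutoSize
```

To run it against real data, replace `$ConstructedLog` with `Get-Content` of an exported log. Matching on the full URL path as well as the bare host catches the initial download even where the proxy logs only the request line, and matching the C2 hostnames separately catches the later beaconing, whose path is not known from the article.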


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
