{"id":16787,"date":"2019-11-05T18:40:43","date_gmt":"2019-11-06T02:40:43","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10526\/"},"modified":"2019-11-05T18:40:43","modified_gmt":"2019-11-06T02:40:43","slug":"news-10526","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/05\/news-10526\/","title":{"rendered":"New Variant of Remcos RAT Observed In the Wild"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>FortiGuard Labs Breaking Threat Analysis<\/i><\/p>\n<p>Recently, our LoneWolf Spampot Monitoring System captured several new spam samples. After a quick analysis, we identified them as part of a Remcos RAT campaign. The analysis in this blog focuses on the latest phishing email received by our system. However, we will include all IoCs related to this campaign at the end of this post.<\/p>\n<p>Remcos RAT is a lightweight, fast and highly customizable Remote Administration Tool with a wide array of functionalities. In past years, it has been observed acting as an information collector and keylogger on a victim\u2019s device. Back in May 2018, we analyzed a variant of it; <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-remcos-rat-variant-is-spreading-by-exploiting-cve-2017-11882.html\">click here<\/a> for more details.<\/p>\n<p>From an online search, we can see that Remcos is being sold on a website. 
Figure 1 is a screenshot of that page.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image.img.png\/1571619549442\/remcos-01.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. REMCOS online order page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In this analysis, we would like to take you to an infected victim\u2019s device, where Remcos was downloaded, installed and executed, to see what this variant does.<\/p>\n<p><b>Phishing Spam Sample Overview<\/b><\/p>\n<p>The originating message spoofs the email address so that it appears to come from a valid domain. The attacker also uses social engineering, in the form of a payment advisory email, to persuade users to open the attached ZIP file with the included password.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_302124798.img.png\/1571619621196\/remcos-02.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. 
Spam sample<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The attached file is, in reality, a Windows Shortcut (.LNK). The malware author provided the \u201c.TXT\u201d extension as an attempt to obscure the real file extension once the file is extracted and viewed in the user\u2019s folder.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_1692974932.img.png\/1571619691865\/remcos-03.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. ZIP file asking for a password<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>When the user provides the given password and executes the attached file, it fetches a PowerShell script from an Internet address and executes it.<\/p>\n<p><b>1<sup>st<\/sup> Stage Launcher &amp; Downloader (payment-advice.txt.lnk)<\/b><\/p>\n<p>Once the \u201cpayment-advice.txt.lnk\u201d is executed by the victim user, it invokes the PowerShell interpreter (powershell.exe) with parameters that temporarily bypass the current PowerShell execution policy and then hides its window to ensure proper execution and hide its presence. 
The following picture shows the command argument passed to the PowerShell interpreter.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_950758057.img.png\/1571619771948\/remcos-image.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>2nd Stage \u2013 Dropper (achremittance.ps1)<\/b><\/p>\n<p>The downloaded PowerShell script \u201cachremittance.ps1\u201d is composed of six functions. The following table contains each function name along with its purpose.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_979610096.img.png\/1571619872028\/chart.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the PowerShell script gets to execute, it performs the following actions (in sequential order):\u00a0<\/p>\n<p>1.\u00a0 \u00a0 \u00a0Stores the string \u201c.exe\u201d in a variable encoded in base64, which is eventually decoded and stored in a variable\u00a0<\/p>\n<p>2.\u00a0 \u00a0 \u00a0Generates the absolute path to the newly generated executable 
(C:\\Users\\Public\\&lt;random_name&gt;.exe) by concatenating the previously received parameter (\u201c.exe\u201d file extension), the system\u2019s public (%PUBLIC%) folder and a random string generated for the file name.<\/p>\n<p>3.\u00a0 \u00a0 \u00a0Decodes a base64 encoded executable file stored in a variable and then writes all bytes into the executable file<\/p>\n<p>4.\u00a0 \u00a0 \u00a0Performs a file extension check (either .exe OR .dll). This script targets the \u201c.exe\u201d file extension.<\/p>\n<p>5.\u00a0 \u00a0 \u00a0Starts the dropped file by calling the \u201cStart-Process\u201d PowerShell cmdlet<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_882746192.img.png\/1571619985712\/remcos-04.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Base64 encoded Executable file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Executing the Dropped Remcos<\/b><\/p>\n<p>Once the dropped EXE file executes, it first sleeps for a while (20 seconds) to counter sandbox analysis. Next, on the first run, it relocates the EXE file to the %LocalAppdata% folder and renames it as \u201csysclient.exe\u201d. It finally starts \u201csysclient.exe\u201d after exiting the process.<\/p>\n<p>The \u201csysclient.exe\u201d starts a child process of itself in a suspended state and then overwrites its code with malicious code extracted from the parent process. 
Finally, the malicious code executes in the child process. This technique is called process hollowing.<\/p>\n<p>The figure below shows the process tree when first running the dropped Remcos, where the dropped EXE file is \u201cetyq.exe\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_1989524869.img.png\/1571620055570\/remcos-05.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Process tree when first running the dropped Remcos<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The \u201csysclient.exe\u201d file was written in a .NET Framework language, and the code was fully obfuscated, which creates a big challenge for analysts. It adds itself to the Auto-Start group of the system registry. 
In this way, Remcos can start automatically when the victim\u2019s device restarts.<\/p>\n<p>Figure 6 is a screenshot taken when Remcos calls the function that writes to the system registry.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_701126043.img.png\/1571707655180\/remcos-06.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Addition into Auto-Start group of system registry<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Analysis of the Child Process<\/b><\/p>\n<p>According to our analysis, the version of this variant is \u201c2.5.0 Pro\u201d, which is hardcoded in the malicious code and which just came out on September 20, 2019.<\/p>\n<p>As in previous versions, Remcos contains an encrypted resource named \u201cSETTINGS\u201d. After decrypting it, the data looks like Figure 7. It is an array whose items are separated by the hexadecimal byte \u201c1E\u201d, which is highlighted with a red underline. 
\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_1757948904.img.png\/1571620169624\/remcos-07.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Decrypted resource \u201cSETTINGS\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This is the entire configuration data for Remcos. It contains many value fields, for example: the C&amp;C server host, the license number, the encryption seed for encrypting data, the default switches of many RAT features (\u201c0\u201d disable, \u201c1\u201d enable), its home key name in the system registry, and so on.<\/p>\n<p>Each value of the array can be fetched by calling a function with an index whenever it\u2019s needed.<\/p>\n<p>Remcos starts a keylogger by starting three threads. The log data is saved in a local file at \u201c%Appdata%\\remcos\\logs.dat\u201d. In the previous version, the logs.dat file was encrypted. However, in this version, the logs.dat file is not encrypted. The records are similar to those of the previous version, as shown in Figure 8. 
When we opened Chrome, visited a website and entered test credentials, it recorded everything, as you can see in Figure 8.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_846631033.img.png\/1571620212095\/remcos-08.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Example Keylogger logs.dat file content<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Communicating with the C&amp;C Server<\/b><\/p>\n<p>The communication between Remcos and its C&amp;C server is encrypted. Remcos uses RC4 to encrypt and decrypt traffic. As mentioned above, the \u201cSETTINGS\u201d data contains an encryption seed, which is \u201cAlibaba123\u201d for this version, and from which Remcos can generate the RC4 key for traffic encryption and decryption.<\/p>\n<p>It obtains the C&amp;C server host from the decrypted \u201cSETTINGS\u201d array, at index 0. In Figure 7, you can see the host is \u201cSub[.]winkcaffe[.]waw[.]pl:10005\u201d. 
Remcos puts all the information collected from the victim\u2019s device together in a buffer, which then gets encrypted and sent to the C&amp;C server.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_76199171.img.png\/1571620256366\/remcos-09.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. All collected data from victim\u2019s device<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 9 is a screenshot taken when the buffer is about to be passed to the encryption function.<\/p>\n<p>The data in the buffer is an array whose items are separated by the string \u201c|cmd|\u201d. This is the first packet sent to the C&amp;C server; the buffer starts at memory address 0x1845959 and the buffer size is 0x253. 
The four bytes at offset 0x0F are \u201c4B 00 00 00\u201d (0x4B for short), which is a control command number. In this packet, Remcos collected important information from the victim\u2019s device, such as the victim\u2019s user name, location, Windows version, physical memory capacity, Remcos home name and version, keylogger log file full path, the victim\u2019s device running time, Remcos\u2019s path, CPU information and so on.<\/p>\n<p>The C&amp;C server replied to this packet with the control command number \u201c01 00 00 00\u201d, or 0x01 for short, which asks the client to collect the victim&#8217;s topmost program title information and send it back to the server.<\/p>\n<p>The decrypted response packet is shown below:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image_1237748221.img.png\/1571620503826\/remcos-code-02.png\" alt=\"Fortinet FortiGuard Labs Threat Research\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The data structure is the same as the one shown in Figure 9.<\/p>\n<p><b>Control Commands that Remcos Supports<\/b><\/p>\n<p>Besides the control command number 0x01 that we detailed in the last section, Remcos supports many other control commands that ask it to perform various tasks on the victim\u2019s device. Because the attacker does not enable all the commands on the server side, we find most of these command subprocedures in a control-command-handler function, which is a very large function. 
We manually and statically analyzed this function.<\/p>\n<p>In this section, we show most of the control command numbers in a table as well as the features provided by them.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3\">      <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Remcos supports starting a daemon program to protect itself from being killed. In the previous version, it started \u201csvchost.exe\u201d to do so. However, the attacker behind this campaign did not enable the daemon program; its flag is set to \u201c0\u201d in the \u201cSETTINGS\u201d configuration.<\/p>\n<p><b>Solution<\/b><\/p>\n<p>The original download URL in the link file is rated as \u201c<b>Malicious Websites<\/b>\u201d by the FortiGuard Web Filtering service.<\/p>\n<p>The Shortcut (.lnk) file, the downloaded PowerShell file and the extracted exe file are all detected and blocked by the FortiGuard Antivirus service.<\/p>\n<p><b>IOCs:<\/b><\/p>\n<p><b>URLs<\/b><\/p>\n<p>[C&amp;C server]<\/p>\n<p>Sub[.]winkcaffe[.]waw[.]pl:10005<\/p>\n<p>Top[.]subaroone[.]waw[.]pl:5050<\/p>\n<p>[URL of the PowerShell file]<\/p>\n<p>hxxp[:]\/\/globalpaymentportal[.]co\/Admin\/Logs\/achremittance.ps1<\/p>\n<p>hxxp[:]\/\/transactionportal[.]co\/Admin\/Logs\/transmission.ps1<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/aHoie9nJabQ\/new-variant-of-remcos-rat-observed-in-the-wild.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/new-variant-of-remcos-rat-observed-in-the-wild\/_jcr_content\/root\/responsivegrid\/image.img.png\/1571619549442\/remcos-01.png\"\/><br \/>Recently, we identified several new spam samples as a Remcos RAT campaign. 
Read more about our analysis of this threat.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16787","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16787"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16787\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16787"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}