{"id":18689,"date":"2022-04-06T09:40:02","date_gmt":"2022-04-06T17:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/06\/news-12422\/"},"modified":"2022-04-06T09:40:02","modified_gmt":"2022-04-06T17:40:02","slug":"news-12422","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/06\/news-12422\/","title":{"rendered":"The Latest Remcos RAT Driven By Phishing Campaign"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/h2>\n<p><b>Affected platforms:<\/b> Microsoft Windows<br \/> <b>Impacted parties:<\/b> Microsoft Windows Users<br \/> <b>Impact:<\/b> Controls victim\u2019s device and collects sensitive information<br \/> <b>Severity level:<\/b> Critical<\/p>\n<p>Remcos RAT (Remote Access Trojan) was originally designed as a professional tool to remotely control computers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims\u2019 devices since its first version was published on July 21, 2016. 
Remcos RAT is commercial software that is sold online.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649207001819\/imggg.png\" alt=\"Figure 1: Example of Remcos RAT being sold online\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Example of Remcos RAT being sold online<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>On this webpage, it provides two versions: professional edition (with all features included) and free edition (with restricted features).<\/p>\n<p>This analysis is based on Remcos RAT being used by hackers to control victims\u2019 devices delivered by a phishing campaign, which was caught by Fortinet\u2019s FortiGuard Labs recently.<\/p>\n<p>In this analysis, you will learn:<\/p>\n<ul>\n<li>How the phishing campaign delivers Remcos RAT onto the victim\u2019s device<\/li>\n<li>How Remcos executes on the device<\/li>\n<li>What sensitive information it could steal from a victim<\/li>\n<li>How Remcos connects to its C2 server<\/li>\n<li>What commands this Remcos provides to control the victim\u2019s device<\/li>\n<\/ul>\n<h2>The Phishing Email<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_406303731.img.png\/1649214460391\/newfig.png\" 
alt=\"Figure 2: Screenshot of the phishing email content\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Screenshot of the phishing email content<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see from the email content shown in Figure 2, the hacker disguised the phishing email as a payment notification from a trusted bank and asked the recipient to open the attached Excel file that is protected by a password.<\/p>\n<h3>Excel File Leads to Download of Remcos via VBS and PowerShell<\/h3>\n<p>Once the attached Excel document is opened in the Excel program, it asks for a password to view the document, which has already been provided in the email. It then shows the document in the Excel program like Figure 3. Because the file contains Macro code, it shows a yellow security warning bar to warn the victim of the danger.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_2086785119.img.png\/1649207231345\/fig-3.1.png\" alt=\"Figure 3: Screen shown when the Excel document is opened in the Excel program\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Screen shown when the Excel document is opened in the Excel program<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The file message lures the victim into clicking the Enable Content button to bypass the warning and execute the malicious macro code.<\/p>\n<p>The macro has a function called \u201cWookbook_Active()\u201d that is called automatically when it opens. 
Its task is to extract the VBS code from the cells into a file \u201c%AppData%HobYQ.vbs\u201d and then execute it.<\/p>\n<p>To protect the Remcos payload file, it downloads it through a deliberately convoluted multi-stage chain that executes both VBS and PowerShell script code.<\/p>\n<p>\u201cHobYQ.vbs\u201d runs a segment of dynamically spliced PowerShell code to download another VBS file (\u201cflip.vbs\u201d) from the attacker\u2019s server and run it. Next, \u201cflip.vbs\u201d downloads a file called \u201cmem.txt\u201d from the server, which is a piece of encoded VBS code that \u201cflip.vbs\u201d later executes to download the final file, \u201cfaze.jpg\u201d, from the same server. Figure 4 shows the captured traffic for the three downloaded files, \u201cflip.vbs,\u201d \u201cmem.txt,\u201d and \u201cfaze.jpg.\u201d<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_517696289.img.png\/1649207262339\/fig3.2.png\" alt=\"Figure 4: \u201cHobYQ.vbs\u201d leads to downloading three files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: \u201cHobYQ.vbs\u201d leads to downloading three files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The bottom of Figure 4 shows part of the response packet for \u201cfaze.jpg\u201d. Of course, it is not an image file but an obfuscated PowerShell script. It defines three pieces of encoded data in three array variables, which are simplified in Figure 5 and marked with three red boxes. 
The PowerShell code carried in \u201cfaze.jpg\u201d is executed by \u201cflip.vbs\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1979540426.img.png\/1649207279148\/fig-3.3.png\" alt=\"Figure 5: The simplified PowerShell code of \u201cfaze.jpg\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: The simplified PowerShell code of \u201cfaze.jpg\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Let me explain how this PowerShell code works.<\/p>\n<p>The values of the two variables, $MNB and $IRjR, are both GZIP-compressed payloads (they start with the GZIP magic bytes \u201c1F 8B\u2026\u201d). After decompression, $MNB is a .Net Framework Dll file and $IRjR is the Remcos payload file.<\/p>\n<p>The binary value assigned to the variable \u201c$qgRf\u201d is a dynamic method called tMCfkSD() that performs the decompression.<\/p>\n<p>It calls tMCfkSD() to decompress the .Net Dll from $MNB into $byUsWxe. 
Finally, it loads the .Net Dll into the current PowerShell execution environment by calling \u201cLoad\u201d, and the function \u201cBlack()\u201d of the class \u201ctoooyou\u201d is called with \u201cRegAsm.exe\u201d and the compressed Remcos payload ($IRjR).<\/p>\n<h3>.Net Framework Dll File Performs Process Hollowing<\/h3>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1941736865.img.png\/1649207469921\/fig-4.1.png\" alt=\"Figure 6: Break on .Net Dll toooyou.Black()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Break on .Net Dll toooyou.Black()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The .Net Dll is named GC.dll, as you can see in Figure 6. The two passed parameters are shown in \u201cLocals\u201d. Its code is obfuscated. According to my analysis, it first dynamically extracts another Dll, named lime.dll, from its resource section. Next, it decompresses the Remcos payload, which is passed to a function called &quot;k78er0sdfffff.o70sdaf45gfg(System.String, Byte[])&quot; from lime.dll. This Dll performs the process hollowing, that is, injecting the Remcos payload into a newly created \u201cRegAsm.exe\u201d process. Once the function (k78er0sdfffff.o70sdaf45gfg()) is invoked, it looks for \u201cRegAsm.exe\u201d in the locations below on the victim\u2019s device. 
In case that it fails to find the file, it exits from PowerShell without running the Remcos.<\/p>\n<p>The hardcoded location list:<\/p>\n<p style=\"margin-left: 40.0px;\"><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"color: black;\">array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">C1790263187<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: rgb(163,21,21);\">&quot;C:\\WINDOWS\\syswow64\\&quot;<\/span><span style=\"color: black;\">;<br \/>  array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">C2710025604<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: rgb(163,21,21);\">&quot;C:\\WINDOWS\\system32\\&quot;<\/span><span style=\"color: black;\">;<br \/>  array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">C3326009313<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: rgb(163,21,21);\">&quot;C:\\WINDOWS\\&quot;<\/span><span style=\"color: black;\">;<br \/>  array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">C931285936<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: rgb(163,21,21);\">&quot;C:\\WINDOWS\\syswow64\\WindowsPowerShell\\v1.0\\&quot;<\/span><span style=\"color: black;\">;<br \/>  array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">const_4<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: 
rgb(163,21,21);\">&quot;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\&quot;<\/span><span style=\"color: black;\">;<br \/>  array[<\/span><span style=\"color: rgb(43,145,175);\">&lt;Module&gt;<\/span><span style=\"color: black;\">.<\/span><span style=\"color: rgb(153,0,153);\">C3873335087<\/span><span style=\"color: black;\">]\u00a0=\u00a0<\/span><span style=\"color: rgb(163,21,21);\">&quot;C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\&quot;<\/span><span style=\"color: black;\">;<\/span><\/span><\/span><\/p>\n<p>In my testing environment, this file is located at &quot;C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe&quot;.<\/p>\n<p>As you may know, process hollowing requires several API calls: CreateProcess() with the CREATE_SUSPENDED flag, WriteProcessMemory(), GetThreadContext(), SetThreadContext(), and so on. As shown in Figure 7, Lime.dll is about to call the API CreateProcessA() to create a suspended RegAsm.exe process.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_104867624.img.png\/1649219858810\/fig-4%2C2.png\" alt=\"Figure 7: Call CreateProcessA() with CREATE_SUSPENDED flag\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Call CreateProcessA() with CREATE_SUSPENDED flag<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the Remcos payload has been injected into RegAsm.exe, the API ResumeThread() is called so that RegAsm.exe resumes and runs the Remcos RAT on the victim\u2019s device.<\/p>\n<h3>Dive into Remcos Payload<\/h3>\n<p>Per my analysis, Remcos was written in 
C++ language with templates. What we already captured is the latest version, 3.4.0 Pro, which was published on February 10, 2022. I dissected the Remcos payload file from this section to learn how it controls the victim\u2019s device.<\/p>\n<p>From the analysis of its previous versions in the past years, Remcos used RC4 encryption to encrypt or decrypt both the local data and the traffic data between Remcos and C2 servers. From the version 3.0.0 Pro on, it has changed the encryption algorithm to AES-128 bit for encrypting or decrypting the traffic data. Therefore, it is now using both encryption algorithms, RC4 for local data and AES for traffic data in this variant.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1169218445.img.png\/1649207577604\/fig-5.1.png\" alt=\"Figure 8: Remcos configuration block encrypted in \u201cSETTINGS\u201d resource\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Remcos configuration block encrypted in \u201cSETTINGS\u201d resource<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Every Remcos contains an RC4 encrypted configuration block in its PE resource section, named \u201cSETTINGS\u201d as shown in Figure 8, where the first byte \u201cB1\u201d is the size of the following RC4 key that is in a red box and the rest data is the encrypted Remcos configuration block.<\/p>\n<p>The first thing Remcos does is to decrypt the configuration block, which will be referred to throughout Remcos lifetime. 
It contains, but is not limited to, the C2 server information, the name Remcos assigns to the victim so the attacker can recognize it, the Remcos sub-key name in the registry, the name of the log file used to record the victim\u2019s keylogger and clipboard data, many flags telling Remcos which of its features to start on the victim\u2019s device, and the authentication data used to establish the connection to the C2 server.<\/p>\n<p>The workflow of Remcos is straightforward: it starts many threads to perform auto-start work according to the flags defined in the configuration block. This includes:<\/p>\n<ul>\n<li>Adding Remcos to the auto-run group in the system registry<\/li>\n<li>Starting a watchdog program (Remcos\u2019 daemon program)<\/li>\n<li>Recording the victim\u2019s audio input from an input device (microphone)<\/li>\n<li>Capturing the victim\u2019s screenshots at startup<\/li>\n<li>Disabling UAC (User Account Control) on the victim\u2019s device<\/li>\n<li>And so on<\/li>\n<\/ul>\n<p>Remcos periodically records the victim\u2019s sensitive information in a log file (whose name comes from the configuration block), such as keyboard input (keylogger), data on the system clipboard, and the title of the topmost program the victim is typing in. To do so, it sets a keyboard hook by calling the API SetWindowsHookExA() and starts a thread that checks every 500 microseconds. 
Figure 9 shows the ASM code snippet that sets such a hook.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1830594180.img.png\/1649207660031\/fig-5.2.png\" alt=\"Figure 9: Set keyboard Windows Hook\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Set keyboard Windows Hook<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Below is an example of \u201clogs.dat\u201d with what Remcos obtained from my test environment, such as the recording date and time, topmost program titles, the victim\u2019s idle time, and clipboard data.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1960009622.img.png\/1649219873612\/fig5.3.png\" alt=\"Figure 10: Example of information saved in \u201clog.dat\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Example of information saved in \u201clog.dat\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The next step in the Remcos workflow is to connect to its C2 server using the information from the configuration block.<\/p>\n<h3>Communicating with the C2 Server<\/h3>\n<p>Remcos uses the TLS v1.3 protocol to communicate with the C2 server, which is implemented 
by itself (not using Windows APIs) on the TLS handshake and authentication as I mentioned before.<\/p>\n<p>Remcos then collects the basic information from the victim\u2019s system and submits it in the first packet to the C2 server. The packet number for the first packet is 4BH. The packet to go through AES encryption is shown below.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_1962818533.img.png\/1649207745953\/fig-6.1.png\" alt=\"Figure 11 4BH packet plaintext content before AES encryption\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: 4BH packet plaintext content before AES encryption<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The victim\u2019s basic information is enclosed in this packet. Let\u2019s take a look at the packet structure.<\/p>\n<p>The first \u201c24 04 FF 00\u201d is the packet magic ID that comes from the decrypted configuration block, the subsequent dword \u201cA1 02 00 00\u201d (21AH) is the size of following data, the next dword \u201c4B 00 00 00\u201d (4BH) is the packet number. 
The rest of the data is the basic information collected from the victim\u2019s device, which includes but is not limited to:<\/p>\n<ul>\n<li>Remcos assigned name \u201cShiesty\u201d (from the configuration block)<\/li>\n<li>Victim\u2019s user name and computer name<\/li>\n<li>Windows edition information, total RAM (3757629400) in bytes<\/li>\n<li>Remcos version (3.4.0 Pro)<\/li>\n<li>The full path of the current RegAsm.exe, the title of the currently active program (the one the victim is using)<\/li>\n<li>Victim\u2019s idle time<\/li>\n<li>The system\u2019s uptime<\/li>\n<li>CPU information<\/li>\n<li>C2 server host<\/li>\n<li>Remcos payload type (EXE or DLL)<\/li>\n<\/ul>\n<p>All of the above value fields are separated by the separator \u201c7C 1E 1E 1F 7C\u201d (shown as \u201c|\u2026|\u201d when displayed as a string).<\/p>\n<p>Once the C2 server receives this 4BH packet, it shows the victim in the \u201cConnection\u201d subtab, as shown in Figure 12. From then on, the attacker can control the victim\u2019s device by simply right-clicking on the item (red box) and selecting the commands they want.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image_867490803.img.png\/1649207809912\/img-6.2.png\" alt=\"Figure 12: How C2 server looks when receiving a 4BH packet\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: How C2 server looks when receiving a 4BH packet<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Meanwhile, Remcos registers a callback function that parses the C2\u2019s commands and enters an infinite loop to wait for the upcoming control commands from 
the attacker\u2019s C2 server.<\/p>\n<h2><b>Control Commands<\/b><\/h2>\n<p>From the registered callback function, we learned that this Remcos variant provides 87 control commands, which are categorized into the groups below:<\/p>\n<ul>\n<li><b>System<\/b>: Screen Capture, File Manager, File Search, Process Manager, etc.<\/li>\n<li><b>Surveillance<\/b>: Webcam, Microphone, Keylogger, Screenlogger, etc.<\/li>\n<li><b>Network<\/b>: Proxy, Downloader, Open Webpage, etc.<\/li>\n<li><b>Extra<\/b>: Dll Loader, Logins Cleaner, Audio Player, etc.<\/li>\n<li><b>Remcos<\/b>: Reconnect, Restart, Show, Update, Close, Uninstall, etc.<\/li>\n<li><b>Heartbeat packet<\/b><\/li>\n<\/ul>\n<p>The C2 server sends a heartbeat packet to Remcos every 40 seconds. Once Remcos has connected to the C2 server, the heartbeat verifies that this Remcos instance is still alive. All of the C2\u2019s command packets share the same format. I\u2019ll use the heartbeat packet as an example; it looks like this:<\/p>\n<p><span style=\"font-size: 11.0pt;\"><span style=\"font-family: Calibri , sans-serif;\"><span style=\"font-size: 12.0pt;\"><span style=\"color: black;\">24 04 FF 00 0C 00 00 00 <span style=\"background-color: lime;\">01 00 00 00<\/span> <span style=\"background-color: yellow;\">30<\/span> <span style=\"background-color: rgb(127,140,141);\">7C 1E 1E 1F 7C<\/span> <span style=\"background-color: yellow;\">32 30<\/span><\/span><\/span><\/span><\/span><\/p>\n<p>After the packet magic ID (\u201c24 04 FF 00\u201d) and the packet size (0x0C), \u201c01 00 00 00\u201d is the heartbeat command number (0x01), and the rest is command data split by \u201c7C 1E 1E 1F 7C\u201d, namely 30 (ASCII \u201c0\u201d) and 32 30 (ASCII \u201c20\u201d). 
Remcos then obtains the title of currently active window as well as a time value and sends them to the C2 server in packet number 4CH.<\/p>\n<p>The following is a control command list:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--3\">\n<p>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Besides the listed control commands, Remcos also has many sub-commands to support some of the control commands in sub-connections, like Service Manager command 34H with sub-commands: 03H to stop a service, 04H to pause a service, 01H to restart a service.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this analysis blog, I explained how a phishing email delivers an Excel document with malicious Macro into the victim\u2019s device.<\/p>\n<p>Next, we went through how it executes multiple VBS and Powershell scripts to download the Remcos payload as well as how the Remcos payload is deployed by a .Net Dll into the \u201cRegAsm.exe\u201d process via Process Hollowing.<\/p>\n<p>Then, I dissected Remcos\u2019s workflow according to its code and how a configuration block is decrypted from the PE resource section. 
I also explained how Remcos established connection to its C2 server.<\/p>\n<p>Finally, through several examples, I elaborated the structure of the control and command packets in plaintext as well as what commands Remcos is able to use to control the victim\u2019s device and the control command list.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet customers are already protected from this malware by FortiGuard\u2019s Web Filtering, Antivirus, FortiMail, FortiClient, FortiEDR services, IPS services, and CDR (Content Disarm and Reconstruction) services, as follows:<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The captured\u00a0Excel sample and the downloaded Remcos payload files are detected as &quot;<b>VBA\/Remcos.REM!tr<\/b> &quot; and &quot;<b>W32\/Rescoms.M!tr<\/b>&quot; and are blocked by the FortiGuard Antivirus service.<b><\/b><\/p>\n<p>FortiEDR detects both the Excel file and Remcos payload file as malicious based on its behavior.<\/p>\n<p>Fortinet also released IPS signature \u201cRemcos.Botnet\u201d to detect and block Remcos\u2019 C&amp;C traffic to protect our customers.<\/p>\n<p>FortiGuard Content, Disarm, and Reconstruction (CDR) can protect users from this attack by enabling the following option:<\/p>\n<ul>\n<li>Enable\/disable stripping of linked objects in Microsoft Office documents.<\/li>\n<\/ul>\n<p>In addition to these protections, Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:<\/p>\n<p>The <a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">FortiPhish Phishing Simulation Service<\/a> uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.<\/p>\n<p>In addition to these protections, we suggest that organizations also have their end users go through 
our FREE NSE training: <a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<h3>URLs:<\/h3>\n<p>hxxp:\/\/209[.]127[.]19[.]101\/flip.vbs<\/p>\n<p>hxxp:\/\/209[.]127[.]19[.]101\/mem.txt<\/p>\n<p>hxxp:\/\/209[.]127[.]19[.]101\/faze.jpg<\/p>\n<p>shiestynerd[.]dvrlists[.]com:10174<\/p>\n<p>mimi44[.]ddns[.]net:2405<\/p>\n<p>harveyautos110[.]ddns[.]net:2404<\/p>\n<p>harveyautos111[.]hopto[.]org:2404<\/p>\n<p>harveyautos112[.]ddns[.]net:2404<\/p>\n<p>harvey205[.]camdvr[.]org:2404<\/p>\n<p>harvey206[.]casacam[.]net:2404<\/p>\n<p>harvey207[.]accesscam[.]org:2404<\/p>\n<p>23[.]226[.]128[.]197:2404<\/p>\n<p>achimumuazi[.]hopto[.]org:2311<\/p>\n<p>xhangzhi[.]duckdns[.]org:2404<\/p>\n<h3>Sample SHA-256 Involved in the Campaign:<\/h3>\n<p>[Excel Document]<\/p>\n<p>FBB0575DFD7C1CFE48FB3AA895FBE6C8A554F06899A7152D04CFC39D1D4744AD<\/p>\n<p>[Captured Remcos samples]<\/p>\n<p>8F6DD0DB9E799393A61D6C9CF6495C164E1B13CB8E6B153B32359D5F07E793D2<br \/> DA609D3211D60D5B11FEAEAA717834CBE86E18103A1ED4FC09C2EE3E1CFF9442<br \/> 737E11913EFB64ACCF1B88532C7CE8606676684D8364DDD027926F9FFC6ECFFB<br \/> B263876EBC01B310A8BFC58477523981184EB7E8F2DC955F0CF8E62124EB679A<br \/> 2C8B78FC6C4FE463DAC9D39FDE2871F1BB2605453BC0F2D57C7549CF5D07AA86<br \/> A1A1395D0602A473FCC81BA7D1D90C3FB154321D1721E0069722B902B1057CB0<br \/> 6B816D84ACCC3E1EBCE3EF55B64B0C5E0485228790DF903E68466690E58B5009<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/latest-remcos-rat-phishing\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/latest-remcos-rat-phishing\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649207001819\/imggg.png\"\/><br \/>FortiGuard Labs analyzes how a phishing campaign delivers the Remcos RAT onto a victim\u2019s device, how it executes on the device, the sensitive information it steals from the victim, as well as the commands this Remcos RAT uses to control the victim&#8217;s device. 
Read to learn more.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18689","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18689"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18689\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18689"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}