Remcos is a legitimate commercial Remote Access Tool (RAT) created by the security company Breaking Security. It was first released in 2016 but started being used for malicious purposes during 2017.
This is a powerful tool that grants the capability of comprehensive remote surveillance including keylogging, activating cameras, taking screenshots, capturing audio, and monitoring clipboard activity. It allows threat actors to quietly transfer files to and from the client machine, execute scripts, create shells, list all installed software, edit registry and more. Basically, a hacker’s dream.
Widely used by malicious actors, this tool is mostly delivered via phishing campaigns. While just last year an analysis of version 3.4.0 was published by Fortinet, we recently observed version 4.2.0, which was released on December 20, 2022, being used by threat actors.
Remcos RAT Dropper
The Remcos dropper sample we investigated was an NSIS installer file, with a free icon (probably to make the malware more attractive for the victim):
Figure 1 – Remcos Dropper Icon
During installation, three files are dropped to the victim’s %temp% folder:
- luxdclttdd.exe – used to decrypt the Remcos payload injector.
- cvtepgqsfb.ve – the compressed Remcos payload.
- mxthmaqtcrk.fam – XOR encrypted decompressor and injector of the Remcos payload.
Figure 2 – Dropped files.
Next, the injector file is executed using the following command: “C:\Users\Username\AppData\Local\Temp\luxdclttdd.exe” “C:\Username\ZooRE\AppData\Local\Temp\mxthmaqtcrk.fam”.
luxdclttdd.exe decompresses the Remcos payload and injects it into a new instance of itself using the Process Hollowing technique. However, unlike most Remcos samples in the wild, this one implements the technique differently, in a way that allows it to bypass security solutions. In general, there are several ways to perform Process Hollowing. Our sample uses a variant built on NtCreateSection + NtMapViewOfSection + ResumeThread, with a small twist: the API calls mentioned above were switched to direct syscalls in order to bypass detection. Therefore, the Process Hollowing implementation in our case consists of the following API calls:
- CreateProcessW – luxdclttdd.exe executed in a suspended state.
- NtGetContextThread
- NtQueryInformationProcess
- ReadProcessMemory
- NtCreateSection – called by direct syscall (0x004a)
- NtMapViewOfSection – called by direct syscall (0x0028)
- NtWriteVirtualMemory – called by direct syscall (0x003a)
- SetThreadContext
- NtResumeThread – called by direct syscall (0x0052)
Figure 3 – Direct Syscall Function
The NtCreateSection and NtMapViewOfSection APIs are used to implement another known but less frequently used memory injection technique. By swapping part of the API calls for direct syscalls, this implementation of an evasion technique like Process Hollowing is likely to confuse and bypass security products that rely on a specific set of API calls for detection. Last year we observed a BlueStealer loader implementing a similar technique.
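To illustrate the detection side of the technique described above, here is an added Python example (not code from the analysis or from the sample) that scans a byte buffer for inlined syscall stubs and maps their syscall numbers to the four APIs listed above. The stub layout it looks for is assumed to be the Windows 10 x64 ntdll shape, and the scanned buffer is constructed test data.

```python
import re
import struct

# Syscall numbers the analysis lists for the direct syscalls in this sample
SSN_NAMES = {
    0x4A: "NtCreateSection",
    0x28: "NtMapViewOfSection",
    0x3A: "NtWriteVirtualMemory",
    0x52: "NtResumeThread",
}

# Heuristic: "mov eax, imm32" (B8 xx xx xx xx) followed by "syscall" (0F 05) within 16 bytes.
# Assumed stub shape (Windows 10 x64 ntdll stub copied into user code):
#   4C 8B D1 | B8 <ssn> | F6 04 25 08 03 FE 7F 01 | 75 03 | 0F 05 | C3
STUB_RE = re.compile(rb"\xB8(.{4}).{0,16}?\x0F\x05", re.DOTALL)

def find_direct_syscalls(blob: bytes):
    """Return [(offset, ssn, api_name)] for every mov eax,imm32 ... syscall sequence."""
    hits = []
    for m in STUB_RE.finditer(blob):
        ssn = struct.unpack("<I", m.group(1))[0]
        hits.append((m.start(), ssn, SSN_NAMES.get(ssn, "unknown")))
    return hits

def looks_like_section_hollowing(hits):
    """True when all four stubs of the NtCreateSection/NtMapViewOfSection variant are present."""
    return set(SSN_NAMES) <= {ssn for _, ssn, _ in hits}

def _stub(ssn: int) -> bytes:
    # Constructed test data: the assumed stub shape with the given syscall number
    return (b"\x4C\x8B\xD1\xB8" + struct.pack("<I", ssn)
            + b"\xF6\x04\x25\x08\x03\xFE\x7F\x01\x75\x03\x0F\x05\xC3")

# Constructed sample buffer: padding, the four stubs from the analysis, and one unlisted SSN
SAMPLE = (b"\x90" * 8 + _stub(0x4A) + b"\xCC" * 5 + _stub(0x28)
          + _stub(0x3A) + _stub(0x52) + _stub(0x18) + b"\x00" * 8)

if __name__ == "__main__":
    hits = find_direct_syscalls(SAMPLE)
    for off, ssn, name in hits:
        print(f"offset 0x{off:04x}: syscall 0x{ssn:04x} -> {name}")
    print("section-based hollowing primitives present:", looks_like_section_hollowing(hits))
```

Syscall numbers differ between Windows builds, so the SSN table must be adjusted for the OS version the sample targets.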
Remcos Privilege Escalation
When building a Remcos agent, the threat actor can enable a privilege escalation capability, which Remcos performs in two ways:
- Disabling the User Account Control (UAC – a security feature that prevents an application from executing with higher privileges without the user’s permission) feature by changing (or adding a new value) ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA’ to ‘0’. In Remcos’s case this is performed by executing the following command: “cmd.exe /k %windir%\System32\reg.exe ADD HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f”:
Figure 4 – Disabling UAC feature.
- Eventvwr.exe UAC bypass – an uncommon UAC bypass technique previously used by the Fareit malware. This bypass is done in two stages:
  - Adding the malware path to the Default value of HKCU\Software\Classes\mscfile\shell\open\command.
  - Executing Eventvwr.exe.
Eventvwr.exe (Microsoft’s Event Viewer) is a tool used to view application and system logs for monitoring and troubleshooting. Event Viewer needs to execute mmc.exe (Microsoft Management Console, which serves as an interface for Windows administrative tools) to work. To do this it queries two registry keys, one of which is the registry key added by our malware. So, by changing the registry key, our malware causes Event Viewer to execute it instead of MMC. When executed by Event Viewer, the child process (the malware in our case) inherits its privileges. It’s worth mentioning that this technique was discovered in 2016 and fixed by Microsoft in 2019.
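As an added example of checking a host for the two registry changes described in this section (not code from the analysis or from Remcos), the following Python parses a “reg export” dump of the relevant keys and flags EnableLUA set to 0 and a per-user mscfile handler that does not point at mmc.exe. The sample dumps are constructed, and the malware path in them is a placeholder.

```python
UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
MSCFILE_HKCU_KEY = r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command"

def parse_reg_export(text):
    """Parse a 'reg export' dump (.reg, version 5.00) into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths compared case-insensitively
            keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@"):
            name, _, val = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = val        # hex:/other value types left raw
    return keys

def check_uac_tampering(keys):
    """Flag the two registry changes the Remcos agent makes for privilege escalation."""
    findings = []
    if keys.get(UAC_POLICY_KEY.lower(), {}).get("EnableLUA") == 0:
        findings.append("UAC disabled: EnableLUA=0 under HKLM\\...\\Policies\\System")
    handler = keys.get(MSCFILE_HKCU_KEY.lower(), {}).get("(default)")
    # A per-user mscfile handler normally does not exist; anything but mmc.exe is a hijack
    if handler is not None and "mmc.exe" not in handler.lower():
        findings.append("mscfile handler hijack (eventvwr.exe UAC bypass): " + handler)
    return findings

# Constructed sample dump, as 'reg export' would write it (user and path are placeholders)
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\luxdclttdd.exe"
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"""
```

On a live host the input would come from `reg export` of the two keys; the parser deliberately ignores value types other than REG_SZ and REG_DWORD because only those matter for these checks.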
More Evasion Techniques
- Remcos uses the Dynamic Imports technique. This is a common technique used by many malware samples to evade detection by static analysis-based tools.
- Remcos changes data execution prevention (DEP) emulation settings for 32-bit processes by using the SetProcessDEPPolicy API call. Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. Some malicious code attacks try to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.
Prevention
Minerva Armor’s Anti Ransomware solution inherently prevents memory injection and process hollowing techniques before they can make any progress. This effectively stops Remcos RAT in its initial stages, before any damage is done and before the threat actor can gain any access to the machine. This is also how we were able to locate and analyze this sample.
Figure 5 – Prevention By Minerva
MITRE ATT&CK
T1056.001 – Input Capture: Keylogging
T1115 – Clipboard Data
T1123 – Audio Capture
T1113 – Screen Capture
T1021 – Remote Services
T1112 – Modify Registry
T1543.003 – Create or Modify System Process: Windows Service
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
T1055.012 – Process Injection: Process Hollowing
T1059 – Command and Scripting Interpreter
T1105 – Ingress Tool Transfer
IOCs
Hashes
- 20d412f4c2d2cf23a735109ee712e5df0c03e7ed6b16c0d9f61cff2f4be77549 – NSIS installer
- 4743756A524FE3A4394D256F9BBF1CD91A9F00ABD29187C41E7C90ABF0E2D83D – luxdclttdd.exe
- 283E0FF5B563BC8E1C24EE4715E25D80D31B32CE2DF8474C4D456FB6FAFE168A – cvtepgqsfb.ve
- 124FFF90BBF42684C4BA8BCEC89F0DDE36AAA348C2FC75471E4A92AE5AC57A68 – mxthmaqtcrk.fam
Domains
- favgrandson7.sytes.net:1993
References
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/determine-hardware-dep-available
- https://www.fortinet.com/blog/threat-research/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing