
How to analyze Remcos RAT variants in phishing email

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

How do you analyze a Remcos RAT variant delivered by phishing email? This article walks through the analysis of one such sample in detail, in the hope that it helps readers facing the same problem find a simple, workable approach.

In July 2019 we found a phishing email disguised as a new order notification. Its malicious attachment leads to execution of the Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). The attack wraps and delivers the RAT with AutoIt and uses several obfuscation and anti-debugging techniques to evade detection.

Remcos RAT first appeared in 2016, when it was advertised and sold as a paid service on hacking forums; cracked copies were later circulated on many websites and forums. Remcos remains a common tool among cybercriminals and is still actively developed. In 2017 we found a Remcos sample distributed through malicious PowerPoint slides that exploited CVE-2017-0199. Recently, Remcos has again begun spreading widely through phishing email.

The attacker behind the phishing email sends from rud-division@alkuhaimi[.]com (a legitimate domain) with the subject "RE: NEW ORDER 573923". The attachment, "Purchase order201900512.ace", is an ACE archive; it contains Boom.exe, which acts as the loader and wrapper for the payload.

Wrapper / loader analysis

After decompiling the executable into an AutoIt script, we found the malicious code protected by several layers of obfuscation, presumably to evade detection and to make reverse engineering harder. The top-level obfuscated functions look like this:

Figure 1 Key functions after obfuscation

Figure 2 Functions used for obfuscation

Boom.exe's main tasks are to establish persistence, perform anti-analysis checks, and drop and execute Remcos RAT on the infected system. The code snippet above first computes the values in an array and then passes each value to ChrW(), which turns a Unicode code point into its character, reassembling the decoded string.

Figure 3 Sample string decoding

In some places the malware uses AutoIt's BinaryToString() function to turn binary data into the next layer of obfuscated script once the outer layer has been decoded. The following snippet shows this behavior:

Figure 4 Using an AutoIt function to decode binary data to a string

After deobfuscating the AutoIt code, a large amount of junk code remains; its purpose is to distract the analyst.

Figure 5 Example of junk code

The malware then copies itself to %AppData%\Roaming\appidapi\UevTemplateBaselineGenerator.exe and loads the main payload (Remcos RAT) from its resource section. It then prepares the environment for running the payload by executing the following shellcode (frenchy_shellcode version 1):

Figure 6 Frenchy_ShellCode_001

Figure 7 Executing and decoding the Frenchy shellcode

Figure 8 Frenchy shellcode variant

Decoding and loading Remcos from a resource

The DecData() function reads the data from the resource section, reverses the whole string, and replaces every occurrence of "%$=" with "/".

Figure 9 Decoding the main payload with AutoIt: code plus encoded resource

Figure 10 Decoding the main payload with AutoIt: code only

The resulting string is then base64-decoded with the following call (CryptStringToBinary with dwFlags = 1, which is CRYPT_STRING_BASE64); the output is the PE file that is the main payload:

$a_call = DllCall ("Crypt32.dll", "int", "CryptStringToBinary", "str", $sData, "int", 0, "int", 1, "ptr", 0, "ptr", DllStructGetPtr ($struct, 1), "ptr", 0, "ptr", 0)

Figure 11 Decoding Remcos in AutoIt
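The three DecData() steps described above (reverse, replace "%$=" with "/", base64-decode) are easy to reimplement so the payload can be extracted without running the loader. The following Python is an added example written for this page, not code from the sample or from Trend Micro; the payload bytes are constructed (a fake "MZ" header, not the real Remcos PE), and the encoder is simply the inverse of the decoding steps the page describes.

```python
import base64

# Constructed stand-in for the Remcos PE: a fake MZ header plus filler.
# The 0xff bytes guarantee that the base64 form contains '/', so the
# "%$=" substitution is actually exercised.
SAMPLE_PAYLOAD = b"MZ\x90\x00\xff\xff\xffThis program cannot be run in DOS mode."


def encode_resource(payload: bytes) -> str:
    """Inverse of DecData(): base64-encode, swap '/' for the marker '%$=',
    then reverse the whole string. This is how the resource would have been
    prepared, inferred from the decode steps, not taken from the sample."""
    b64 = base64.b64encode(payload).decode("ascii")
    return b64.replace("/", "%$=")[::-1]


def decode_resource(resource: str) -> bytes:
    """Mirror of the loader's DecData() as described on the page:
    1. reverse the resource text,
    2. replace every '%$=' with '/',
    3. base64-decode (the AutoIt code does this with
       CryptStringToBinary, dwFlags = 1 = CRYPT_STRING_BASE64)."""
    restored = resource[::-1].replace("%$=", "/")
    return base64.b64decode(restored, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Quick sanity check after decoding: a PE file starts with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    blob = encode_resource(SAMPLE_PAYLOAD)
    recovered = decode_resource(blob)
    print("marker present in encoded form:", "=$%" in blob)
    print("decoded starts with MZ:", looks_like_pe(recovered))
```

To use this against a real sample, dump the resource text with a resource editor or pefile, pass it to decode_resource(), and write the result to disk; validate=True makes the decoder fail loudly if the resource still contains obfuscation characters that were not handled.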

Loader anti-virtual-machine check

The AutoIt loader can detect a virtual machine by checking whether vmtoolsd.exe (VMware Tools) or vbox.exe appears in the list of running processes. Notably, this function is never called in the sample.

Figure 12 Anti-virtual-machine code in the AutoIt loader

UAC bypass

Depending on the Windows version, the malware uses either the built-in Event Viewer (eventvwr.exe) or fodhelper.exe to bypass User Account Control (UAC). Both are auto-elevating Windows binaries that read a command from registry keys under HKCU, which any unprivileged process can write, so the malware can get its own command run at high integrity without a prompt.

Figure 13 UAC Bypass

Anti-debugging

If the loader sees that the IsDebuggerPresent API returns a nonzero value, it displays "This is a third-party compiled AutoIt script." and exits.

Figure 14 The AutoIt loader's check for an attached debugger

Remcos RAT main payload

Remcos RAT was originally marketed as a legitimate remote access tool for administering systems remotely, but it has since become a weapon for cybercriminals. Once the RAT runs, the intruder can execute commands on the victim's system. Earlier advertisements listed a wide range of features, including downloading and executing commands, keylogging, screen recording, and capturing from cameras and microphones.

To analyze the payload we examined a sample of Remcos Professional version 1.7.

Figure 15 Remcos version

When executed, the malware creates a copy of itself, as specified by its configuration, at %AppData%\remcos\remcos.exe, and runs an install.bat script that launches remcos.exe from the %AppData% directory and then deletes the original. It then creates the following Run key values in the registry to persist on the system.

Figure 16 install.bat dropped by Remcos

Figure 17 Registry changes Remcos RAT makes for persistence

Figure 18 The registry changes in the Remcos RAT code
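The UAC bypass and the Run-key persistence described above both leave registry writes that a defender can alert on. The following Python is an added detection example for this page, not code from the sample, from Trend Micro, or from any product. It scans constructed, simplified Sysmon-style "RegistryEvent (Value Set)" (Event ID 13) lines; the SIDs, user names and paths in the sample events are made up, and the field layout is a simplification of real Sysmon output. The registry paths for fodhelper.exe (HKCU\Software\Classes\ms-settings\Shell\Open\command, plus an empty DelegateExecute value) and eventvwr.exe (HKCU\Software\Classes\mscfile\shell\open\command) are the well-known keys those two auto-elevating binaries consult; Sysmon reports HKCU\Software\Classes as HKU\<SID>_Classes.

```python
import re

# Registry paths read by the two auto-elevating binaries the page names.
# Matching is case-insensitive on a lower-cased TargetObject.
UAC_BYPASS_KEYS = {
    "fodhelper": r"classes\ms-settings\shell\open\command",
    "eventvwr": r"classes\mscfile\shell\open\command",
}
# Per-user autostart key (Run); the page says Remcos adds values here.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed Sysmon-style Event ID 13 lines. Not real telemetry: the SID,
# user name and file paths are invented for this example.
SAMPLE_EVENTS = [
    r"EventID: 13 Image: C:\Users\bob\AppData\Roaming\appidapi\UevTemplateBaselineGenerator.exe "
    r"TargetObject: HKU\S-1-5-21-1-2-3-1001_Classes\ms-settings\Shell\Open\command\(Default) "
    r"Details: C:\Users\bob\AppData\Roaming\appidapi\UevTemplateBaselineGenerator.exe",
    r"EventID: 13 Image: C:\Users\bob\AppData\Roaming\appidapi\UevTemplateBaselineGenerator.exe "
    r"TargetObject: HKU\S-1-5-21-1-2-3-1001_Classes\ms-settings\Shell\Open\command\DelegateExecute "
    r"Details: (Empty)",
    r"EventID: 13 Image: C:\Users\bob\AppData\Roaming\appidapi\UevTemplateBaselineGenerator.exe "
    r"TargetObject: HKU\S-1-5-21-1-2-3-1001_Classes\mscfile\shell\open\command\(Default) "
    r"Details: C:\Users\bob\AppData\Roaming\appidapi\UevTemplateBaselineGenerator.exe",
    r"EventID: 13 Image: C:\Users\bob\AppData\Roaming\remcos\remcos.exe "
    r"TargetObject: HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos "
    r"Details: C:\Users\bob\AppData\Roaming\remcos\remcos.exe",
    # Benign: a system process touching a machine-wide key outside the rules.
    r"EventID: 13 Image: C:\Windows\System32\svchost.exe "
    r"TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "
    r"Details: explorer.exe",
]

_FIELDS = ("EventID", "Image", "TargetObject", "Details")
_FIELD_RE = re.compile(
    r"(%s): (.*?)(?= (?:%s): |$)" % ("|".join(_FIELDS), "|".join(_FIELDS))
)


def parse_event(line: str) -> dict:
    """Split one simplified 'Name: value Name: value' line into a dict."""
    return {m.group(1): m.group(2) for m in _FIELD_RE.finditer(line)}


def classify(event: dict):
    """Return a verdict string for a registry-set event, or None if benign."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    for name, key in UAC_BYPASS_KEYS.items():
        if key in target:
            return "uac_bypass:" + name
    # Run-key value whose data points into a user-writable AppData path.
    if RUN_KEY in target and "\\appdata\\" in details:
        return "persistence:run_key_appdata"
    return None


def scan(lines):
    """Yield (verdict, image, target) for every suspicious Event ID 13 line."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev["Image"], ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for verdict, image, target in scan(SAMPLE_EVENTS):
        print(f"{verdict:30} {image}  ->  {target}")
```

The fodhelper rule fires twice per bypass (once for the command value, once for DelegateExecute); in production, collapse the two into one alert keyed on the writing process. The Run-key rule deliberately requires the value data to point under AppData, since many legitimate installers write Run values that point to Program Files.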

The malware extracts a configuration resource named "SETTING" from its resource section.

Figure 19 Remcos loading the encrypted configuration from its resources

The configuration is encrypted with the RC4 stream cipher, as shown below:

Figure 20 Remcos encrypted configuration

The following is the RC4 routine used to decrypt the configuration:

Figure 21 RC4 routine used to decrypt the configuration

Figure 22 Decrypted configuration

The malware then creates the following mutex to mark that it is already running on the system:

Figure 23 Remcos RAT mutex

It then collects system information such as the user name, computer name and Windows version and sends it to the C&C server. The collected data is encrypted with RC4 using the password (the "pass" field) taken from the configuration.

Figure 24 Remcos collecting system information
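Because RC4 is symmetric, one routine both decrypts the SETTING resource and decodes the check-in traffic once the password has been read from the configuration. The following Python is an added example for this page, covering both the configuration decryption above and the encrypted system-information upload; it is not the sample's code or Trend Micro's. Everything in it is an assumption for illustration: the key "pass", the configuration string and its "|" field separator are constructed, and the blob layout (one byte of key length, then the key, then the RC4 ciphertext) is one reported in public Remcos analyses but not shown on this page, so check it against the real resource before relying on it.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key-scheduling + keystream generation). The same call
    encrypts and decrypts because RC4 just XORs the keystream over the data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, plaintext: bytes) -> bytes:
    """Assumed SETTING layout: key length (1 byte) + key + RC4 ciphertext.
    Only used here to construct a test blob; the real resource must be
    checked in the binary."""
    return bytes([len(key)]) + key + rc4(key, plaintext)


def decrypt_settings_blob(blob: bytes) -> bytes:
    """Decrypt a blob laid out as in build_settings_blob()."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def config_password(config: bytes, field_index: int = 2) -> bytes:
    """Pull the traffic password out of the decrypted configuration.
    The '|' separator and the field position are assumptions for this
    constructed config, not the layout of the real Remcos build."""
    return config.split(b"|")[field_index]


def decrypt_checkin(password: bytes, ciphertext: bytes) -> bytes:
    """Decode a captured check-in with the password taken from the config."""
    return rc4(password, ciphertext)


# Constructed sample values (TEST-NET-2 address, made-up fields).
SAMPLE_KEY = b"pass"
SAMPLE_CONFIG = b"198.51.100.7:2404|remcos|pass|remcos.exe|appidapi"
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_CONFIG)
SAMPLE_CHECKIN = b"bob|DESKTOP-1|Windows 10"
SAMPLE_CHECKIN_CT = rc4(SAMPLE_KEY, SAMPLE_CHECKIN)


if __name__ == "__main__":
    cfg = decrypt_settings_blob(SAMPLE_BLOB)
    print("config:", cfg.decode())
    pw = config_password(cfg)
    print("check-in:", decrypt_checkin(pw, SAMPLE_CHECKIN_CT).decode())
```

The rc4() function is checked in the test against the public "Key"/"Plaintext" vector (ciphertext BBF316E8D940AF0AD3), which is the quickest way to confirm a hand-written RC4 before pointing it at a real resource.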

The following list shows some of the commands supported by the malware:

Table 1 Remcos RAT commands

After analyzing this Remcos variant (its configuration, its communication mechanism and its functionality), we found many similarities with the earlier variant detected as Backdoor.Win32.Remcosrat.A. What sets this sample apart is that it wraps Remcos in AutoIt and uses different obfuscation and anti-debugging techniques to evade detection.

Preventive measures and solutions

To defend against email-borne attacks like this Remcos RAT campaign, users should avoid opening messages from unknown senders, especially those with attachments, and should think twice before clicking URLs. In enterprises, anyone who notices abnormal behavior on a system should report it to the network administrator immediately. We also recommend the following measures:

1. Learn to recognize phishing emails and the typical signs of a malicious message (typos, unusual wording, and so on).

2. Keep applications and operating systems updated.

3. Use application whitelisting, block unused ports, and disable unused components.

4. Monitor network traffic to spot abnormal behavior.

IoCs
