NetWitness Community

Summary:

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a Germany-based firm called Breaking Security. Remcos has been observed being used in malware campaigns with a wide array of functionalities.

On the Breaking Security website, Remcos or Remote Control and Surveillance tool, is marketed as a professional and legitimate tool for remotely managing Windows systems but it is now widely used in multiple malicious campaigns by threat actors. Remcos RAT is a sophisticated remote access Trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards. On this webpage, it provides two versions: professional edition (with all features included) and free edition (with restricted features).

Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims’ devices since its first version was published on July 21, 2016.

Remcos RAT is designed to be stealthy and evasive, making it difficult for antivirus software and other security measures to detect and remove it. It is typically delivered through social engineering techniques, such as phishing emails or malicious downloads.

Features / Capabilities:

Once installed on a victim's system, Remcos RAT provides the attacker with a wide range of capabilities, including:

• System: Screen Capture, File Manager, File Search, Process Manager, etc.
  
  
• Surveillance: Webcam, Microphone, Keylogger, Screenlogger, etc.
  
  
• Network: Proxy, Downloader, Open Webpage, etc.
  
  
• Others: Dll Loader, Logins Cleaner, Audio Player, etc.
  
  
• Heartbeat packet: Provides an inter-nodal communication packet.
  
  
• Unauthorized Access: Attackers can gain complete control of the victim's computer remotely, allowing them to access files, folders, and applications as if they were physically present at the machine.
  
  
• Ransomware Deployment: In some cases, attackers may use Remcos RAT to deliver and install ransomware on the victim's system, encrypting their files and demanding a ransom for decryption.
  
  
• Banking Fraud: Remcos RAT can be used to perform fraudulent transactions by gaining access to the victim's online banking accounts.
  
  
• Network Scanning: Remcos RAT can scan the local network to identify other vulnerable devices.
  
  
• DDoS Attacks: Some versions of Remcos RAT have been known to include DDoS capabilities, allowing attackers to use the compromised machines as part of a botnet to launch distributed denial-of-service attacks.
  
  
• Spreading Malware: Attackers can use Remcos RAT as a gateway to drop additional malware onto the victim's system, infecting it with more harmful software.
  
  
• Privilege Escalation: Remcos RAT may be used to escalate privileges on the compromised system, enabling the attacker to gain administrator or root access for more control over the device.
  
  
• Keylogging: Remcos RAT can capture all keystrokes made by the victim, including login credentials, credit card numbers, and other sensitive information. This enables attackers to steal valuable data.
  
  
• File Management: Attackers can access, download, and upload files on the compromised system, potentially stealing sensitive data or dropping additional malware.
  
  
• Surveillance: Remcos RAT can remotely enable the victim's webcam and microphone, allowing attackers to spy on the victim's activities and conversations.
  
  
• Screen Capture: Attackers can take screenshots of the victim's desktop, providing them with visual information about the victim's activities and potentially sensitive data.

Please refer to below images for more features/capabilities of Remcos RAT

                         Figure 1: Surveillance capabilities of Remcos RAT.

                               Figure 2: System capabilities of Remcos RAT.

Detection:

There are many articles on the internet covering how Remcos RAT can be delivered. Here in this article, I will be covering what happens when Remcos RAT is being run on the victim host and the ways attackers can use this RAT to get the system information, along with NetWitness detections covering several of it's typical activities. 

Activities done by Remcos RAT during initial execution on the victim device:

• Geo-location: Remcos RAT will try to get the victim machine geo location to register with attackers by sending a get request to geoplugin.net for location check by the infected Windows host.
  
  

                                                         Figure: Geo-location capabilities of Remcos RAT

          NetWitness can detect this activity with the rule "Host traffic to external IP checker”.

• Persistence: The malware adds a Startup registry key at “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” for it to become persistent when the device affected has been restarted. This path can be changed during the agent build process.

         NetWitness can detect this activity with "Remcos RAT Persistence registry entry". 

• During the installation of this software a specific registry key is set in place related to the licensing of this software. The rule "Remcos rat creates run key" detects agent/client install at the compromised host. With custom monitoring of these registry entries, we can get to know if the host is compromised with remcos or not as shown in the below image.

                                           Figure 3: Remcos RAT registry entry along with Netwitness detection.

Detecting sensitive information that, it could steal from a victim's machine.

• DxDiag: DirectX Diagnostic Tool (DxDiag) is a diagnostics tool used to test DirectX functionality and troubleshoot video- or sound-related hardware problems. DirectX Diagnostic can save text files with the scan results which contains current DirectX version, the computer's hostname, the operating system's version, information on the system BIOS, and other data. AS it is legitimate tool to use on windows machine, Remcos RAT exploits Dxdiag to obtains the above-mentioned information. 
  
  

          Figure 4: Detection of the activity "Enumeration of System Information using Dxdiag"
  
  

• Keylogging: This Remcos RAT has another feature for keylogging and grabbing the clipboard data that will be placed in the%appdata%\remcos folder named as logs.dat file. It also serves as a debug log for Remcos RAT for actions like clearing browser history and so on. Below is the snippet of logs.dat while testing this feature. [References [3]]

                Figure 5: Remcos RAT keylogging capabilities

         With the rule “Remcos RAT keylog File Creation” Netwitness can detect this activity.

• Audio Recording: Remcos RAT can record the victim’s audio input from an input device ( microphone). This behavior was seen in multiple Remcos RAT malware samples where it put the audio recording in the appdata\audio folder as part of data collection. This recording can be sent to its C2 server as part of its exfiltration to the compromised machine. Creation of wav files in this folder path is not a usual place for the user to save an audio format file.
  
  The rule “Suspicious audio file creation in temporary folders” can detect a suspicious creation of .wav file in appdata folder.                

• Screenshots: The attacker can capture a screenshot of the compromised machine and place it in the appdata folder, where it will be sent to its C2 server. This TTP is really a good indicator to check that process because it is in suspicious folder path and image files are not commonly created by a user in this folder path.
  
  The rule “Suspicious image file creation in temp folders” can detect a suspicious creation of .wav file in appdata folder.
  
  

• UAC Bypass: This RAT can Bypass UAC by modifying the "EnableLua" registry value to disable UAC on the compromised machine.
  
  The rule “Silently accepting end user license” detects any application accepting end user license agreement on a Windows host.

Remcos C2 Console usage Detection:

DNS Query: A specific DNS query was also detected during the installation process, specifically directed towards p4-preview.runhosting.com. Some other products from the same vendor have also been observed in this domain as well. 

                                                                 Figure 6

                                                          Figure 7

NetWitness Detections

After analyzing samples from various sources and referring to research articles, following are existing NetWitness Detections that aid in identifying not just Remcos RAT’s malicious activity, but other adversaries as well that might be part of similar techniques.

Application Rules (Endpoint):

          boc = "Disables UAC"
          boc = "Potential Windows User Account Control Bypass"
          boc = "Creates Run Key"
          boc = "Windows Executable Runs Command Shell"
          boc = "Lists Directory Structure of a Path"
          boc = "Disables UAC Remote Restrictions"
          boc = "unsigned writes executable to appdatalocal directory"

          boc = "Host Traffic to External IP Checker"

In addition to the existing content, we have also created new rules as mentioned above to better detect host and network activity related to Remcos RAT. All of the following are currently available from NetWitness Live. After deploying/importing these rules on to NetWitness stack, these can be seen under Investigate -> Navigate upon detecting any Remcos RAT related activity on the customer environment.

          boc = "enumeration_of_sys_info_using_dxdiag"                (App Rule - Endpoint)
          boc = "remcos_rat_c2_console_usage_detected"              (App Rule - Packet)
          boc = "remcos_rat_creates_run_key"                                 (App Rule - Endpoint)
          boc = "remcos_rat_keylog_file_creation"                            (App Rule - Endpoint)
          boc = "remcos_rat_persistence_registry_entry"                 (App Rule - Endpoint)
          boc = "suspicious_audio_file_creation_in_temp_folders"   (App Rule - Endpoint)
          boc = "suspicious_image_file_creation_in_temp_folders"  (App Rule - Endpoint)
          [Community] Remcos RAT YARA Rules

MITRE ATT&CK Information:

Conclusion:

Remcos or Remote Control and Surveillance, marketed as a legitimate software by Germany-based Breaking Security for remotely managing Windows systems is now widely used in multiple malicious campaigns by threat actors. Remcos RAT is a sophisticated remote access Trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards.

Currently many threat actors are utilizing social engineering techniques to deliver this payload. It is our responsibility to prevent and detect the activities done by threat actors using Remcos RAT.

In this blog, we examined Remcos RAT and how it can be used by threat actors to gain access to victim’s host. Next, we covered its features and capabilities in detail through activities done during installation and operation, and NetWitness detections for them as well as C2 console usage detection. Finally, we listed Mitre attack framework TTP's for Remcos RAT.

References:

[1] Remcos, Software S0332 | MITRE ATT&CK 

[2] The Latest Remcos RAT Driven By Phishing Campaign | FortiGuard Labs

[3] Detecting Remcos Tool Used by FIN7 with Splunk | Splunk

[4] Remcos - Splunk Security Content

[5] Remcos | Remote Control & Surveillance Software

[6] Triage

[7] Remcos Malware Analysis, Overview by ANY.RUN