
FirstWatch Threat Spotlight – Remcos RAT

manojpilli (Contributor)
2023-08-22 09:00 AM

Summary:

Remcos is a closed-source tool marketed as remote control and surveillance software by a Germany-based firm called Breaking Security. It has been observed in malware campaigns that make use of its wide array of functionality.

On the Breaking Security website, Remcos (Remote Control and Surveillance) is marketed as a professional, legitimate tool for remotely managing Windows systems, but it is now widely used in malicious campaigns by threat actors. Remcos RAT is a sophisticated remote access Trojan (RAT) that can fully control and monitor any Windows computer from XP onwards. The website offers two editions: a professional edition (all features included) and a free edition (restricted features).

Remcos RAT is recognized as a malware family because it has been abused by attackers to secretly control victims' devices since its first version was published on July 21, 2016.

Remcos RAT is designed to be stealthy and evasive, making it difficult for antivirus software and other security measures to detect and remove it. It is typically delivered through social engineering techniques, such as phishing emails or malicious downloads.

Features / Capabilities:

Once installed on a victim's system, Remcos RAT provides the attacker with a wide range of capabilities, including:

  • System: Screen Capture, File Manager, File Search, Process Manager, etc.

  • Surveillance: Webcam, Microphone, Keylogger, Screenlogger, etc.

  • Network: Proxy, Downloader, Open Webpage, etc.

  • Others: Dll Loader, Logins Cleaner, Audio Player, etc.

  • Heartbeat packet: Provides an inter-nodal communication packet.

  • Unauthorized Access: Attackers can gain complete control of the victim's computer remotely, allowing them to access files, folders, and applications as if they were physically present at the machine.

  • Ransomware Deployment: In some cases, attackers may use Remcos RAT to deliver and install ransomware on the victim's system, encrypting their files and demanding a ransom for decryption.

  • Banking Fraud: Remcos RAT can be used to perform fraudulent transactions by gaining access to the victim's online banking accounts.

  • Network Scanning: Remcos RAT can scan the local network to identify other vulnerable devices.

  • DDoS Attacks: Some versions of Remcos RAT have been known to include DDoS capabilities, allowing attackers to use the compromised machines as part of a botnet to launch distributed denial-of-service attacks.

  • Spreading Malware: Attackers can use Remcos RAT as a gateway to drop additional malware onto the victim's system, infecting it with more harmful software.

  • Privilege Escalation: Remcos RAT may be used to escalate privileges on the compromised system, enabling the attacker to gain administrator or root access for more control over the device.

  • Keylogging: Remcos RAT can capture all keystrokes made by the victim, including login credentials, credit card numbers, and other sensitive information. This enables attackers to steal valuable data.

  • File Management: Attackers can access, download, and upload files on the compromised system, potentially stealing sensitive data or dropping additional malware.

  • Surveillance: Remcos RAT can remotely enable the victim's webcam and microphone, allowing attackers to spy on the victim's activities and conversations.

  • Screen Capture: Attackers can take screenshots of the victim's desktop, providing them with visual information about the victim's activities and potentially sensitive data.

The images below show further features and capabilities of Remcos RAT.

Figure 1: Surveillance capabilities of Remcos RAT.

Figure 2: System capabilities of Remcos RAT.

Detection:

There are many articles on the internet covering how Remcos RAT is delivered. In this article I cover what happens when Remcos RAT runs on the victim host and the ways attackers use this RAT to gather system information, along with the NetWitness detections that cover several of its typical activities.

 

Activities performed by Remcos RAT during initial execution on the victim device:

  • Geo-location: Remcos RAT tries to determine the victim machine's geographic location and report it to the attacker. The infected Windows host does this by sending a GET request to geoplugin.net.

    Figure: Geo-location capabilities of Remcos RAT

    NetWitness can detect this activity with the rule "Host traffic to external IP checker".

  • Persistence: The malware adds a Startup registry key under "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" so that it persists after the affected device is restarted. This path can be changed during the agent build process.

    NetWitness can detect this activity with the rule "Remcos RAT Persistence registry entry".

  • Licensing registry key: During installation of this software a specific registry key related to its licensing is set. The rule "Remcos rat creates run key" detects the agent/client install on the compromised host. With custom monitoring of these registry entries we can tell whether the host is compromised with Remcos, as shown in the image below.

    Figure 3: Remcos RAT registry entry along with NetWitness detection.

Detecting the collection of sensitive information that it could steal from a victim's machine:

  • DxDiag: The DirectX Diagnostic Tool (DxDiag) is a diagnostics tool used to test DirectX functionality and troubleshoot video- or sound-related hardware problems. It can save its scan results to a text file containing the current DirectX version, the computer's hostname, the operating system version, information on the system BIOS, and other data. Because it is a legitimate tool on Windows machines, Remcos RAT abuses DxDiag to obtain the information listed above.

    Figure 4: Detection of the activity "Enumeration of System Information using Dxdiag"

  • Keylogging: Remcos RAT also has a feature for keylogging and grabbing clipboard data, which is written to a file named logs.dat in the %appdata%\remcos folder. The same file serves as a debug log for Remcos RAT actions such as clearing browser history. Below is a snippet of logs.dat captured while testing this feature. [Reference [3]]

    Figure 5: Remcos RAT keylogging capabilities

    NetWitness can detect this activity with the rule "Remcos RAT keylog File Creation".

  • Audio Recording: Remcos RAT can record the victim's audio from an input device (microphone). This behavior was seen in multiple Remcos RAT samples, which wrote the recording to the appdata\audio folder as part of data collection. The recording can then be sent to the C2 server as part of exfiltration from the compromised machine. This folder path is not a usual place for a user to save audio files, so the creation of .wav files there stands out.

    The rule "Suspicious audio file creation in temporary folders" detects suspicious creation of .wav files in the appdata folder.

  • Screenshots: The attacker can capture a screenshot of the compromised machine and place it in the appdata folder, from where it is sent to the C2 server. This TTP is a good indicator to investigate the responsible process, because the folder path is suspicious and image files are not commonly created by users in this location.

    The rule "Suspicious image file creation in temp folders" detects suspicious creation of image files in the appdata folder.

  • UAC Bypass: This RAT can bypass UAC by modifying the "EnableLUA" registry value to disable UAC on the compromised machine.

    The rule "Silently accepting end user license" detects any application accepting an end user license agreement on a Windows host.

 

Remcos C2 Console Usage Detection:

DNS Query: A specific DNS query was also detected during the installation process, directed to p4-preview.runhosting.com. Other products from the same vendor have also been observed using this domain.

Figure 6

Figure 7

NetWitness Detections

After analyzing samples from various sources and consulting the research articles in the references, the following existing NetWitness detections help identify not only Remcos RAT's malicious activity but also other adversaries that use similar techniques.

 

Application Rules (Endpoint):

    boc = "Disables UAC"
    boc = "Potential Windows User Account Control Bypass"
    boc = "Creates Run Key"
    boc = "Windows Executable Runs Command Shell"
    boc = "Lists Directory Structure of a Path"
    boc = "Disables UAC Remote Restrictions"
    boc = "unsigned writes executable to appdatalocal directory"
    boc = "Host Traffic to External IP Checker"

 

In addition to the existing content, we have also created the new rules mentioned above to better detect host and network activity related to Remcos RAT. All of the following are currently available from NetWitness Live. After deploying or importing these rules onto the NetWitness stack, their hits can be seen under Investigate -> Navigate whenever Remcos RAT related activity is detected in the customer environment.


    boc = "enumeration_of_sys_info_using_dxdiag"               (App Rule - Endpoint)
    boc = "remcos_rat_c2_console_usage_detected"               (App Rule - Packet)
    boc = "remcos_rat_creates_run_key"                         (App Rule - Endpoint)
    boc = "remcos_rat_keylog_file_creation"                    (App Rule - Endpoint)
    boc = "remcos_rat_persistence_registry_entry"              (App Rule - Endpoint)
    boc = "suspicious_audio_file_creation_in_temp_folders"     (App Rule - Endpoint)
    boc = "suspicious_image_file_creation_in_temp_folders"     (App Rule - Endpoint)
    [Community] Remcos RAT YARA Rules
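As an added illustration (not NetWitness code and not part of the original post), the Python below expresses the host-side activities described above (RunOnce persistence, logs.dat keylog file, .wav and image files under appdata, EnableLUA set to 0, the geoplugin.net request, and dxdiag report generation) as simple match rules and runs them over a constructed set of endpoint events. The event schema, the sample paths and values, and the matching logic are assumptions of this example; only the rule names follow the NetWitness app rules listed above.

```python
import re

# Constructed sample endpoint events (not real telemetry). The user "u" and all
# paths are made up; the event schema itself is an assumption of this example.
SAMPLE_EVENTS = [
    {"type": "registry_write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "remcos", "data": r"C:\Users\u\AppData\Roaming\remcos\remcos.exe"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\remcos\logs.dat"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\audio\rec-0001.wav"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\screens\cap-0001.png"},
    {"type": "registry_write",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0"},
    {"type": "http_request", "host": "geoplugin.net", "uri": "/json.gp"},
    {"type": "process_start", "image": r"C:\Windows\System32\dxdiag.exe",
     "cmdline": r"dxdiag /t C:\Users\u\AppData\Local\Temp\dx.txt"},
    {"type": "file_create", "path": r"C:\Users\u\Documents\report.docx"},  # benign
]

APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)

def _file_in_appdata(ev, exts):
    # True for a file_create event under AppData with one of the given extensions.
    path = ev.get("path", "")
    return (ev["type"] == "file_create" and bool(APPDATA.search(path))
            and path.lower().rsplit(".", 1)[-1] in exts)

# Rule name -> predicate. Names mirror the NetWitness app rules listed above;
# the matching logic is this example's own approximation, not NetWitness's.
RULES = {
    "remcos_rat_persistence_registry_entry": lambda ev:
        ev["type"] == "registry_write"
        and re.search(r"^HKCU\\.*\\CurrentVersion\\(Run|RunOnce)$", ev["key"], re.I)
        and APPDATA.search(ev.get("data", "")),   # autostart target lives in AppData
    "remcos_rat_keylog_file_creation": lambda ev:
        ev["type"] == "file_create"
        and re.search(r"\\AppData\\Roaming\\remcos\\logs\.dat$", ev["path"], re.I),
    "suspicious_audio_file_creation_in_temp_folders": lambda ev:
        _file_in_appdata(ev, {"wav"}),
    "suspicious_image_file_creation_in_temp_folders": lambda ev:
        _file_in_appdata(ev, {"png", "jpg", "jpeg", "bmp"}),
    "disables_uac": lambda ev:
        ev["type"] == "registry_write" and ev["value"].lower() == "enablelua"
        and str(ev.get("data")) == "0",
    "host_traffic_to_external_ip_checker": lambda ev:
        ev["type"] == "http_request" and ev["host"].lower().endswith("geoplugin.net"),
    "enumeration_of_sys_info_using_dxdiag": lambda ev:   # dxdiag /t writes a report file
        ev["type"] == "process_start"
        and ev["image"].lower().endswith("\\dxdiag.exe") and " /t " in ev["cmdline"].lower(),
}

def match_events(events):
    """Return [(rule_name, event_index)] for every event that trips a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, pred in RULES.items() if pred(ev)]
```

Running match_events(SAMPLE_EVENTS) flags the first seven constructed events, one rule each, and leaves the benign document write untouched.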

 

MITRE ATT&CK Information:

| Tactic | T. ID | Technique Name | Activity |
|---|---|---|---|
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Remcos can launch a remote command line to execute commands on the victim's machine. |
| Execution | T1059.006 | Command and Scripting Interpreter: Python | Remcos uses Python scripts. |
| Defence Evasion | T1112 | Modify Registry | Remcos has full control of the Registry, including the ability to modify it. |
| Defence Evasion | T1027 | Obfuscated Files or Information | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths. |
| Defence Evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Remcos has a command for UAC bypassing. |
| Defence Evasion | T1055 | Process Injection | Remcos has a command to hide itself through injecting into another process. |
| Discovery | T1083 | File and Directory Discovery | Remcos can search for files on the infected machine. |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Remcos searches for Sandboxie and VMware on the system. |
| Collection | T1123 | Audio Capture | Remcos can capture data from the system's microphone. |
| Collection | T1115 | Clipboard Data | Remcos steals and modifies data from the clipboard. |
| Collection | T1056.001 | Input Capture: Keylogging | Remcos has a command for keylogging. |
| Collection | T1113 | Screen Capture | Remcos takes automated screenshots of the infected machine. |
| Collection | T1125 | Video Capture | Remcos can access a system's webcam and take pictures. |
| Command and Control | T1090 | Proxy | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying. |
| Command and Control | T1105 | Ingress Tool Transfer | Remcos can upload and download files to and from the victim's machine. |



Conclusion:

Remcos (Remote Control and Surveillance), marketed as legitimate software by Germany-based Breaking Security for remotely managing Windows systems, is now widely used in malicious campaigns by threat actors. Remcos RAT is a sophisticated remote access Trojan (RAT) that can fully control and monitor any Windows computer from XP onwards.

Currently many threat actors use social engineering techniques to deliver this payload. It is our responsibility to prevent and detect the activities threat actors carry out with Remcos RAT.

In this blog we examined Remcos RAT and how threat actors use it to gain access to a victim's host. We then covered its features and capabilities in detail through the activities performed during installation and operation, the NetWitness detections for them, and C2 console usage detection. Finally, we listed the MITRE ATT&CK TTPs for Remcos RAT.

References:

[1] Remcos, Software S0332 | MITRE ATT&CK
[2] The Latest Remcos RAT Driven By Phishing Campaign | FortiGuard Labs
[3] Detecting Remcos Tool Used by FIN7 with Splunk | Splunk
[4] Remcos | Splunk Security Content
[5] Remcos | Remote Control & Surveillance Software
[6] Triage
[7] Remcos Malware Analysis, Overview | ANY.RUN


Labels:
  • Announcements
  • Resources
  • Tutorials
  • Use Cases
  • Malware
  • Remcos RAT
  • Threat Intelligence
  • threat research
  • Threat Spotlight
  • Windows