Remcos RAT is a malware classified as a Remote Access Trojan. This means that it is usually used by threat actors to control infected PCs remotely or spy on users by capturing keystrokes, watching them through their webcam, or even listening to their microphone. 

Through Remcos RAT, threat actors can remotely execute malicious tasks on a user’s computer and steal any sensitive data that is available to them.

Read on to learn about Remcos RAT’s attack chain and the deeper implications of this malware’s capabilities.

The Phishing Email

Like most attacks these days, Remcos RAT’s payload is delivered via email, the number one attack vector for cyberattacks.

The user receives an email, posing as an urgent invoice request. In the text of the message, the sender urges the recipient to open the attached invoice, which is actually an embedded URL in a picture. Once the user clicks on the attachment, they are redirected to a OneDrive automated download which triggers the initial payload.

There are several warning signs within the email to indicate that it may be malicious: 1) the subject line is generic, 2) the sender originates from a Gmail address, indicating it is not affiliated with an official company, 3) the message itself is concise with the clear goal of prompting the reader to click on the attachments.

Remcos RAT email

Figure 1: The email with the fake invoice attachments, requesting an invoice (Slovenian).

The Remcos RAT Attack Flow

Now, let’s review the components of the attack, breaking it down step by step. Below, you can see a visual map of the steps involved in the attack:

Remcos RAT attack flow

Figure 2: The attack flow

Stage 1: Once the user clicks on the OneDrive URL, an ace type archive is automatically downloaded; inside of it we can find Faktura 9382022.vbs.

Stage 2: While Faktura 9382022.vbs is being executed, it downloads an additional payload located on one of the threat actor servers (GH2.jpg).

Stage 3: GH2.jpg (a JavaScript file) is then executed, containing inside of it and evoking an embedded PowerShell script.

Stage 4: The PowerShell script creates an alias for IEX (set to the char: “P”) and downloads an additional payload located on the same server from Stage 2 (GH1.jpg).

Stage 5: GH1.jpg (a PowerShell file) contains two embedded files: Sneaky.dll and archived Remcos. During the execution process of the script, the dll is invoked.

Stage 6: Next, Sneaky.dll loads the archived Remcos malware, unpacks it from the archive, and injects it into RegAsm.exe (a legitimate Microsoft .NET executable).

Stage 7: The injected Remcos RAT connects with the threat actor’s C2 server and waits for C&C instructions.

Keep reading for a detailed analysis of the files and commands used throughout the attack.

Initial Access

The initial VBScript, “Faktura 9382022.vbs”, is heavily obfuscated, containing several replacement functions and some “clean bytes” in order to pass static analysis engines (such as VirusTotal):

Remcos RAT

Figure 3: Faktura 9382022.vbs

After cleaning the script we can see that the script has two main functions. The first is copying itself to the startup folder of the user’s computer (in order to maintain persistence): 

Remcos RAT

Figure 4: Function 1

The second thing that the script does is create a MSXML document. By using the load method within, the script executes an additional payload located on a remote server (hxxps[://]solutionias[.]com/bin/GH2[.]jpg):

Remcos RAT


Figure 5: Function 2 

Unwrapping the Obfuscations

If we manually navigate to the threat actor’s server, we can see that this is not a picture  but  rather an xsl file containing JavaScript script:

Remcos RAT

Figure 6: JavaScript script

Within the script, you can see a large string passed to a certain function. When you look at the string itself, you can see that the script has a HEX-type string structure:

Remcos RAT

Figure 7: HEX string

We input this string to CyberChef and applied the “From HEX” recipe to give us a brand new obfuscated PowerShell command:

Remcos RAT

Figure 8: The new PowerShell command

When analyzing the PowerShell script further, the threat actor does something unique: he creates a new alias for the IEX (Invoke-Expression) command. By doing this he can call the IEX command without writing down IEX, which can help the attack bypass static AV detection:

Remcos RAT

Figure 9: The new alias for the IEX command

As we’ve already seen, this PowerShell script also contains a variable with a binary-type string. When you take this string to CyberChef and apply “From Binary” (delimiter: comma, Byte Length: 8), the output gives us a new obfuscated PowerShell script:

Remcos RAT

Figure 10: the new obfuscated PowerShell script

Once we cleaned up the script, we noticed three main things occurring:

  • The script sets up the security protocol to be TLS 1.2.
  • It alerts Google to ensure that the protocol configuration works.
  • It creates a WebClient object to download and invoke the additional payload located on the same remote server as we previously observed (hxxps[://]solutionias[.]com/bin/GH1[.]jpg).
Remcos RAT

Figure 11: The three actions

DLL Loading & Process Hollowing

The payload that was downloaded also has a jpg extension. By navigating back again to the threat actor’s remote server, we can see that the threat actor uses the method of trying to hide the real file extension by changing it to a jpg:

Remcos RAT

Figure 12: Hiding the file extension as a jpg

The downloaded script is actually another PowerShell script that contains two big variables –  $MNB and $fbOd:

  • $hoDNhAI – unpacks the $MNB variable using an embedded function (Sneaky.dll)
  • $fbOd – Archived Remcos agent
Remcos RAT

There is also the $ayy variable which is responsible for loading the dll (stored on $hoDNhAI):

Figure 13: $ayy variable

We can see in the figure above that when Sneaky.dll is loaded, the script invokes a method called: “Black”. This method is located under the “toooyou” class in the “Sneaky” namespace:

Remcos RAT

Figure 14: “Sneaky” namespace

Since the dll is heavily obfuscated, we used De4Dot to deobfuscate it and make the dll a bit more readable. We can see that the method that was invoked receives two arguments:

  1. String tt 
  2. Byte[] ukk

These arguments are passed in the PowerShell script; the string that is passed is “RegAsm.exe”; the byte array is the archived Remcos.

Following the flow of the “Black” method, we can see that a new array object is declared, containing the string that was passed. The result of the method is “GLPFPGLLRRR”, which receives the archived Remcos as argument):

Remcos RAT

Figure 15: GLPFGLLRRRR

This function is responsible for unpacking the Remcos agent out of the gzip archive. After that, the dll starts the hollowing process by spawning the legitimate RegAsm.exe process in suspended mode and inject the unpacked Remcos agent:

Remcos RAT

Figure 16: Unpacking the Remcos agent

Remcos RAT

Figure 17: The hollowing process

Finally, the RegAsm.exe process runs on the user’s system with the injected Remcos RAT inside of it. The RAT will begin to harvest information, creating mutex and persistence files.

Extracting Remcos Configurations

Once we unpacked the Remcos agent, we extracted the configurations set by the author completely statically by following the next steps:

  • Open up the Remcos agent in CFFExplorer.
  • Navigate to Resource Editor -> RCData -> SETTINGS. 
  • The first byte of the resource indicates the key length (the data is encrypted with RC4 encryption and marked in blue in the picture below).
  • What follows are the next key_length bytes, which is the actual RC4 key (marked in orange).
  • The rest of the remaining bytes are the encrypted data (marked in red).
Remcos RAT

Figure 18: Remcos configurations

If you enter the key and the data to CyberChef, you can easily decrypt the data and see the configurations of this Remcos agent (make sure to put key format to HEX and also to input format to HEX): 

Remcos RAT

Figure 19: Decrypted Remcos configurations

Extracted Configuration:

Host:port:password – menz.ddns.net:9001:1

Assigned name – AUG

Copy file – vlc.exe

Copy folder – vlc

Startup value – Remcos

Mutex – Grace-JFMZCP 

Recommendations

Remcos RAT malware can cause major damage to an organization when deployed on a device of a highly valued employee. It is usually delivered via phishing email, targeting the specific person (known as spear phishing or whale phishing). There isn’t much that the user has to do in order to initiate the attack; it takes just one click – one human error – and this massive attack chain can be easily executed.

To avoid becoming the next Remcos RAT victim, we recommend taking the following steps to mitigate your risk:

  1. Educate employees on the need for email security and the risk of opening suspicious emails and attachments. 
  2. Run email security drills every few months to ensure that employees know what to look for in a suspicious email. 
  3. Create a process for employees to follow when they receive a suspicious email or link.
  4. Do not open files with strange links or attachments.
  5. Always double check the identity of the sender.
  6. Deploy an advanced email security solution that prevents these malicious emails from reaching users’ inboxes.

Interested in protecting your organization from malware? Learn more here.

IOCs

Domains:

solutionias.com

menz.ddns.net

URLs:

hxxps[://]solutionias[.]com/bin/GH1[.]jpg

hxxps[://]solutionias[.]com/bin/GH2[.]jpg

Samples SHA-256:

Faktura 9382022.vbs – 0f1f455812da4f4169d34b3c953c28d9e64681a1968251799f625874f272928b

GH2.jpg – 6f7d778233adbdebe66d157f655cb21d4bdf7aab69a9503d60e226231fcb28b1

GH1.jpg – 01265bac08e6f515eb0f51f71ba02d1c529bc6728758a92c92b50fa25cb196f6

Sneaky.dll – 5a0698525d8be66696cc4a7be1a93efb16d8ef11c48bc7319c57435c4acfebc8

Packed Remcos.zip – 01b80319017fc7145f5bac41a773500720a8bd0380bc4821aabb0468f3daeea5

Unpacked Remcos.exe – 945b5bfb70e33c495f39f731fd7b9772eafd27d1d8512eb5f08872229074c47b