Introduction
Remcos is an extensive and powerful Remote Administration Tool, first seen listed for sale on underground forums in the latter half of 2016. Since its emergence it has undergone many updates that added more features. Its payload has been observed being distributed in the wild through many campaigns. Remcos can be used to fully administer one or many computers remotely. It typically infects a system by embedding a specially crafted settings file into an Office document. By sending this malicious file to victims in specially crafted malspam emails, attackers can trick a user into running malicious code on their system. The code is XML that allows any binary, with parameters, to be executed; it is used to download and execute the Remcos RAT. Remcos can be purchased for around $58 up to $390, depending on the license period and the maximum number of masters or clients needed.
MITRE ATT&CK Table
The following is a list of MITRE ATT&CK techniques we have observed based on our analysis of this malware.
Analysis Report of Remcos RAT
File Identity:
| Property | Value |
|---|---|
| File Name | BLUNT1040RET18.doc |
| File Type | Document File |
| File Info | Office 97-2003 Word file |
| File Size | 5.42 MB (5685760 bytes) |
| MD5 | 7FCF5DBE0B255150BB9758B6AD9031CA |
| SHA-1 | 12A196E5263749D2157678A498A1CF82E31EB2FF |
| SHA-256 | e2faf631d3e184194f20a019fb90c83b97d386374d64150a98fd7de1459caf6a |
| VirusTotal Score | 6/59 |
| Hybrid Analysis Score | 22% |

| Property | Value |
|---|---|
| File Name | 37989513.exe |
| File Type | Portable Executable 32 |
| File Info | Borland C++ for Win32 1999 |
| File Size | 3.06 MB (3207168 bytes) |
| MD5 | EB19A7EA80868AC328AB72BC0AAEDFA0 |
| SHA-1 | 145D49C2E42BE622A9C1D9B4BDF8B286E72FD25F |
| SHA-256 | f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd |
| VirusTotal Score | 13/72 |
| Hybrid Analysis Score | 18% |

| Property | Value |
|---|---|
| File Name | Banquo.dll |
| File Type | Portable Executable 32 |
| File Info | Dynamic Link Library |
| File Size | 25.50 KB (26116 bytes) |
| MD5 | C4F9911EEDBCC3E07B837B1A12552C5A |
| SHA-1 | 9A9B4A85DE03D7440B0F124F6E5AA31253D37745 |
| SHA-256 | ebf2ee0926b6e013c51c0876228f568cac952fac51b29de472c1fda9e5281d85 |
| VirusTotal Score | 20/71 |
| Hybrid Analysis Score | |
Summary of Analysis:
Detailed analysis of the .doc file shows that it contains malicious VB macros. On further analysis, we found that the document drops a dropper with a .exe extension into the %temp% folder. That executable performs malicious activities such as attempting to communicate with the C&C server, and it also writes keys into the Windows registry.
Characteristics:
The following characteristics were observed in the .doc file.
- When the victim opens the DOC file, a message pops up on their screen prompting them to enable macros, as shown below:
- On further static analysis, it is discovered that the DOC file contains two books of malicious macros.
- We also found that this VB macro declares another file with the name “Banquo”; after searching for it on the system, it was found as a DLL file inside the Windows Documents folder.
- On opening the source code of the Banquo.dll file, it is observed that this malware uses the “GetKeyboardLayoutNameW” Windows native function, which lives in user32.dll.
- On further static drilling, it is found that this DLL invokes the bootcfg process (a Windows native process) to perform some task; bootcfg is used for boot-level configuration.
- After searching for the offset value in the assembly, we also found the memory address of bootcfg.exe in the assembly code.
- Moving forward, while analyzing the 37989513.exe file in a hex editor we found string values saying “this program should be run under Win32”, as shown below:
- After reviewing the XML manifest, the requested execution level was found to be “asInvoker”, which means the file runs with the privileges of the current user.
- We also found that this file attempts registry changes, as specified in the assembly code.
- This program is also found using the socket function from winsock2.h in order to create TCP/UDP connections, as shown below:
- It also adds a service to the registry using the WSASetServiceW function from winsock2.h, as shown below:
From the static overview, it is understood that the VB macros drop the Banquo.dll file into the Documents folder. Through that DLL, the malware performs tasks such as boot-level configuration; on the other end, “37989513.exe” is dropped into the %temp% folder and initiates TCP and UDP connections outside the system, along with the registry changes.
Dependencies:
The following dependencies were observed in the malware file.
- This malware cannot work properly without its dropper files 37989513.exe and Banquo.dll.
- This malware is designed to establish the C&C connection automatically once infection occurs. Without the connection, it cannot perform its objectives.
- This malware was designed for, and is compatible with, Win32.
Following is the complete process-working graph for this attack.
Memory Graph
Behavioral Findings through Analysis:
The following behavior was observed for this malware:
- When the DOC file is executed, it asks you to enable the macros it contains. Once the macros are enabled, they execute and drop two files with the names Banquo.dll and 37989513.exe.
- The Banquo.dll file then creates another Windows native process instance, bootcfg.exe, which is used for boot configuration; bootcfg.exe in turn creates another process named conhost.exe.
- 37989513.exe appears as another process in the stream and is found creating “extrac32.exe”, which is also a Windows native utility; cmd.exe was found to be created under it, as shown below:
- cmd.exe was found communicating with the IP address “23.106.124.101” right after the execution of the above processes. This means 37989513.exe is designed to create a cmd process and generate C&C calls by passing arguments through it.
- In addition, the process was also found adding registry keys to the system under “HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Resiliency\StartupItems\8p”, as shown below:
Remediation:
In order to remediate this threat, the following points should be considered:
- Block the subject IP “23.106.124.101”.
- Kill the cmd.exe process that initiates the communication to the C&C server, along with its parent process, 37989513.exe.
- Search for the registry changes relevant to Blunt.doc.
- Closely monitor the 37989513.exe process for any suspicious activity.
- Closely monitor URLs with abnormal URI strings or abnormal length.
- Block the hashes associated with these malware files on EDR and endpoint controls.
- Delete unnecessary Documents and temp folder entries.
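Detection logic covering the behavioral findings and the remediation list above, as an added example that is not Rewterz's code: it runs over constructed endpoint telemetry (the flat dict event shape is an assumption) and flags the page's SHA-256 hashes, the C&C address, the 37989513.exe > extrac32.exe > cmd.exe chain and the Resiliency\StartupItems registry write.

```python
# Indicators taken from the file-identity tables and behavioral findings above.
IOC_SHA256 = {
    "e2faf631d3e184194f20a019fb90c83b97d386374d64150a98fd7de1459caf6a": "BLUNT1040RET18.doc",
    "f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd": "37989513.exe",
    "ebf2ee0926b6e013c51c0876228f568cac952fac51b29de472c1fda9e5281d85": "Banquo.dll",
}
C2_IP = "23.106.124.101"
PERSISTENCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Resiliency\StartupItems"
DROPPER_CHAIN = ["cmd.exe", "extrac32.exe", "37989513.exe"]  # child-first, as the tree is walked upward


def ancestry(procs, pid):
    """Return lower-cased image names from pid up to the root of its process tree."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return sorted findings: known hashes, C2 address, dropper chain, StartupItems registry write."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = set()
    for e in events:
        sha = (e.get("sha256") or "").lower()
        if sha in IOC_SHA256:
            findings.add(f"ioc_hash:{IOC_SHA256[sha]}")
        if e["type"] == "network" and e["dst"] == C2_IP:
            findings.add(f"c2_connect:pid{e['pid']}")
            if ancestry(procs, e["pid"])[:3] == DROPPER_CHAIN:
                findings.add("c2_via_dropper_chain")
        if e["type"] == "registry" and e["key"].startswith(PERSISTENCE_KEY):
            findings.add("office_resiliency_persistence:" + e["key"].rsplit("\\", 1)[-1])
    return sorted(findings)


# Constructed sample telemetry (assumed normalised event shape) mirroring the process tree above.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "37989513.exe",
     "sha256": "f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "extrac32.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "cmd.exe"},
    {"type": "network", "pid": 400, "dst": "23.106.124.101", "proto": "tcp"},
    {"type": "registry", "pid": 200,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Resiliency\StartupItems\8p"},
    {"type": "network", "pid": 100, "dst": "192.0.2.10", "proto": "tcp"},  # benign, TEST-NET address
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```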
Beware of the social engineering techniques employed by cyber criminals: identify phishing emails, impersonated calls, and fraudulent businesses and domains, and learn how to respond to a suspected compromise. Rewterz Threat Intelligence and SOC enable us not only to detect, but also to mitigate threats from malware like Remcos.
The above analysis was performed in a controlled environment in Rewterz Threat Intelligence Labs. If you have any malware samples or binaries that need to be analyzed, contact us at info@rewterz.com.