Remcos is an extensive and powerful Remote Administration Tool, first seen listed for sale on underground forums in the second half of 2016. Since its emergence it has undergone many updates that added more features to it. Its payload has been observed being distributed in the wild through many campaigns. Remcos can be used to fully administer one or many computers remotely. It typically infects a system by embedding a specially crafted settings file into an Office document. By sending this malicious file to victims via specially crafted malspam emails, attackers can trick a user into running malicious code on their system. The code is XML that allows any binary to be executed with parameters, and it is used to download and execute the Remcos RAT. Remcos can be purchased for around $58 up to $390, depending on the license period and the maximum number of masters or clients needed.
The following is a list of MITRE ATT&CK techniques we have observed based on our analysis of this malware.
Property | Value |
---|---|
File Name | BLUNT1040RET18.doc |
File Type | Document File |
File Info | Office 97-2003 word file |
File Size | 5.42 MB (5685760 bytes) |
MD5 | 7FCF5DBE0B255150BB9758B6AD9031CA |
SHA-1 | 12A196E5263749D2157678A498A1CF82E31EB2FF |
SHA-256 | e2faf631d3e184194f20a019fb90c83b97d386374d64150a98fd7de1459caf6a |
Virus Total Score | 6/59 |
Hybrid Analysis Score | 22% |
Property | Value |
---|---|
File Name | 37989513.exe |
File Type | Portable Executable 32 |
File Info | Borland C++ for Win32 1999 |
File Size | 3.06 MB (3207168 bytes) |
MD5 | EB19A7EA80868AC328AB72BC0AAEDFA0 |
SHA-1 | 145D49C2E42BE622A9C1D9B4BDF8B286E72FD25F |
SHA-256 | f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd |
Virus Total Score | 13/72 |
Hybrid Analysis Score | 18% |
Property | Value |
---|---|
File Name | Banquo.dll |
File Type | Portable Executable 32 |
File Info | Dynamic Link Library |
File Size | 25.50 KB (26116 bytes) |
MD5 | C4F9911EEDBCC3E07B837B1A12552C5A |
SHA-1 | 9A9B4A85DE03D7440B0F124F6E5AA31253D37745 |
SHA-256 | ebf2ee0926b6e013c51c0876228f568cac952fac51b29de472c1fda9e5281d85 |
Virus Total Score | 20/71 |
Hybrid Analysis Score |
Detailed analysis of the .doc file shows that it contains malicious VB macros. On further analysis, the document is found to drop an executable (.exe) dropper into the %temp% folder. That executable then performs malicious activity such as attempting to communicate with the C&C server, and it also adds keys to the Windows registry.
Following are the characteristics observed in the .doc file.
According to the static overview, the VB macros drop the Banquo.dll file into the Documents folder. Through that .dll the malware performs tasks such as boot-level configuration, while "37989513.exe" is dropped into the %temp% folder; this executable initiates outbound TCP and UDP connections from the system and makes the registry changes.
Following are the dependencies observed in the malware file.
Without that connection, the malware cannot carry out its objectives.
Following is the complete process-working graph for this attack.
Following are the behaviors of this malware:
37989513.exe appears as another process in the stream; it is found creating "extrac32.exe", a native Windows utility, which in turn spawns cmd.exe, as shown below:
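The behaviors described above (an executable dropped into %temp% by the macro, registry changes by that executable, and the 37989513.exe → extrac32.exe → cmd.exe process chain) translate directly into detection logic. The following Python is an added example, not Rewterz tooling or part of the original report: it runs a handful of rules over constructed, Sysmon-like process-creation and registry events. The SHA-256 values come from the IoC tables above; the Office process names, file paths and the registry key in the sample events are assumptions made for the example, and the report does not name the registry key itself.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# SHA-256 values copied from the report's IoC tables above.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "e2faf631d3e184194f20a019fb90c83b97d386374d64150a98fd7de1459caf6a": "BLUNT1040RET18.doc",
    "f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd": "37989513.exe",
    "ebf2ee0926b6e013c51c0876228f568cac952fac51b29de472c1fda9e5281d85": "Banquo.dll",
}

# Assumption: the macro runs inside one of these Office host processes.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Event:
    """One constructed endpoint telemetry record (Sysmon-like, simplified)."""
    kind: str                       # "process" (creation) or "registry" (value set)
    pid: int
    image: str                      # full path of the acting process
    parent_pid: Optional[int] = None
    sha256: Optional[str] = None    # hash of the image, when the sensor supplies it
    target: Optional[str] = None    # registry key touched, for "registry" events


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_temp(path: str) -> bool:
    """True for images living under a Temp directory, as the dropper does."""
    return "\\temp\\" in path.lower()


def ancestors(pid: int, procs: Dict[int, Event]) -> Iterator[Event]:
    """Walk the parent chain, nearest parent first; guard against pid-reuse cycles."""
    seen = {pid}
    ev = procs.get(pid)
    while ev is not None and ev.parent_pid is not None and ev.parent_pid not in seen:
        seen.add(ev.parent_pid)
        ev = procs.get(ev.parent_pid)
        if ev is not None:
            yield ev


def analyse(events: List[Event]) -> List[str]:
    """Return one alert string per rule hit, in event order."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts: List[str] = []
    for e in events:
        if e.kind == "process":
            name = basename(e.image)
            # 1. Hash IoC match against the report's sample hashes.
            if e.sha256 and e.sha256.lower() in KNOWN_BAD_SHA256:
                alerts.append(f"ioc-hash: {name} matches {KNOWN_BAD_SHA256[e.sha256.lower()]}")
            # 2. Executable started from %temp% with an Office process as an ancestor
            #    (the macro writes a dropper to %temp% and runs it).
            if in_temp(e.image) and any(basename(a.image) in OFFICE_HOSTS for a in ancestors(e.pid, procs)):
                alerts.append(f"office-drop: {name} started from %temp% beneath an Office process")
            # 3. The cmd.exe <- extrac32.exe <- %temp% dropper chain seen in the sandbox.
            if name == "cmd.exe":
                chain = list(ancestors(e.pid, procs))
                if len(chain) >= 2 and basename(chain[0].image) == "extrac32.exe" and in_temp(chain[1].image):
                    alerts.append(f"lolbin-chain: cmd.exe under extrac32.exe under {basename(chain[1].image)}")
        elif e.kind == "registry":
            # 4. Registry modification by a process running out of %temp%.
            actor = procs.get(e.pid)
            if actor is not None and in_temp(actor.image):
                alerts.append(f"temp-registry: {basename(actor.image)} wrote {e.target}")
    return alerts


# Constructed sample telemetry modelled on the report's process graph.
# Paths, pids and the registry key are assumptions made for this example.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    Event("process", 50, "C:\\Windows\\explorer.exe"),
    Event("process", 100, "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", parent_pid=50),
    Event("process", 200, TEMP + "37989513.exe", parent_pid=100,
          sha256="f3efb9f40e2ea18661895369b3e43ec294d4103854ec942bb04778931e400bdd"),
    Event("process", 300, "C:\\Windows\\System32\\extrac32.exe", parent_pid=200),
    Event("process", 400, "C:\\Windows\\System32\\cmd.exe", parent_pid=300),
    Event("registry", 200, TEMP + "37989513.exe", target="HKCU\\Software\\Constructed\\Example"),
    Event("process", 500, "C:\\Windows\\System32\\notepad.exe", parent_pid=50),  # benign, no alert
]


def run_sample() -> List[str]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Rules 2 to 4 do not depend on the hashes, so they still fire when the dropper is recompiled and the IoC table is stale; rule 1 is kept because a hash hit is the cheapest high-confidence signal when the exact sample reappears.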
In order to remediate this threat, following points should be considered:
Beware of the social engineering techniques employed by cyber criminals: learn to identify phishing emails, impersonated calls, and fraudulent businesses and domains, and learn how to respond to a suspected compromise. Rewterz Threat Intelligence and SOC enable us not only to detect but also to mitigate threats from malware like Remcos.
The above analysis was performed in a controlled environment at Rewterz Threat Intelligence Labs. If you have any malware samples or binaries that need to be analyzed, contact us at info@rewterz.com.