
Detecting Remcos Tool Used by FIN7 with Splunk

This blog provides a walkthrough of Remcos executed via Splunk's Attack Range Local. To learn more about the FIN7 criminal group, see part 1 of this series, FIN7 Tools Resurface in the Field – Splinter or Copycat?


We decided to run a well-known Remote Access Trojan (RAT) called Remcos that has been used by FIN7. This tool has been around for some time and has a reputation for being stealthy and effective in controlling compromised hosts. Sold as a remote computer monitoring tool, it has plenty of features that allow the operator behind the control panel to carry out many operations against a compromised system.

The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the many intrusive operations this remote access tool can execute on compromised hosts. As a post-exploitation tool, Remcos is quite effective at obtaining credentials, discovering system properties, executing commands, and networking, among other functions.

 

Remcos is composed of a Command & Control panel and agents that operate at the host level. Before an agent can be deployed it needs to be built via the control panel. The vendor of this tool also offers an additional crypter for purchase, allowing operators to add further obfuscation and encryption when building binaries.


The vendor presents very clear terms of service warning against any illegal use of this tool.


The Remcos agent communicates with the control panel over TLS v1.3, using a certificate created during setup. Once we are able to transfer and execute the agent we can see how powerful this tool is against a compromised host. In the following screenshot, we can see one of the functions retrieving all services present on the compromised machine. This allows the operator to disable any of the running services. For example, the operator may choose to disable the Sysmon service so that logs are no longer collected.

In the following screenshot, we can see some of the surveillance functions included in Remcos: Webcam, Microphone, Keylogger, Browser History, Password Recovery, and Activity Notification. We will look at some of these from the reverse engineering perspective later in this post.

Here is an example of clipboard content extraction from a compromised host. 

Detection

As seen above, this tool can be very effective when used by malicious actors. It has been observed in use by the FIN7 group, so we decided to take a deeper look into it. The following are some of the observations and detections we were able to create by replicating the install of this tool in Attack Range.

Please note that in order to perform these detections successfully we had to add specific registry key items to our sysmon policy in Attack Range. 

As we will see in the following searches, the vendor of this tool implements some telemetry mechanisms when the tool is installed. In the following screenshot, an API call to geoplugin.net can be seen as we were installing the control panel. This API allows the vendor to register the location of the install.

A specific DNS query was also detected during the installation process, directed at p4-preview.runhosting.com. Other products from the same vendor have also been observed using this domain.

Another specific trait of this software is the vendor banner and the process created when it is being installed. Per the vendor's terms and conditions this is a legitimate software application that warns against illegal use, so the vendor name shows in the application content throughout installation and operation. This specific search detects the install of the C2 panel.


During the installation of this software a specific registry key related to its licensing is also set, as seen in the search and screenshot below. The search below detects the agent/client install on the compromised host.


Remcos Agent Analysis

The Remcos RAT agent contains several features to grab or exfiltrate data from the compromised machine. Below are the notable behaviors we saw during our analysis.

Mutex and Anti-Sandbox

During installation Remcos creates a mutex, “Remcos_Mutex_Inj”, to make sure that only one instance of the malware is running on a machine. Aside from that, it contains a function that checks whether the malware code is running in a virtual machine or sandbox, or whether the Sysinternals Process Monitor (procmon) or Process Explorer tool is running on the compromised machine. If so, it calls another function that exits the process and runs a cleanup .bat file to remove its artifacts.



UAC Bypass

It will try to bypass UAC by using the known “eventvwr” registry modification technique, pointing the modified registry entry at its own malware sample.

It also modifies the EnableLUA registry value to disable UAC on the compromised machine.


Querying and Clearing Browser History and Cookies

It also has a thread that checks the default browser of the compromised machine, or looks for the Chrome default user profile folder, IE cookies, and the Firefox profile folder in %appdata%, in order to grab and then clear the history of those browsers.


Persistence

It also creates a Run registry entry for a dropped copy of itself in the %appdata%\Win32 folder so that its code executes automatically when the system reboots.
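Detection logic for the two registry behaviours described above (EnableLUA set to 0 and a Run entry pointing into %appdata%), written here as an added Python example that is not part of the original post or of the Splunk detections it references. The Sysmon Event ID 13 records, host name, SID and file paths are constructed for the example; the rule names reuse the detection names listed later in the post.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) records, not real telemetry.
REGISTRY_EVENTS = [
    {"host": "win10-01", "image": "C:\\Users\\bob\\AppData\\Roaming\\Win32\\remcos.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
     "details": "C:\\Users\\bob\\AppData\\Roaming\\Win32\\remcos.exe"},
    {"host": "win10-01", "image": "C:\\Users\\bob\\AppData\\Roaming\\Win32\\remcos.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"host": "win10-01", "image": "C:\\Program Files\\Vendor\\updater.exe",   # legitimate autostart
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Program Files\\Vendor\\updater.exe"},
    {"host": "win10-01", "image": "C:\\Windows\\System32\\svchost.exe",        # UAC left enabled
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "details": "DWORD (0x00000001)"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# User-writable locations a Run entry should rarely point into; %appdata%\Win32 is the one seen here.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def dword_value(details):
    """Sysmon renders DWORD SetValue details as 'DWORD (0x00000000)'; return the integer or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None

def classify(event):
    """Return the detection an event triggers, or None."""
    if event["target"].lower().endswith("\\policies\\system\\enablelua") and dword_value(event["details"]) == 0:
        return "Disabling Remote User Account Control"
    if RUN_KEY.search(event["target"]) and any(d in event["details"].lower() for d in SUSPICIOUS_DIRS):
        return "Registry Keys Used For Persistence"
    return None

def detect(events=REGISTRY_EVENTS):
    """List (host, detection, registry path, writing image) for every event that triggers a rule."""
    return [(e["host"], classify(e), e["target"], e["image"]) for e in events if classify(e)]
```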


Remcos Data Collection

Get Product and Computer Information

This RAT also collects the computer name, user name, and product information of the compromised machine as part of its data collection, in order to identify who and which machine has been compromised.



Capture Screenshots and Audio Recording

One notable feature of this RAT is recording audio and capturing screenshots from the compromised machine; the results are placed in %appdata%\audio\ (in .wav format) and in the %appdata%\screens folder. In our analysis, a screenshot was captured every minute.

Taking screenshots
 

Audio Recording


Below is the screenshot of Splunk Attack Range during the execution of Remcos RAT showing how it creates the .png file of each screenshot it takes in the compromised machine.
 


Keylogger and Clipboard Grabber

This RAT has another feature for keylogging and grabbing clipboard data, which is written to a file named logs.dat in the %appdata%\remcos folder. The same file also serves as a debug log for Remcos actions such as clearing browser history. Below is a snippet of logs.dat captured while we tested this feature.
 



Uninstall.bat

If this RAT determines that it is running in a virtual machine or a sandbox, it creates and executes a batch file that deletes the RAT itself and some of its artifacts to evade analysis of its code.



Backdoor Commands

Below is the list of backdoor commands we saw in its code for manipulating the compromised host and collecting data from it.
 

Remcos Backdoor Command    Description
-----------------------    -----------
ping                       Ping command
filemgr                    List files
downloadfromurltofile      Download file from C2
downloadfromlocaltofile    Download file from local machine
getproclist                Get process list
prockill                   Process kill
getwindows                 Get window state
closewindow                Close a window
maxwindow                  Maximize active window
restorewindow              Restore window
closeprocfromwindow        Close process in active window
execcom                    Execute command
consolecmd                 Get console command
cmdoutput                  Fetch command output through pipe
openaddress                Shell “Open” command
initializescrcap           Initialize screen capture
scrcap                     Screen capture
freescrcap                 Release screen capture
initklfrm                  Initialize keylogging
startonlinekl              Start keylogging
stoponlinekl               Stop online keylogging
getofflinelogs             Download offline logs
autogetofflinelogs         Auto download of logs
deletekeylog               Delete key logs
clearlogins                Clear logins
getscrslist                Get file list in current screen window
scrslist                   File list in active window
dwnldscr                   Download screen
screenshotdata             Screenshot data
initcamcap                 Initialize camera capture
getcamlib                  Get camera library
freecamcap                 Release camera capture
miccapture                 Mic capture
stopmiccapture             Stop mic capture
pwgrab                     Password grab
deletefile                 Delete files
uninstall                  Uninstall from the machine
updatefromurl              Update copy of its file from C2
updatefromlocal            Update copy of itself from local machine
msgbox                     Message box
keyinput                   Keyboard input
mclick                     Mouse click
OSpower                    OS power
getclipboard               Get clipboard data
setclipboard               Set clipboard data
emptyclipboard             Delete clipboard data
dlldata                    Map files
dllurl                     Download files
initremscript              Initialize Remcos script
initregedit                Initialize registry info of the host
SetSuspendState            Suspend machine state


Detections

Suspicious Image Creation In Appdata Folder
 

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
  by _time span=1h Processes.process_guid Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest
  | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly`
  count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
  where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path = "*\\appdata\\Roaming\\*"
  by _time span=1h Filesystem.process_guid Filesystem.dest Filesystem.file_create_time Filesystem.file_name
  Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time
  file_name file_path process_guid]




Suspicious WAV file in Appdata Folder
 

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
  by _time span=1h Processes.process_guid Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest
  | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly`
  count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
  where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*"
  by _time span=1h Filesystem.process_guid Filesystem.dest Filesystem.file_create_time Filesystem.file_name
  Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time
  file_name file_path process_guid]




Remcos RAT File Creation in Remcos Folder
 

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
  where Filesystem.file_name IN ("*.dat") Filesystem.file_path = "*\\remcos\\*"
  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
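To make the correlation in the three searches above concrete, here is an offline Python re-implementation of the same logic over constructed Sysmon-style process-create and file-create records; this is an added example, not part of the original post or of the Splunk content, and the host name, process GUIDs and paths are assumptions. It also shows a caveat of the first two searches: the join on `_time` after `span=1h` bucketing only matches when the process start and the file write fall into the same hour.

```python
from datetime import datetime

IMAGE_EXTS = {".png", ".jpg", ".bmp", ".gif", ".tiff"}
ROAMING = "\\appdata\\roaming\\"
R = "C:\\Users\\bob\\AppData\\Roaming\\"   # shared prefix for the constructed sample paths

def _ts(s):  # constructed timestamps are UTC so hour buckets line up with the SPL span=1h buckets
    return datetime.fromisoformat(s + "+00:00").timestamp()

# Constructed Sysmon-style records, not real telemetry: Event ID 1 (process create) and 11 (file create).
PROCESS_EVENTS = [
    {"time": _ts("2021-08-10T10:02:00"), "host": "win10-01", "guid": "{A1}", "image": R + "Win32\\remcos.exe"},
    {"time": _ts("2021-08-10T10:05:00"), "host": "win10-01", "guid": "{B2}", "image": "C:\\Program Files\\App\\chrome.exe"},
    {"time": _ts("2021-08-10T09:50:00"), "host": "win10-01", "guid": "{C3}", "image": R + "Tool\\updater.exe"},
]
FILE_EVENTS = [
    {"time": _ts("2021-08-10T10:03:00"), "host": "win10-01", "guid": "{A1}", "target": R + "screens\\1003.png"},
    {"time": _ts("2021-08-10T10:04:00"), "host": "win10-01", "guid": "{A1}", "target": R + "audio\\rec1.wav"},
    {"time": _ts("2021-08-10T10:04:30"), "host": "win10-01", "guid": "{A1}", "target": R + "remcos\\logs.dat"},
    {"time": _ts("2021-08-10T10:06:00"), "host": "win10-01", "guid": "{B2}", "target": R + "Downloads\\cat.png"},  # browser is not an AppData exe
    {"time": _ts("2021-08-10T11:10:00"), "host": "win10-01", "guid": "{C3}", "target": R + "Tool\\cache.png"},  # process started in the 09:00 bucket
]

def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""

def correlate(proc_events, file_events, exts, path_fragment=ROAMING, span=3600):
    """Mirror of the first two searches: .exe processes running from AppData\\Roaming, joined with
    file creates of a watched extension under path_fragment on (host, process_guid, time bucket),
    which is what `join process_guid, _time` does after both sides were bucketed with span=1h."""
    procs = {}
    for p in proc_events:
        if p["image"].lower().endswith(".exe") and ROAMING in p["image"].lower():
            procs[(p["host"], p["guid"], int(p["time"] // span))] = p["image"]
    hits = []
    for f in file_events:
        key = (f["host"], f["guid"], int(f["time"] // span))
        if key in procs and _ext(f["target"]) in exts and path_fragment in f["target"].lower():
            hits.append({"host": f["host"], "process_path": procs[key], "file_path": f["target"]})
    return hits

def dat_in_remcos_folder(file_events):
    """Mirror of the third search: any .dat written under a \\remcos\\ folder, with no process join."""
    return [f["target"] for f in file_events if _ext(f["target"]) == ".dat" and "\\remcos\\" in f["target"].lower()]

def run_all(proc_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    return {"image_in_appdata": correlate(proc_events, file_events, IMAGE_EXTS),
            "wav_in_appdata": correlate(proc_events, file_events, {".wav"}),
            "dat_in_remcos_folder": dat_in_remcos_folder(file_events)}
```

Widening `span` to a day makes the updater.exe/cache.png pair match as well, which is the trade-off between catching long-running processes and the volume of benign AppData software that writes images.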




Detection                                            Technique ID   Tactics                                  Description
---------                                            ------------   -------                                  -----------
Remcos RAT File Creation in Remcos Folder (New)      T1113          Collection                               Detects creation of files in the Remcos folder under the %appdata% path
Suspicious Image Creation In Appdata Folder (New)    T1113          Collection                               Detects suspicious creation of image files under the %appdata%\roaming folder path
Suspicious WAV file in Appdata Folder (New)          T1113          Collection                               Detects suspicious creation of .wav files under the %appdata%\roaming folder path
Non-Chrome Process Accessing Chrome Default Dir (New) T1555.003     Credential Access                        Detects a non-Chrome process accessing the Chrome user default folder
Non-Firefox Process Access Firefox Profile Dir (New) T1555.003      Credential Access                        Detects a non-Firefox process accessing the Firefox profile folder
Registry Keys Used For Persistence (Existing)        T1547.001      Persistence, Privilege Escalation        Detects persistence mechanisms through the registry
Disabling Remote User Account Control (Existing)     T1548.002      Privilege Escalation, Defense Evasion    Detects modification of the UAC registry value (EnableLUA)
Executables Or Script Creation In Suspicious Path (Existing) T1036  Defense Evasion                          Detects an executable or script dropped in a suspicious file path
Suspicious Process File Path (Existing)              T1543          Persistence, Privilege Escalation        Detects a suspicious process running from a suspicious file path
Remcos client registry install entry (New)           T1112          Defense Evasion                          Detects the Remcos install license registry key

 

Hashes

File            SHA256
Remcos agent    fd0a98614305ca211fafe525c8beadab7f632b0ebe04aaf6afe161f699ecda18



Contributors

We would like to thank the following for their contributions to this post.

  • Teoderick Contreras
  • Rod Soto
  • Michael Haag 
     

 

The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

