By Splunk Threat Research Team November 16, 2021
This blog provides a walkthrough of Remcos executed via Splunk's Attack Range Local. To learn more about the FIN7 criminal group in part 1, FIN7 Tools Resurface in the Field – Splinter or Copycat?
We decided to try to run a well-known Remote Access Trojan (RAT) called Remcos used by FIN7. This tool has been around for some time and has a reputation for being stealthy and effective in controlling compromised hosts. Sold as a remote computer monitoring tool, this tool has plenty of features that can allow an operator behind the control to do multiple operations against a compromised system.
The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the multiple and intrusive operations this remote access tool can execute at compromised hosts. As a post-exploitation tool remcos is pretty effective in obtaining credentials, discovering system properties, command execution, and networking among other functions.
Remcos is composed of a Command & Control panel and agents that operate at the host level, before remcos can be deployed it needs to be built via the control panel. The vendor of this tool also offers extra obfuscation by offering an additional crypter for purchase, allowing operators to add additional obfuscation and encryption when building binaries.
The vendor presents very clear terms of service warning against any illegal use of this tool.
Remcos agent also communicates with the control panel using encryption via TLS v1.3 certificate, created during setup. Once we are able to transfer and execute the agent we can see how powerful this tool is against a compromised host. In the following screenshot, we can see one of the functions retrieving all services present at the compromised machine. This allows the operator to disable any of the running services. For example, the operator may choose to disable the sysmon service so that logs are no longer collected.
In the following screenshot, we can see some of the surveillance functions that are included in Remcos, included Webcam, Microphone, Keylogger, Browser History, Browsers History, Password Recovery, and Activity Notification. We will look at some of these from the reverse engineering perspective later in this post.
Here is an example of clipboard content extraction from a compromised host.
Detection
As seen above this tool can be very effective if used by malicious actors. This tool has been observed in use by the FIN7 group, so we decided to take a deeper look into it. The following are some of the observations and detection we were able to create replicating the install of this tool via the Attack Range tool.
Please note that in order to perform these detections successfully we had to add specific registry key items to our sysmon policy in Attack Range.
As we will see in the following searches, the vendor of this tool implements some telemetry mechanisms when this tool is installed. In the following screen shot, the use of the API call to geoplugin.net can be seen as we were installing the control panel. This API allows the vendor to register the location of the install.
A specific DNS query was also detected during the installation process, specifically directed towards p4-preview.runhosting.com. Some other products from the same vendor have also been observed in this domain as well.
Another specific trait of this software is the vendor banner and process created when is being installed. Per vendor terms and conditions this is a legit software application and warns against illegal use, so their name shows in the application content through installation and operation. This specific search detects install of the C2 panel.
During the installation of this software also a specific registry key is set in place related to the licensing of this software. As seen in the search and screenshot below. The search below detects agent/client install at the compromised host.
Remcos Agent Analysis
The Remcos RAT agent contains several features to grab or exfiltrate data from the compromised machine. Below are the notable behaviors we saw during our analysis.
Mutex and Anti Sandbox
During Installation Remcos will create a mutex “Remcos_Mutex_Inj” to make sure that only one instance of its malware is running on a machine. Aside from that, it contains a function where it checks if its malware code is running on a virtual machine, sandbox or if there is a running procmon, and process explorer Sysinternals tool process in the compromised machine. If yes it will call another function that will exit the process and run a cleanup .bat file to remove its artifacts.
UAC Bypassed
It will try to bypass UAC by running a known “eventvwr” registry modification technique referencing its malware sample.
Another one is modifying the EnableLua registry value to disable UAC in the compromised machine.
Querying And Clearing Browser History and Cookies.
It also has a thread where it will check the default browser of the compromised machine or look for the chrome default user account folder, IE cookie, and firefox profile folder in %appdata% to grab and clear the history on those browsers.
Persistence
It will also create a regrun entry for drop copy of itself in %appdata%\WIn32 folder to automatically execute its code upon reboot of the system.
Remcos Data Collection
Get Product and Computer Information
This RAT will also parse the computer name, user name, and the product information of the compromised machine as part of its data collection and to know who/what machine is compromised.
Capture Screenshots and Audio Recording
One notable feature of this RAT malware is to record audio and capture screenshots from the compromised machine that will be placed in %appdata%\audio\ (in .wav format) and %appdata%\screens folder. In our analysis, the screenshot capture happened every minute.
Taking screenshots
Audio Recording
Below is the screenshot of Splunk Attack Range during the execution of Remcos RAT showing how it creates the .png file of each screenshot it takes in the compromised machine.
Keylogger and Clipboard Grabber
This RAT has another feature for keylogging and grabbing the clipboard data that will be placed in the%appdata%\remcos folder named as logs.dat file. It also serves as a debug log made by Remcos like clearing browser history and so on. Below is the snippet of logs.dat as we test this feature.
Uninstall.bat
If this rat figures out that it is in a virtual machine or in a sandbox it will create and execute a batch file that will delete itself and some of its artifacts to evade analysis of its code.
Backdoor Command:
Below is the list of backdoor commands we saw in its code to manipulate the compromised host and gather or collect data from it.
Remcos Backdoor Command |
Description |
ping |
Ping command |
filemgr |
List file |
downloadfromurltofile |
Download file from C2 |
downloadfromlocaltofile |
Download file from local machine |
getproclist |
Get process list |
prockill |
Process kill |
getwindows |
Get window state |
closewindow |
Close a window |
maxwindow |
Maximize active window |
restorewindow |
Restore window |
closeprocfromwindow |
Close process in active window |
execcom |
Execute command |
consolecmd |
Get console command |
cmdoutput |
Fetch command output through pipe |
openaddress |
Shell “Open” command |
initializescrcap |
Initialize screen capture |
scrcap |
Screen capture |
freescrcap |
Release screen capture |
initklfrm |
Initialize keylogging |
startonlinekl |
Start keylogging |
stoponlinekl |
Stop online keylogging |
getofflinelogs |
Download offline logs |
autogetofflinelogs |
Auto download of logs |
deletekeylog |
Delete key logs |
clearlogins |
Clear login |
getscrslist |
Get file list in current screen window |
scrslist |
File list in active window |
dwnldscr |
Download screen |
screenshotdata |
Screenshot data |
initcamcap |
Initialize camera capture |
getcamlib |
Get camera library |
freecamcap |
Release camera capture |
miccapture |
Mic capture |
stopmiccapture |
Stop capture |
pwgrab |
Password grab |
deletefile |
Delete files |
uninstall |
Uninstall to the machine |
updatefromurl |
Update copy of its file from C2 |
updatefromlocal |
Update copy of itself from local machine |
msgbox |
Message box |
keyinput |
Keyboard input |
mclick |
Mouse click |
OSpower |
OS power |
getclipboard |
Get clipboard data |
setclipboard |
Set clipboard data |
emptyclipboard |
Delta clipboard data |
dlldata |
Map files |
dllurl |
Download files |
initremscript |
Initialize remcos script |
initregedit |
Initialize registry info of the host |
SetSuspendState |
Suspend machine state |
Detections:
Suspicious Image Creation In Appdata Folder
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
| `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.png","*.jpg","*.bmp","*.gif","*.tiff") Filesystem.file_path = "*\\appdata\\Roaming\\*"
by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name
Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time
file_name file_path process_name process_path process]
Suspicious WAV file in Appdata Folder
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
| `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.wav") Filesystem.file_path = "*\\appdata\\Roaming\\*"
by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name
Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields file_name file_path
process_name process_path process dest file_create_time _time ]
Remcos RAT File Creation in Remcos Folder
|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.dat") Filesystem.file_path = "*\\remcos\\*"
by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
Detection |
Techniques ID |
Tactics |
Description |
Collection |
Detect creation of file in Remco’s folder in %appdata% path |
||
Collection |
Detect suspicious creation of image files in %appdata%\roaming folder path |
||
Collection |
Detect suspicious creation of wav files in %appdata%\roaming folder path |
||
Credential Access |
Detects non-chrome process accessing chrome user default folder |
||
Credential Access |
Detects non-firefox process accessing Firefox profile folder |
||
Registry Keys Used For Persistence(Existing) |
Persistence, Privilege Escalation |
Detects persistence mechanism through the registry |
|
Disabling Remote User Account Control(Existing) |
Privilege Escalation, Defense Evasion |
Detect modification of UAC registry (Enable LUA) |
|
Defense Evasion |
Dropping executable script in a suspicious file path |
||
Suspicious Process File Path(Existing) |
Persistence, Privilege Escalation |
Detect suspicious process running in a suspicious file path |
|
Defense Evasion |
Detects Remcos install license registry key |
Hashes
File |
SHA256 |
Remcos agent |
fd0a98614305ca211fafe525c8beadab7f632b0ebe04aaf6afe161f699ecda18 |
Contributors
We would like to thank the following for their contributions to this post.
- Teoderick Contreras
- Rod Soto
- Michael Haag