# Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021

Source: https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html

January 10, 2022, SECURITY, by the [Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)

Nowadays, malware typically goes through several stages before it fully compromises the targeted host or machine. The best-known initial stage is the "phishing email" carrying a malicious macro or a malicious URL that downloads either the actual loader or the next stager, which in turn downloads the actual payload. This staging makes detecting and analyzing the adversary's behavior more challenging. The most prevalent loaders seen in the wild are written in the Windows scripting languages JScript (.js) and VBScript (.vbs). These scripts are easy to obfuscate and encrypt in order to bypass detection and preventative controls, which is why many adversaries use them.

In this blog, the Splunk Threat Research Team (STRT) discusses a Remcos loader that uses [DynamicWrapperX (dynwrapx.dll)](http://dynwrapx.script-coding.com/dwx/pages/dynwrapx.php?lang=en) to execute shellcode and inject the Remcos RAT into a target process. Finally, STRT covers which [Splunk Security Content](https://research.splunk.com/) detections find the behaviors and TTPs of the DynamicWrapperX loader.

## The Initial Downloader

This Remcos loader starts with a simple VBScript that attempts to download a second VBScript from [paste.ee](https://paste.ee/). The script hosted on paste.ee is the main Remcos loader. Below is a screenshot of the initial downloader script. STRT has seen the script stay online for up to a few weeks between major campaign changes; paste.ee offers options to automatically take down a paste after anything from a few hours up to a year.

[The full VBScript loader may be found here.](https://gist.github.com/MHaggis/316400bd7c9f1ed6940ed04ea16556be)

## The VBScript Main Remcos Loader

### Detection Evasion

STRT found the script loader interesting in how it tries to evade inspection by preventative controls: it embeds a large amount of benign script code and comments at the beginning and end of the loader. For example, the screenshot below shows that lines 120-150 of its code are taken from Microsoft's ["pubprn.vbs"](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753116(v=ws.11)), a script designed to publish printers within Active Directory Domain Services. Skimming the code quickly gives away that shellcode is embedded inside.

### Preparation of Payload

Now that the loader has downloaded the next stage from paste.ee, this VBScript prepares several payloads and eventually loads the actual Remcos malware. First, it decodes the Remcos RAT itself, then extracts dynwrapx.dll (used to load the shellcode), and finally the shellcode. It also initializes the file path of the target process into which the Remcos RAT is injected, c:\windows\winhlp32.exe.

Below is a screenshot of each payload decoded:

### VBScript Execution on x64

This script also has a function that checks the OS architecture of the infected host using [WMI (Windows Management Instrumentation, T1047)](https://attack.mitre.org/techniques/T1047/). If it is an x64 host, it re-runs the VBScript using the command format `wscript /b /e:vbscript`, as shown in the screenshot below. You can also find the raw attack data [sysmon.log](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log) for this technique.
### The Shellcode - Process Injection

The decoded shellcode uses pre-computed API hashes to dynamically resolve the APIs it imports in order to inject the Remcos malware into a targeted process on the host. The screenshot below shows the final WriteProcessMemory and ResumeThread API calls, which write the Remcos RAT into the target process and then execute it there.

### DynamicWrapperX - ShellCode Execution

To execute the shellcode that performs the process injection, the loader first decodes and drops "dynwrapx.dll" in the %temp% folder and registers it with the Regsvr32 install and silent parameters ("regsvr32 /I /S"). This DLL gives the VBScript access to the "DynamicWrapperX" object, through which it loads two more Windows DLL modules, user32.dll and kernel32.dll, to allocate memory and execute the shellcode. Using the VirtualAlloc API call, it allocates a region of memory for the Remcos malware and the shellcode. That memory address is then passed as an argument to the CallWindowProcW API, which runs the shellcode that injects the Remcos RAT into the target process, WinHlp32.exe. The screenshot below shows the code of this technique.

### Where is Remcos Going?

Using VirusTotal behavior data to analyze this sample further, STRT searched for a pattern of behavior that spawned winhlp32.exe and used regsvr32.exe to load dynwrapx.dll. STRT crafted this VirusTotal behavior query:

```
behavior:"\"%windir%\\System32\\regsvr32.exe\" /I /S \"%TEMP%\\dynwrapx.dll\"" behavior:"\"%windir%\\winhlp32.exe\""
```

This uncovered an interesting pattern, beginning on 9/12/2021 with uploads from Argentina, that matched the behavior of our original sample. Each upload contained a different section of the final sample (reviewed above). STRT speculates the adversary was testing their code against antivirus engines. After the first few "testing" uploads, actual active campaigns with complete Remcos loaders followed.
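The host-side counterpart of the VirusTotal behavior pattern described above, as an added example that is not part of the original post or of Splunk's security content: it correlates Sysmon ProcessCreate (EventCode 1) events per host, looking for regsvr32.exe registering dynwrapx.dll with `/I /S`, wscript.exe being forced onto the VBScript engine, and a script host spawning winhlp32.exe or installutil.exe (the behaviors that the Regsvr32 Silent and Install Param, Vbscript Execution Using Wscript, Wscript Or Cscript Suspicious Child Process and Winhlp32 Spawning a Process detections in the analytic story cover individually). Host names, paths, process IDs and the event dictionaries themselves are constructed; only the field names follow Sysmon.

```python
"""Host-side counterpart of the VirusTotal behaviour pattern described above.
Added example, not Splunk's or the STRT's code. It correlates Sysmon
ProcessCreate (EventCode 1) events per host; all events below are constructed."""
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INJECTION_TARGETS = ("winhlp32.exe", "installutil.exe")   # both variants seen in the post

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_silent_install_of_dynwrapx(cmdline):
    """regsvr32 invoked with both the /I (install) and /S (silent) switches on dynwrapx.dll."""
    tokens = cmdline.lower().split()
    return "/i" in tokens and "/s" in tokens and "dynwrapx.dll" in cmdline.lower()

def is_vbscript_via_wscript(cmdline):
    """wscript forced onto the VBScript engine (//e:vbscript or /e:vbscript) or given a .vbs file."""
    tokens = [t.lower().lstrip("/") for t in cmdline.split()]
    return "e:vbscript" in tokens or any(t.strip('"').endswith(".vbs") for t in tokens)

def correlate(events):
    """Per host, list (finding, ProcessId) pairs for the three behaviours of interest."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        host, pid = ev["Computer"], ev["ProcessId"]
        image, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image == "wscript.exe" and is_vbscript_via_wscript(cmd):
            findings[host].append(("vbscript_execution_using_wscript", pid))
        if image == "regsvr32.exe" and is_silent_install_of_dynwrapx(cmd):
            findings[host].append(("regsvr32_silent_install_dynwrapx", pid))
        if parent in SCRIPT_HOSTS and image in INJECTION_TARGETS:
            findings[host].append((f"script_host_spawned_{image}", pid))
    return dict(findings)

def flagged_hosts(events):
    """Hosts where dynwrapx.dll was registered AND a script host spawned an injection
    target: the two-event chain the VirusTotal query above looks for."""
    flagged = []
    for host, items in correlate(events).items():
        kinds = {kind for kind, _ in items}
        if "regsvr32_silent_install_dynwrapx" in kinds and any(
                k.startswith("script_host_spawned_") for k in kinds):
            flagged.append(host)
    return sorted(flagged)

# Constructed sample events (Sysmon EventCode 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "ws01", "ProcessId": 4100, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript //b //e:vbscript "C:\Users\bob\invoice.vbs"'},
    {"EventCode": 1, "Computer": "ws01", "ProcessId": 4112, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\bob\AppData\Local\Temp\dynwrapx.dll"'},
    {"EventCode": 1, "Computer": "ws01", "ProcessId": 4120, "Image": r"C:\Windows\winhlp32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe", "CommandLine": r"C:\Windows\winhlp32.exe"},
    # ws02: an installer registering a vendor DLL silently; no /I switch, no script host, no target spawn
    {"EventCode": 1, "Computer": "ws02", "ProcessId": 900, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for host, items in correlate(SAMPLE_EVENTS).items():
        print(host, items)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The per-host correlation is what separates this from the single-event detections: a lone silent regsvr32 registration or a lone winhlp32.exe launch can each be legitimate, but the two together on one host, with a script host as parent, is the loader's signature. Keying on the host rather than on process lineage also keeps the installutil.exe variant in scope, since the post notes that variant does not load dynwrapx.dll into the target.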
The pattern of behavior we queried for looks like this in VTI:

[Following the use of winhlp32.exe, STRT noticed the actor shifted to using installutil.exe.](https://app.any.run/tasks/df0baf9f-8baf-4c32-a452-16562ecb19be/) With installutil.exe the pattern is very similar. The biggest difference STRT noticed was that, during the VBScript execution, installutil.exe did not load dynwrapx.dll, unlike winhlp32.exe. VirusTotal behavior query:

```
behavior:"\"%windir%\\System32\\regsvr32.exe\" /I /S \"%TEMP%\\dynwrapx.dll\"" behavior:"\\installutil.exe\""
```

STRT generated a few additional queries that helped us look for other samples holistically. These provided insight into further behaviors, and also visibility into how much interaction and change goes into each campaign. The hex `content:` search below matches the raw bytes of the VBScript statement `Set DynWrapObj = CreateObject("DynamicWrappe`, i.e. the object creation call that every variant of the loader has to make.

```
behaviour_processes:"\"%windir%\\SYSWOW64\\WSCRIPT.EXE\" //b //e:vbscript \"%SAMPLEPATH%\"" content: {5365742044796e577261704f626a203d204372656174654f626a656374282244796e616d6963577261707065
```

### VT Correlation Graph of Remcos

[The following VT Correlation Graph](https://www.virustotal.com/graph/embed/g8e2e40d1a7b9401facdae7330d44f4178b95305dd74b4b70b44933389ba06cf2) shows the countries affected by this Remcos campaign and the number of C2 server connections it made to download other malware or its components, as well as some interesting infection-chain vectors such as dropping a .lnk file and downloading components from its C2.

## Remcos Analytic Story

[The update to the analytic story](https://research.splunk.com/stories/remcos/) introduced 21 new and 5 modified detections. In this section, we describe some of these analytics.

### Suspicious Process DNS Query Known Abuse Web Services

Detects a suspicious process making a DNS query to known abused text-paste web services, or to VoIP, instant messaging, and digital distribution platforms, which are used to download external files.
This technique is abused by adversaries, malware actors, and red teams to download a malicious file onto the target host, and it is a good TTP indicator of possible initial access. Users will see false positives if such instant messaging services, or common applications like Telegram and Discord, are allowed on the corporate network.

```
`sysmon` EventCode=22 QueryName IN ("*pastebin*", "*discord*", "*telegram*", "*t.me*") process_name IN ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe", "cscript.exe")
| stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

### Loading Of Dynwrapx Module

DynamicWrapperX is an ActiveX component that can be used from a VBScript to call Windows API functions, but it requires dynwrapx.dll to be installed and registered. Registering or loading dynwrapx.dll on a host is therefore highly suspicious. In most instances of malicious use, the best way to triage is to review parallel processes and pivot on the process_guid. Review the registry for any suspicious modifications meant to load dynwrapx.dll, and identify any suspicious module loads of dynwrapx.dll. This detection returns and identifies the processes that invoke vbs/wscript/cscript.

```
`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName = "dynwrapx.dll" OR Product = "DynamicWrapperX")
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name Computer EventCode Signed ProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

### System Info Gathering Using Dxdiag Application

Detects a suspicious dxdiag.exe command-line execution. Dxdiag is used to collect the system information of the target host.
This technique has been seen used by Remcos RAT, various actors, and other malware to collect information as part of the reconnaissance or collection phase of an attack. This behavior should rarely be seen in a corporate network, but the command line can be used by a network administrator to audit host machine specifications, so in some rare cases this detection will return false positives. To triage further, analyze what commands were run after dxdiag pipes its result to a file for further processing. [Examples of any.run Remcos analyses](https://any.run/report/923483a20bfa8c7734ff5cd5f1d2ebb4a029efe6af2365cd4730a0955e038ccd/8ed5b7fd-498c-4468-9e84-e3a62517492e) show its behavior before and after this technique was executed.

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process = "* /t*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

### Possible Browser Pass View Parameter

Detects a suspicious process whose command-line parameters relate to a web browser credential dumper. This technique is used by the Remcos RAT, which runs the NirSoft WebBrowserPassView.exe application to dump web browser credentials; Remcos uses the "/stext" command-line switch to dump the credentials in text format. This hunting query is a good indicator of hosts possibly infected with Remcos RAT. Since the hunting query is based on the command-line parameter and the likely paths where the credential text file is saved, it may also catch legitimate tools that use the same switches and behavior.
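A plain-Python rendering of the four detections described in this section (DNS query to a paste or IM service from a scripting host, dynwrapx.dll image load, dxdiag with `/t`, and browser-pass-view parameters combined with a staging path), added here as an example and not part of Splunk's security content or the original post. It runs over constructed Sysmon-style events whose field names mirror those used in the SPL. One assumption beyond the text: the domain list is extended with `*paste.ee*`, because the `*pastebin*` pattern in the SPL does not match paste.ee, the service the loader in this post actually fetches stage 2 from.

```python
"""Plain-Python rendering of the Remcos analytic story detections described above.
Added example, not Splunk's security content. Events are constructed and mimic
Sysmon fields (EventCode 22 = DNS query, 7 = image load, 1 = process create)."""
import fnmatch

# Wildcard lists taken from the SPL in the post. "*paste.ee*" is an addition
# (assumption): the loader described here fetches stage 2 from paste.ee, which
# the "*pastebin*" pattern does not match.
PASTE_AND_IM_DOMAINS = ("*pastebin*", "*paste.ee*", "*discord*", "*telegram*", "*t.me*")
SCRIPT_PROCESSES = ("cmd.exe", "*powershell*", "pwsh.exe", "wscript.exe", "cscript.exe")
PASSVIEW_PARAMS = ("*/stext*", "*/shtml*", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*",
                   "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*",
                   "*/UseOperaPasswordFile*", "*/OperaPasswordFile*", "*/stab*", "*/scomma*",
                   "*/stabular*", "*/sverhtml*", "*/sxml*", "*/skeepass*")
STAGING_PATHS = ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*")

def _any_match(value, patterns):
    """Case-insensitive glob match, mirroring SPL's  field IN ("*x*", ...)  semantics."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_process_dns_query(ev):
    return (ev.get("EventCode") == 22
            and _any_match(ev.get("QueryName", ""), PASTE_AND_IM_DOMAINS)
            and _any_match(_basename(ev.get("Image", "")), SCRIPT_PROCESSES))

def loading_of_dynwrapx_module(ev):
    return (ev.get("EventCode") == 7
            and (_any_match(ev.get("ImageLoaded", ""), ("*\\dynwrapx.dll",))
                 or ev.get("OriginalFileName", "").lower() == "dynwrapx.dll"
                 or ev.get("Product", "") == "DynamicWrapperX"))

def system_info_gathering_using_dxdiag(ev):
    return (ev.get("EventCode") == 1
            and _basename(ev.get("Image", "")) == "dxdiag.exe"
            and _any_match(ev.get("CommandLine", ""), ("* /t*",)))

def possible_browser_pass_view_parameter(ev):
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventCode") == 1
            and _any_match(cmd, PASSVIEW_PARAMS)
            and _any_match(cmd, STAGING_PATHS))

DETECTIONS = {
    "suspicious_process_dns_query": suspicious_process_dns_query,
    "loading_of_dynwrapx_module": loading_of_dynwrapx_module,
    "system_info_gathering_using_dxdiag": system_info_gathering_using_dxdiag,
    "possible_browser_pass_view_parameter": possible_browser_pass_view_parameter,
}

def run_detections(events):
    """Return (detection_name, Computer, ProcessId) for every event that fires a rule."""
    return [(name, ev["Computer"], ev.get("ProcessId"))
            for ev in events for name, rule in DETECTIONS.items() if rule(ev)]

# Constructed sample events, not real telemetry. "wbpv.exe" is a hypothetical file name.
SAMPLE_EVENTS = [
    {"EventCode": 22, "Computer": "ws01", "ProcessId": 4100,
     "Image": r"C:\Windows\SysWOW64\wscript.exe", "QueryName": "paste.ee"},
    {"EventCode": 22, "Computer": "ws01", "ProcessId": 2200,   # browser, not a script host
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "discord.com"},
    {"EventCode": 7, "Computer": "ws01", "ProcessId": 4100, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\dynwrapx.dll",
     "OriginalFileName": "dynwrapx.dll", "Product": "DynamicWrapperX"},
    {"EventCode": 1, "Computer": "ws03", "ProcessId": 5000, "Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r"dxdiag /t C:\Users\Public\sysinfo.txt"},
    {"EventCode": 1, "Computer": "ws03", "ProcessId": 5010, "Image": r"C:\Users\Public\wbpv.exe",
     "CommandLine": r'"C:\Users\Public\wbpv.exe" /stext C:\Users\Public\creds.txt'},
    {"EventCode": 1, "Computer": "ws02", "ProcessId": 600, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The browser-pass-view rule needs both a credential-dumper switch and a staging path before it fires, which is what keeps an administrator running the NirSoft tool from a normal install directory out of the results; dropping the path condition is the quickest way to make this hunt noisy.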
```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext*", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*", "*/UseOperaPasswordFile*", "*/OperaPasswordFile*", "*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*") AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

| Name | Technique ID | Tactic | Description |
|---|---|---|---|
| [Suspicious Process DNS Query Known Abuse Web Services](https://research.splunk.com/endpoint/suspicious_process_dns_query_known_abuse_web_services/) | [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | Execution | Detects a suspicious process having a DNS query on known abuse text paste web services, or VoIP, instant messaging, and digital distribution platform to download some files. |
| Loading Of Dynwrapx Module | [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | Defense Evasion, Privilege Escalation | Detects loading of dynwrapx.dll in a process. |
| [Wscript Or Cscript Suspicious Child Process](https://research.splunk.com/endpoint/wscript_or_cscript_suspicious_child_process/) | [T1055](https://attack.mitre.org/techniques/T1055/) | Defense Evasion, Privilege Escalation | Detects suspicious child process of wscript and cscript process. |
| [Winhlp32 Spawning a Process](https://research.splunk.com/endpoint/winhlp32_spawning_a_process/) | [T1055](https://attack.mitre.org/techniques/T1055/) | Defense Evasion, Privilege Escalation | Detects winhlp32 spawning another process. |
| Process Writing DynamicWrapperX | [T1559.001](https://attack.mitre.org/techniques/T1559/001/) | Execution | Detects dropping of dynwrapx.dll to use DynamicWrapperX, which is an ActiveX component that can be used in a script to call Windows API functions. |
| Vbscript Execution Using Wscript App | [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | Execution | Detects execution of vbscript using wscript.exe. |
| Jscript Execution Using Cscript App | [T1059.007](https://attack.mitre.org/techniques/T1059/007/) | Execution | Detects execution of jscript using cscript.exe. |
| [Regsvr32 Silent and Install Param Dll Loading](https://research.splunk.com/endpoint/regsvr32_silent_and_install_param_dll_loading/) | [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | Defense Evasion | Detects install silent parameter of regsvr32.exe. |
| [Regsvr32 with Known Silent Switch Cmdline](https://research.splunk.com/endpoint/regsvr32_with_known_silent_switch_cmdline/) | [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | Defense Evasion | Detects silent switch of regsvr32.exe. |
| [System Info Gathering Using Dxdiag Application](https://research.splunk.com/endpoint/system_info_gathering_using_dxdiag_application/) | [T1592](https://attack.mitre.org/techniques/T1592/) | Reconnaissance | Detects dxdiag process for possible system info collection parameter /t. |
| [Possible Browser Pass View Parameter](https://research.splunk.com/endpoint/possible_browser_pass_view_parameter/) | [T1555.003](https://attack.mitre.org/techniques/T1555/003/) | Credential Access | Detects possible web browser credential dumper process. |

## Hashes

| Filename | Hash (SHA256) |
|---|---|
| invoice.vbs | cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 |
| remcos.dll | ff169ae934b92a2dfe78f4793c60256d4f36992a0e1218ed6b6d59b3809ed210 |
| dynwrapx.dll | 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379 |
| shellcode | c344723295279aaaf2a4220a77d74db903985264cf3adfba5015f9f31f0dddec |
| Stage1.vbs (downloads stage 2 from pastebin) | cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 |

## Automating with SOAR Playbooks

The following community Splunk SOAR playbooks can be used in conjunction with some of the previously described analytics:

| Name | Description |
|---|---|
| [Malware Hunt And Contain](https://research.splunk.com/playbooks/malware_hunt_and_contain/) | This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black. |
| Email Notification for Malware | This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PANW WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team. |
| Block Indicators | This playbook retrieves IP addresses, domains, and file hashes, blocks them on various services, and adds them to specific blocklists as custom lists. |

## Why Should You Care?
This blog shows how VBScript and JScript are leveraged by all sorts of offensive actors, including [penetration testing](https://twitter.com/strandjs/status/1363942354374127620) [consultants](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying), [cybercrime](https://us-cert.cisa.gov/ncas/alerts/TA18-086A) [actors](https://www.cyber.gov.au/acsc/view-all-content/advisories/2019-130-password-spray-attacks-detection-and-mitigation-strategies), and [cyber](https://us-cert.cisa.gov/ncas/alerts/aa21-116a) [espionage](https://us-cert.cisa.gov/ncas/alerts/TA18-086A) [actors](https://us-cert.cisa.gov/ncas/alerts/AA20126A), for process injection and shellcode execution. Unlike binary malware loaders, script loaders are very flexible in terms of updates, encryption and code obfuscation to bypass detections. [According to Unit 42's 2020 article](https://unit42.paloaltonetworks.com/script-based-malware/), script-based malware is one of the newer attacker trends, and it keeps evolving and improving as part of the malware tooling ecosystem. Cyber defenders need to design and deploy effective monitoring capabilities that allow them to detect and respond to suspicious script execution, process injection and suspicious use of text-paste web services in their corporate or server networks.

### Learn More

[You can find the latest content about security analytic stories on research.splunk.com.](https://research.splunk.com/) For a full list of security content, check out the [release notes](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) on [Splunk Docs](https://docs.splunk.com/Documentation/ESSOC) and the [3.32.0](https://github.com/splunk/security_content/releases/tag/v3.32.0) release.

### Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. [Follow these instructions](https://splunk-usergroups.slack.com/) if you need an invitation to our Splunk user groups on Slack.

### Contributors

We would like to thank the following for their contributions to this post: Teoderick Contreras, Michael Haag, Jose Hernandez and Lou Stella.

Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)**

The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threat actors and vulnerabilities work, and the team replicates attacks which are stored as [datasets in the Attack Data repository](https://github.com/splunk/attack_data/). Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

[Read more Splunk Security Content.](https://github.com/splunk/security_content)