# Analysis: New Remcos RAT Arrives Via Phishing Email **[trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html](https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html)** August 15, 2019 In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers Remcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is a common method for distributing known malware. Remcos RAT emerged in 2016 being peddled as a service in hacking forums — advertised, sold, and offered cracked on various sites and [forums. The RAT appears to still be actively pushed by cybercriminals. In 2017, we reported spotting Remcos being delivered via a malicious](https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/) PowerPoint slideshow, embedded with an exploit for CVE-2017-0199. Recently, the RAT has made its way to phishing emails. The malicious actor behind the phishing email appears to use the email address rud-division@alkuhaimi[.]com (with a legitimate domain) and the subject "RE: NEW ORDER 573923". The email includes the malicious attachment using the ACE compressed file format, Purchase _order201900512.ace, which has the loader/wrapper Boom.exe._ ## Analyzing the wrapper/loader After converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers, possibly to evade detection and make it difficult for researchers to reverse. The top layer of obfuscation is shown in the following: ----- _Figure 1. Obfuscated core functions_ ----- _gu e_ _u ct o s used o deob uscat o_ The main goal of the Boom.exe file is to achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT on an affected system. The above snippet code first calculates the value inside the array and then uses the ChrW() function to convert the Unicode number to the character. _Figure 3. Sample of string decoding_ In some cases after decryption, the malware uses the AutoIt function called BinaryToString() to deobfuscate the next layer. The following code snippet demonstrates this behavior: _Figure 4. AutoIt Binary to String decoding_ After deobfuscation, the AutoIt code can be seen containing large amounts of junk code meant to throw analysts off the track. ----- _Figure 5. Sample of junk code_ The malware then creates a copy of itself in %AppData%\Roaming\appidapi\UevTemplateBaselineGenerator.exe and loads the main payload (Remcos RAT) from its resource section. The malware then prepares the environment to execute the main payload. It achieves this by executing the following Shellcode (frenchy_shellcode version 1). _Figure 6. Frenchy_ShellCode_001_ ----- _Figure 7. Executing and decoding Frenchy Shellcode_ _Figure 8. Frenchy Shellcode Mutant_ Decoding and loading Remcos from resources The DecData() function loads the data from its resource then reverses all data and replaces “%$=” with “/”. _Figure 9. AutoIt decoding the main payload: Code + encoded resource (Remcos RAT)_ _Figure 10. AutoIt decoding the main payload: Code only_ Then it uses the following to decode the base64 PE file, which is the main payload: **$a_call = DllCall("Crypt32.dll", "int", "CryptStringToBinary", "str", $sData, "int", 0, "int", 1, "ptr", 0, "ptr",** **DllStructGetPtr($struct, 1), "ptr", 0, "ptr", 0)** ----- _Figure 11. Decoding Remcos from AutoIt_ ## Loader features _Anti-VM_ This AutoIt loader is capable of detecting a virtual machine environment by checking vmtoolsd.exe and vbox.exe in the list of running processes. However, it should be noted that this feature is not invoked in this sample. _Figure 12. AutoIt loader’s Anti-VM_ _Bypass UAC_ Depending on the Windows version, the malware uses either the built-in Event Viewer utility (eventvwr) or fodhelper to bypass the User Account Control (UAC). ----- _Figure 13. UAC bypass_ _Anti-Debugging_ If the loader detects IsdebuggerPresent in the system, it will display the message, “This is a third-party compiled AutoIt script.” and exits the program. _Figure 14. AutoIt loader checks for a debugger_ ## Examining the main payload, Remcos RAT Originally marketed as a remote access tool that legitimately lets a user control a system remotely, Remcos RAT has since been used by cybercriminals. Once the RAT is executed, a perpetrator gains the ability to run remote commands on the user’s system. In a past campaign, [for instance, the tool was seen with a variety of capabilities, which includes downloading and executing commands, logging keys, logging](https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/) screens, and capturing audio and video using the microphone and webcam. For the analysis of this payload, we looked into the sample Remcos Professional version 1.7. _Figure 15. Remcos version_ ----- Upo e ecut o, depe d g o t e co gu at o, t e a a e c eates a copy o tse _% pp ata%\ e_ _cos\ e_ _cos e e, uses_ _sta bat to_ execute remcos.ex$ from the %APPDATA% directory, and finally deletes itself. It then creates the following Run key in the Registry to maintain persistence on the system. _Figure 16. Install.bat dropped by Remcos_ _Figure 17. Remcos RAT changes the Registry entry to maintain persistence_ _Figure 18. Reflected Remcos RAT change in the Registry_ The malware retrieves the configuration called “SETTING” from its resource section. ----- _Figure 19. Remcos loads the encrypted settings from its resources_ The content of the configuration is encrypted using the RC4 algorithm, as seen below: _Figure 20. Remcos encrypted configuration_ The following, on the other hand, is the RC4 algorithm used to decrypt the above configuration: ----- _Figure 21. RC4 algorithm to decrypt the configuration_ _Figure 22. Decrypted configuration_ The malware then creates the following mutex to mark its presence on the system: _Figure 23. Remcos RAT mutex_ It then starts to collect system information such as username, computer name, Windows version, etc., which it sends to the command and control (C&C) server. The malware encrypts the collected data using the RC4 algorithm with the password “pass” from the configuration data. ----- _Figure 24. Remcos collecting system information_ ----- _Figure 25. Clear text data collected by Remcos, where “|cmd|” is the delimiter_ _Figure 26. Data is encrypted and sent to C&C server_ ----- _Figure 27. Encrypted data_ The following list shows some of the commands supported by the malware: **Commands** **Description** **Clipboarddata** **Getclipboard** **Setclipboard** **Emptyclipboard** Clipboard manager **deletefile** Delete file(s) **downloadfromurltofile** Download a file from specified URL and execute it on an infected system **execcom** Execute a shell command **filemgr** File manager **getproclist** List the running processes **initremscript** Execute remote script from C&C **keyinput** Keylogger **msgbox** Display a message box on an infected system **openaddress** Open a specified website **OSpower** Shutdown, restart, etc. **ping** Ping an infected system (used for network check) **prockill** Kill a specific process **regopened** **regcreatekey** **regeditval** **regdelkey** **regdelval** **regopen** **initregedit** Add, edit, rename, or delete registry values and keys **scrcap** Screen capture **sendfiledata** Upload data to C&C server **uninstall** Uninstall itself from an infected system _Table 1. Remcos RAT commands_ ----- e co so ec d co a d s o t e e t gu e, o sta ce, s used to e ecute s e co a ds o a ected syste _Figure 28. Some examples of Remcos RAT’s commands_ _Figure 29. Browser/cookie-stealing feature_ After analyzing this Remcos variant — its configuration data, communication mechanism, and functionalities — we saw that it had many similarities with its older variant (detected as Backdoor.Win32.Remcosrat.A). However, this particular campaign delivers Remcos using an AutoIt wrapper, which incorporates different obfuscation and anti-debugging techniques to avoid detection. ## Prevention and Trend Micro Solutions ----- o de e d aga st t eats e e cos t at use e a based attac s, e ad se use s to e a o ope g u so c ted e a s especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately. We also recommend these best practices for added protection: [Learn how to identify phishing emails and spot indicators of unwanted emails (i.e., misspellings, odd vocabulary)](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks) Update applications and systems regularly Apply whitelisting, block unused ports, and disable unused components Monitor traffic in the system for any suspicious behavior Implementing security solutions with anti-spam filtering should weed out spam messages such as the one discussed here. The use of a [multilayered solution such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis, and proactive response to today’s](https://www.trendmicro.com/en_ca/business/products/network/advanced-threat-protection/deep-discovery-threat-intelligence-network-analytics.html) stealthy malware such as Remcos RAT, and targeted attacks in real-time. It provides a comprehensive defense tailored to protect [organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation](http://blog.trendmicro.com/trendlabs-security-intelligence/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks/) [across the entire attack lifecycle. Trend Micro™ Deep Discovery™ Inspector prevents malware from reaching end users. For a more](https://www.trendmicro.com/en_ca/business/products/network/advanced-threat-protection/inspector.html) [comprehensive security suite, organizations can consider the Trend Micro™ Cloud App Security™ solution, which employs machine learning](https://www.trendmicro.com/en_ca/business/products/hybrid-cloud.html) (ML) in web reputation and URL dynamic analysis. The solution can also detect suspicious content in the message body and attachments as well as provide sandbox malware analysis and document exploit detection. **Indicators of Compromise (IoCs)** **File Name and Email** **Address** Purchase order201900512.ace Boom.exe (Loader/Wrapper) **Note** **SHA-256 Hash** **Trend Micro Pattern De** Email attachment (ACE) ACE file content (Win32 EXE) cf624ccc3313f2cb5a55d3a3d7358b4bd59aa8de7c447cdb47b70e954ffa069b Backdoor.Win32.REMC 1108ee1ba08b1d0f4031cda7e5f8ddffdc8883db758ca978a1806dae9aceffd1 Backdoor.Win32.REMC 6cf0a7a74395ee41f35eab1cb9bb6a31f66af237dbe063e97537d949abdc2ae9 BKDR_SOCMER.SM remcos.ex$ Remcos RAT (Win32 EXE) ruddivision@alkuhaimi[.]com Sender ID -----