{"id":1863,"date":"2024-09-25T07:09:18","date_gmt":"2024-09-25T07:09:18","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1863"},"modified":"2025-07-29T02:57:41","modified_gmt":"2025-07-29T02:57:41","slug":"analysis-of-remcos-rat-campaign-part-2","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-remcos-rat-campaign-part-2\/","title":{"rendered":"Analysis of Remcos RAT Campaign – Part 2"},"content":{"rendered":"\n
\"Remcos<\/figure>\n\n\n\n

In our previous analysis of Remcos RAT<\/strong>, we examined the XLS variant<\/a>, this analysis will focus on a phishing email and a document (MS Word) infecting the victim’s computer with Remcos RAT payload. Remcos RAT, also known as Remote Control and Surveillance RAT, is a remote access Trojan (RAT) that enables attackers to take control and get unauthorised access to a victim’s computer. Malicious email attachments, software piracy downloads, and other social engineering techniques are frequently used to spread the malware.<\/p>\n\n\n\n

Remcos RAT is a powerful & flexible tool that attackers can modify to meet their unique needs. It has been used in a variety of cyber attacks, including financial fraud, ransomware attacks, and espionage efforts over the last 3 years. According to observations by LMNTRIX CDC from infection data, they are collaborating with other APT organisations, including APT33 and The Gorgon Group.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Infection Chain<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Target<\/strong> – Windows Platform<\/p>\n\n\n\n

Infection Vector<\/strong> – Malspam campaign, or phishing emails<\/p>\n\n\n\n

The initial vector for attacking users may vary depending on the threat actor’s motivation and targeted geography, we all know how cyber criminals perform basic reconnaissance against targets prior to attacking a range of victims with an infection vector of choice.<\/p>\n\n\n\n

Sample Information<\/strong><\/p>\n\n\n\n

Threat Name: RemcosRAT | Category: Backdoor | Classification: Exploit<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of CVE-2017-11882<\/strong><\/h3>\n\n\n\n

The Equation Editor is an exploit that refers to vulnerability in Microsoft Office’s Equation Editor component that was discovered in late 2017. The Equation Editor is a tool that allows users to insert mathematical equations into Office documents.<\/p>\n\n\n\n

The vulnerability, known as CVE-2017-11882, allowed attackers to execute arbitrary code on a victim’s computer by exploiting a buffer overflow in the Equation Editor component. An attacker could exploit this vulnerability by sending a malicious RTF document containing a specially crafted Equation Editor object to a victim via phishing emails.<\/p>\n\n\n\n

a) Phishing Email<\/strong><\/p>\n\n\n\n

Once the user opens the document, the exploit would execute at the backend, which allows the attacker to take control of the victim’s computer, steal data, and install malware. It\u2019s very dangerous because it can infect all versions of Microsoft Office released since 2000, including Office 365.<\/p>\n\n\n

\n
\"\"
Screenshot of Phishing Email<\/figcaption><\/figure>\n<\/div>\n\n\n

b) Attachment RTF Document<\/strong><\/p>\n\n\n\n

RTF (Rich Text Format) is a file format used for storing and exchanging formatted text documents between different word processing software. It was developed by Microsoft as a cross-platform document format that could be used by multiple software applications.<\/p>\n\n\n\n

Usually, the RTF document must start out with these six characters. ie: {\\rtf1 – where, 1 is the RTF version number.<\/p>\n\n\n

\n
\"\"
RTF – CVE-2017-11882 file<\/figcaption><\/figure>\n<\/div>\n\n\n

As we saw many randomized numbers in the RTF document, here we need to find out the embedded Equation Editor.3 in this document.<\/p>\n\n\n\n

RTF Header has the following representation<\/strong><\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Hardcoded RTF file<\/strong><\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Here we successfully found the hard-coded ZtIoN.3 in the document. Still using this exploit some attackers continue to use the exploit to target systems which have not been updated yet.<\/p>\n\n\n\n

Dropped Payload file<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Payload File Names<\/strong><\/p>\n\n\n\n

\n

{{<\/p>\n\n\n\n

vpviupnho[[]].[[]]exe<\/p>\n\n\n\n

13d891549b770c28273dba1d0b1124130badacc1[[]].[[]]bin<\/p>\n\n\n\n

Plueajsoxt[[]].[[]]exe<\/p>\n\n\n\n

}}<\/p>\n<\/blockquote>\n\n\n\n

 <\/p>\n\n\n\n

Indicator of Compromise for Remcos RAT<\/strong><\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

 <\/p>\n\n\n\n

Once the Remcos RAT infects your system, the following actions can be performed,<\/strong><\/p>\n\n\n\n

\u25cf Monitoring user activity from time to time,
\u25cf Stealing passwords and logging keystrokes,
\u25cf Establish remote desktop connections,
\u25cf Bypass traditional antivirus and endpoint products,
\u25cf Maintaining persistence on the targeted machine,
\u25cf Runs as a legitimate process by injecting into the Windows process,
\u25cf Gains admin privileges and disables user account control (UAC),
\u25cf Editing the registry and using reverse proxy.<\/p>\n\n\n\n

 <\/p>\n\n\n\n

MITRE ATT&CK Tactics & Techniques to detect Remcos RAT<\/strong><\/p>\n\n\n\n

ID<\/td>Tactic<\/td>Technique<\/td><\/tr>
TA0001<\/td>Initial Access<\/td>Spearphishing Attachment<\/td><\/tr>
TA0002<\/td>Execution<\/td>Windows Scripting Exploitation for Client Execution<\/td><\/tr>
TA0003<\/td>Persistence<\/td>Registry Run Keys \/ Startup Folder<\/td><\/tr>
TA0004<\/td>Privilege Escalation<\/td>Scheduled Task<\/td><\/tr>
TA0005<\/td>Defense Evasion<\/td>Modify Registry Virtualization Evasion Technique<\/td><\/tr>
TA0006<\/td>Credential Access<\/td>Credentials in Registry Credentials in Files Credential Dumping<\/td><\/tr>
TA0007<\/td>Discovery<\/td>System Network Configuration Discovery Process Discovery File and Directory Discovery Query Registry<\/td><\/tr>
TA0008<\/td>Lateral Movement<\/td>Remote file copy<\/td><\/tr>
TA0009<\/td>Collection<\/td>Automated Collections Data from Local System<\/td><\/tr>
TA0011<\/td>C&C Server<\/td>Web Protocols Standard Application Layer Protocol Uncommonly used Ports Standard Cryptographic Protocol etc.,<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

In our previous analysis of Remcos RAT, we examined the XLS variant, this analysis will focus on a phishing email and a document (MS Word) infecting the victim’s computer with Remcos RAT payload. Remcos RAT, also known as Remote Control and Surveillance RAT, is a remote access Trojan (RAT) that enables attackers to take control and get […]<\/p>\n","protected":false},"author":1,"featured_media":1872,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1863"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1863\/revisions"}],"predecessor-version":[{"id":4166,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1863\/revisions\/4166"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1872"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}