{"id":2153,"date":"2024-09-25T11:57:08","date_gmt":"2024-09-25T11:57:08","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2153"},"modified":"2025-07-29T03:22:43","modified_gmt":"2025-07-29T03:22:43","slug":"analysis-of-remcos-rat-campaign-part-1","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-remcos-rat-campaign-part-1\/","title":{"rendered":"Analysis of Remcos RAT Campaign – Part 1"},"content":{"rendered":"\n
\"\"\/<\/figure>\n\n\n\n

Remcos is a remote access trojan (RAT), or malware that takes remote control of infected computers. A “company” called Breaking Security creates and sells this trojan to customers. Although the malware distributor claims that the REMCOS program is only available to those who intend to use it for legal purposes, Remcos RAT provides clients with all of the features required to launch potentially damaging attacks on the victim’s system.<\/p>\n\n\n\n

The malware can be purchased using various methods, and bootlegged versions of the malware are available via dark web. It can also take screenshots and record keystrokes on infected machines before exfiltrating the data to designated command & control servers.<\/p>\n\n\n\n

Typically, Remcos RAT infects a system by embedding a specially crafted file into an Office document, either a MS Word, or MS Excel document, which permits the attacker to lure the user to execute malicious code without any warning or notification. The code is in XML which allows for any binary with parameters to be executed. Further, the same code is used to download and execute the REMCOS RAT.<\/p>\n\n\n\n

In-Short:<\/strong> Remcos RAT allows full control over the victim\u2019s machine and starts collecting sensitive information.<\/p>\n\n\n\n

Language Used: .NET \/ Delphi and Powershell<\/p>\n\n\n\n

Obfuscated: With Costura Assembly Loader<\/p>\n\n\n\n

Encryption Used: RC4 Algorithm<\/p>\n\n\n\n

Sample Version: 3.x<\/p>\n\n\n\n

Infection Chain:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here, REMCOS RAT infects its victim machine by initial infection vectors of spam campaign with attachment (EML). It contains a Microsoft Office documents (Excel) document with VBA macro enabled content. They tricked the user to enable the macros to perform their action. Once the user enables the content, it will drop a txt file embedded with .js script with invoke the web-request the malicious URI for further infection.<\/p>\n\n\n\n

Sample Information:<\/strong><\/p>\n\n\n\n

Family: REMCOS RAT Campaign | Category: Dropper<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n

Sample 1: Phishing Email Content
<\/strong>EML: cdd67c6483b4ed4e08c6ae437061f18a058263d800c2299f295b03c73520446c<\/p>\n

Here, the EML comes with banking sector deposit advice receipt. Usually, many users act immediately when they receive any kind of banking related mails. Malware authors deceives the users and spread it further.<\/p>\n\n\n

\"\"<\/figure>\n\n\n\n


Sample 2: Attached XLS Document<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the user opens the XLS document, there\u2019s an option to enable editing. This will take us to the next step of the malware\u2019s execution process.<\/p>\n\n\n\n

Enable-Content:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here, we can be able to see the macro enabled content. Basically, macro has a special function called \u201cWookbook_Active()\u201d<\/strong> which will automatically open. Its main function is to extract VBA code from the cells into a corresponding file path usually in the  \u201c%AppData%\\\u201d roaming folder and then execute it.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Dropped .TXT file:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the user enables the macro content, the above-mentioned files are dropped in the temporary folder. Generally, .tmp files are automatically created and deleted from a computer. It\u2019s a common function. But this uses the malware author to drop another XLS file as a TMP file. Also, it will take more memory accessible to execute a task.<\/p>\n\n\n\n

For Example: If we close the XLS file, the entire .tmp files will automatically deleted. The temp folder is a prime target for malwares. Usually, malware is often attached to or embedded in legitimate programs and applications. We can see in the below screenshot. This makes us believe, there\u2019s nothing unknown\/SUS applications are running in the background.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Sample 3: Embedded JS file<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This content is clear cut about the URL but it\u2019s in String reverse format. Once we re-order it we will get the exact URL. This will help the attacker to control the victim\u2019s device and sends sensitive information to their reserved C2 server.<\/p>\n\n\n\n

Indicator of Compromise [IOC]:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Remcos IOC<\/h3>\n\n\n\n

URLs involved in the Remcos campaigns observed: <\/strong><\/p>\n\n\n\n

hxxp:\/\/209[.]127[.]19[.]101\/flip.vbs<\/p>\n\n\n\n

hxxp:\/\/209[.]127[.]19[.]101\/mem.txt<\/p>\n\n\n\n

hxxp:\/\/209[.]127[.]19[.]101\/faze.jpg<\/p>\n\n\n\n

shiestynerd[.]dvrlists[.]com:10174<\/p>\n\n\n\n

mimi44[.]ddns[.]net:2405<\/p>\n\n\n\n

harveyautos110[.]ddns[.]net:2404<\/p>\n\n\n\n

harveyautos111[.]hopto[.]org:2404<\/p>\n\n\n\n

harveyautos112[.]ddns[.]net:2404<\/p>\n\n\n\n

harvey205[.]camdvr[.]org:2404<\/p>\n\n\n\n

harvey206[.]casacam[.]net:2404<\/p>\n\n\n\n

harvey207[.]accesscam[.]org:2404<\/p>\n\n\n\n

23[.]226[.]128[.]197:2404<\/p>\n\n\n\n

achimumuazi[.]hopto[.]org:2311<\/p>\n\n\n\n

xhangzhi[.]duckdns[.]org:2404<\/p>\n\n\n\n

 <\/p>\n\n\n\n

The following registry entries were added by Remcos RAT, <\/strong><\/p>\n\n\n\n

Key: HKCU \\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n\n\n\n

Value Name: SvchostHD<\/p>\n\n\n\n

Data: %ProgramFiles%\\SvchostHD\\svchost.exe<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Key: HKCU \\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n\n\n\n

Value Name: AudioHD<\/p>\n\n\n\n

Data: %ProgramFiles%\\ AudioHD\\AudioHD.exe<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Key: HKCU \\Software\\-<\/p>\n\n\n\n

Value Name: EXEpath<\/p>\n\n\n\n

 <\/p>\n\n\n\n

Sample Hash (SHA 256 format)<\/h3>\n\n\n\n[Remcos RAT Sample Info]\n\n\n\n

8F6DD0DB9E799393A61D6C9CF6495C164E1B13CB8E6B153B32359D5F07E793D2
DA609D3211D60D5B11FEAEAA717834CBE86E18103A1ED4FC09C2EE3E1CFF9442
737E11913EFB64ACCF1B88532C7CE8606676684D8364DDD027926F9FFC6ECFFB
B263876EBC01B310A8BFC58477523981184EB7E8F2DC955F0CF8E62124EB679A
2C8B78FC6C4FE463DAC9D39FDE2871F1BB2605453BC0F2D57C7549CF5D07AA86
A1A1395D0602A473FCC81BA7D1D90C3FB154321D1721E0069722B902B1057CB0
6B816D84ACCC3E1EBCE3EF55B64B0C5E0485228790DF903E68466690E58B5009<\/p>\n\n\n\n

REMCOS Malicious IOC Collection:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Communicating files:<\/strong> dc289b0d83115834981228b3eb75ed8dd4c001d53f086c95629b4d94c6333e9d<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Conclusion<\/strong><\/p>\n\n\n\n

To conclude, LMNTRIX has explained how a phishing email delivers an MS Excel document containing malicious macro to the victim’s device. We also discussed how it executes multiple VBA scripts to download the Remcos payload and how the Remcos payload is deployed. We have described Remcos RAT workflow and the malware’s ATT&CK MATRIX for remediation.<\/p>\n\n\n\n

MITRE ATT&CK MATRIX<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Remcos is a remote access trojan (RAT), or malware that takes remote control of infected computers. A “company” called Breaking Security creates and sells this trojan to customers. Although the malware distributor claims that the REMCOS program is only available to those who intend to use it for legal purposes, Remcos RAT provides clients with […]<\/p>\n","protected":false},"author":1,"featured_media":2167,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2153"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2153\/revisions"}],"predecessor-version":[{"id":4209,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2153\/revisions\/4209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2167"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}