AhnLab Security Emergency response Center (ASEC) has discovered circumstances of the Remcos remote control malware being distributed through an email disguised as a payslip.
As shown in Figure 1, the identified Remcos RAT was distributed under an email subject that read ‘This is a confirmation document for your payment transfer’, deceiving the readers. The attached compressed cab file contains an EXE file (Remcos RAT) disguised with a PDF file icon as shown in Figure 2.
Figure 1. Phishing email
Figure 2. Remcos RAT (.exe) within the attached compressed .cab file
As shown in Figure 3, Remcos RAT can not only perform keylogging, screenshot capturing, and controlling webcams and microphones according to the threat actor’s commands, but also enable malicious remote control such as extracting the histories and passwords saved to web browsers within the system it is installed in. [1]
As Remcos RAT is designed for remote control, it does not exhibit any malicious behaviors until commands are received from the threat actor’s server (C2). However, due to the behaviors of the offline keylogger which runs immediately after infection without any command from the C2, it can be detected with sandbox devices.
Figure 3. Various control features of the Remcos RAT’s remote control server (Remcos v2.6.0)
Figure 4 shows the Remcos RAT’s offline keylogger feature’s functions that run without any command from the C2. Specifically, it uses the SetWindowHookExA API and installs a hook procedure that monitors keyboard input events through the WH_KEYBOARD_LL argument, as shown in Figure 5.
Figure 4. Remcos RAT’s offline keylogger feature
Figure 5. Remcos RAT’s keyboard input hooking code (SetWindowsHookExA)
[Detection by MDS]
Figure 6 is the screen that shows the detection of the aforementioned Remcos RAT’s offline keylogger feature in AhnLab MDS sandbox environment. Figure 7 shows that the malicious behavior of hooking keyboard input has been detected.
Figure 6. Remcos RAT malware detected using AhnLab MDS (1)
Figure 7. Remcos RAT malware detected using AhnLab MDS (2)
RAT malware performs key malicious behaviors through the commands of the threat actor. Thus, it is characteristically difficult to be aware of said infections until the threat actor’s commands are run through communications with the server. To prevent security incidents and enable quick response upon breach, security administrators must not only use APT solutions such as MDS but also monitor abnormal behaviors occurring in endpoint environments with products such as EDR.
[IoC]
[MD5]
– 1e378b5dc586175e1b5e5931b8727ae3 (Remcos RAT v3.8.0 Pro)
[File Detection]
– Trojan/Win.Generic.R611702 (2023.10.14.00)
[Behavior Detection]
– SystemManipulation/MDP.Hooking.M10055
– Execution/MDP.Remcos.M11099
– DefenseEvasion/MDP.AntiAnalysis.M912
AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit AhnLab Global (https://global.ahnlab.com).
The post Distribution of Remcos RAT Disguised as Payslip appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/58195/