Analyzing a Remcos RAT Infection

Aaron Stratton
Published in InfoSec Write-ups
Aug 2, 2022

Credit: breakingsecurity.net

Welcome! Today I’ll be writing about some malware analysis I did recently. I came across a post on Brad Duncan’s website (https://www.malware-traffic-analysis.net/2022/01/04/index.html) with some information about a Remcos RAT (Remote Access Trojan) infection originating from a malicious macro-enabled Excel document. Remcos was originally intended to serve as a legitimate tool for IT staff to remotely administer computers, but it has been widely abused by threat actors because it ships as a ready-made, fully featured remote access tool.

I decided to dig in and do some analysis myself, purely for my own learning and experience.

Indicators of Compromise (IOCs)

  • HTTP GET request — 64.188.19.241:80 — atcn.jpg
  • HTTP GET request — 104.223.119.167:80 — calient.jpg
  • HTTP GET request — 13.107.42.13:80 — misc.vbs
  • TLS encrypted traffic — 79.134.225.79:10174 — shiestynerd.dvrlists.com
  • SHA256: b1df072eba923c472e461200b35823fde7f8e640bfb468ff5ac707369a2fa35e
  • SHA256: 95c0a9e6463a2eb1bbfe3198cd4b6cd74927a209ca4ab17501c2f444494f4499
  • SHA256: df6b921e5b1379747c4ab66ad27cc729f387bb2c7c1c247f3c7bc5c9e3293ec3
  • SHA256: a9e4bb0982f850d37dcf3079d6f631d4f8d52d79f552711f88410ff3ae9dbd1a

Technical Analysis

Email & Malicious Excel Spreadsheet

Starting off, we have an .eml file (the email itself) to look at. This file gives us plenty of information to analyze, including the attached content and the email headers. We can see that there is an attached file named “Payment Remittance Advice 000000202213.xlsb”. The Content-Type field indicates that the attachment is a macro-enabled Microsoft Excel workbook, and the Content-Transfer-Encoding field indicates that the attachment data is base64 encoded.

We can then copy this base64 encoded data into CyberChef and decode it. Doing so reveals some more information, such as the “PK” magic bytes at the beginning of the file header, indicating a ZIP archive. Modern Microsoft Office files like Word documents, PowerPoint presentations, and Excel spreadsheets are actually ZIP archives containing multiple files. This, along with the [Content_Types].xml string, confirms that this is an Excel spreadsheet, as the email headers told us.

Base64 decoded attachment data.

Also using CyberChef, we can download a copy of the Excel spreadsheet by clicking on the floppy disk icon in the upper right portion of the output area. Now let’s get a hash of the spreadsheet and submit it to VirusTotal.

VirusTotal results for the “Payment Remittance Advice_000000202213.xlsb” Excel spreadsheet.

Clearly this is a malicious file, with 30 vendors on VirusTotal identifying it as such. At this point, we should see what we can learn about the macro embedded in the spreadsheet, as the macro is the component that actually contains the malicious functionality. Using oletools, we can quickly get an idea of how this macro carries out its malicious functions.

olevba output for the malicious macro embedded in the excel spreadsheet.

The olevba tool gives us some good information, indicating that the macro uses an auto-execution trigger (reported by olevba as AutoExec) to run automatically as soon as the spreadsheet is opened. It also tells us that the threat actor made an effort to obfuscate the functionality of the macro.

First Stage

We can also submit this Excel spreadsheet to a sandbox like Hatching Triage (https://tria.ge/) to learn more about its behavior.

Hatching Triage results for the malicious Excel spreadsheet.

The results from Hatching Triage indicate that the Excel process spawns a powershell.exe process as well as a ping.exe process, neither of which should normally be spawned by Excel. The threat actor uses a PowerShell script to ping google.com to make sure the victim machine has an internet connection. If the victim does have a connection, the script downloads and executes the first stage payload, a file named “misc.vbs”. Note that the command to download the misc.vbs file is lightly obfuscated using reversed text, which is un-reversed when the script runs. This is an attempt to evade static detection by automated tools, but it will not hold up every time when looked at by a good analyst.
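The Excel-to-powershell.exe and ping.exe behaviour the sandbox reports is exactly what endpoint telemetry can alert on. The following Python detection is an added example, not code from the original post or from Hatching Triage: it runs over constructed process-creation events shaped like Sysmon Event ID 1 (the GUIDs, paths and command lines are made up for the example) and flags scripting or network tools that descend from an Office process, walking the parent chain so that a ping.exe launched by a powershell.exe that Excel launched is still caught.

```python
import ntpath

# Office parents that should not normally launch scripting or network tools.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Children worth flagging when they descend from an Office process.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "ping.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (Sysmon Event ID 1 fields). Not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{1}", "ParentProcessGuid": "{0}",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{2}", "ParentProcessGuid": "{1}",
     "Image": OFFICE16 + r"\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"EXCEL.EXE" "Payment Remittance Advice_000000202213.xlsb"'},
    {"ProcessGuid": "{3}", "ParentProcessGuid": "{2}",
     "Image": PS_PATH,
     "ParentImage": OFFICE16 + r"\EXCEL.EXE",
     "CommandLine": "powershell.exe <placeholder arguments>"},
    {"ProcessGuid": "{4}", "ParentProcessGuid": "{3}",
     "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": PS_PATH,
     "CommandLine": "ping google.com"},
    {"ProcessGuid": "{5}", "ParentProcessGuid": "{2}",
     "Image": r"C:\Windows\splwow64.exe",  # benign print helper Excel spawns
     "ParentImage": OFFICE16 + r"\EXCEL.EXE",
     "CommandLine": "splwow64.exe"},
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path).lower()


def ancestor_chain(event: dict, by_guid: dict, max_depth: int = 6) -> list[str]:
    """Walk ParentProcessGuid links, nearest ancestor first. When the parent
    event is outside the collected window, fall back to the ParentImage field."""
    chain = []
    cur = event
    for _ in range(max_depth):
        parent = by_guid.get(cur["ParentProcessGuid"])
        if parent is None:
            chain.append(_basename(cur["ParentImage"]))
            break
        chain.append(_basename(parent["Image"]))
        cur = parent
    return chain


def detect_office_spawned_tools(events: list[dict]) -> list[dict]:
    """Alert on suspicious children with an Office process anywhere in their ancestry."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for ev in events:
        child = _basename(ev["Image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestor_chain(ev, by_guid)
        office = [p for p in chain if p in OFFICE_PARENTS]
        if office:
            alerts.append({
                "child": child,
                "office_ancestor": office[0],
                "chain": chain,
                "command_line": ev["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_spawned_tools(SAMPLE_EVENTS):
        print(f"{alert['child']} <- {' <- '.join(alert['chain'])}")
```

Matching on the ancestor chain rather than only the direct parent matters here: a rule written as "parent is excel.exe" would see the PowerShell launch but miss the ping.exe launched one level down, while a benign helper such as splwow64.exe is left alone because it is not in the suspicious-children set.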

HTTP GET request to download “misc.vbs” from OneDrive.

As we can see from the image above, the victim then downloads the misc.vbs file from the onedrive.live.com URL that we saw in the PowerShell script. Looking into the misc.vbs file, we can see that it is pretty heavily obfuscated; however, there is some information we can pull from it. Towards the bottom of the file there is an Execute call with a hex encoded argument, and that argument decodes to the address of the second stage payload.

Hex encoded address for the second stage payload within misc.vbs
Decoded address for second stage payload.

This first stage payload also establishes persistence for the second stage before it is installed by writing the second stage into the Windows registry.

Second stage being written to the registry to establish persistence

Now, even if the victim machine is restarted, the threat actor will still maintain a presence.

Second Stage

At this point, the victim has reached out and requested the second stage payload. Note that the response data below, although served as if it were a .jpg image, is hex encoded JScript code. This JScript then runs PowerShell with the supplied hex encoded arguments.

Hex encoded JScript code being masqueraded as jpg file data.

We can take this data and decode it with CyberChef to learn about its functionality.

Hex decoding of the JScript code.

As indicated in the image above, the PowerShell script reaches out to 104.223.119.167 again, this time to download a file named “calient.jpg”. This calient.jpg file is actually a JavaScript file with a DLL embedded inside it. This is described in an article from InQuest (https://inquest.net/blog/2022/01/24/analysis-remcos-rat-dropper); in short, this DLL is the final Remcos RAT payload.
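Across the chain, the only two string encodings in play are reversed text (the PowerShell download command in the first stage) and hex (the Execute argument in misc.vbs and the JScript served as a .jpg, which in turn hex-encodes its PowerShell arguments). The Python helper below is an added example, not code from the original post or CyberChef, that peels both layers automatically and pulls out any URLs: it scans the text forwards and reversed, hex-decodes every long run of hex digits that yields printable text, and recurses into each decoded layer. The sample inputs are constructed to mirror the shapes described above; they use the reserved example.invalid domain rather than the real infrastructure.

```python
import re

# Candidate URLs; the class excludes quotes and brackets that delimit script strings.
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
# A run of at least 8 bytes of hex digits (an even count of hex characters).
HEX_RUN_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")

# Constructed samples (not the real scripts). SAMPLE_PS holds a reversed URL the
# way the first-stage command did; SAMPLE_VBS and SAMPLE_JS hex-encode a string
# containing a URL, the way the Execute argument and the JScript payload did.
SAMPLE_PS = "$u = 'sbv.csim/dilavni.elpmaxe//:ptth'  # reversed, un-reversed at run time"
SAMPLE_VBS = 'Execute("' + "http://example.invalid/stage2.bin".encode().hex() + '")'
SAMPLE_JS = 'var a = "' + "url=http://example.invalid/stage3.jpg".encode().hex() + '";'


def _printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_hex_runs(text: str) -> list[str]:
    """Return each hex run in text that decodes to printable ASCII."""
    layers = []
    for match in HEX_RUN_RE.finditer(text):
        raw = bytes.fromhex(match.group(0))
        if _printable(raw):
            layers.append(raw.decode("ascii"))
    return layers


def extract_urls(text: str, depth: int = 3) -> set[str]:
    """Collect URLs from the text as-is, from its reversal, and from up to
    `depth` nested hex-decoded layers (each layer is also checked reversed)."""
    found = set(URL_RE.findall(text))
    found |= set(URL_RE.findall(text[::-1]))  # reversed-text obfuscation layer
    if depth > 0:
        for layer in decode_hex_runs(text):
            found |= extract_urls(layer, depth - 1)
    return found


if __name__ == "__main__":
    for label, sample in (("first stage", SAMPLE_PS), ("misc.vbs", SAMPLE_VBS),
                          ("jscript", SAMPLE_JS)):
        print(f"{label:>12}: {sorted(extract_urls(sample))}")
```

The depth limit is what keeps this safe to point at arbitrary script text: a hex layer that itself contains hex (as the JScript-to-PowerShell hand-off does) is followed, but a pathological input cannot make the decoder recurse indefinitely. The printable check discards hex runs that are really binary data or random identifiers.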

Command & Control (C2)

Following the installation of the final Remcos RAT payload, a clear pattern of C2 traffic is observable between the victim machine and a domain, “shiestynerd.dvrlists.com” at IP address 79.134.225.79.

C2 traffic following installation of Remcos RAT.

This domain and IP address are identified as malicious by 11 vendors on VirusTotal.

VirusTotal results for the C2 domain.

Conclusion

Thank you for taking the time to read my blog post! I hope you enjoyed it and got some value from it. If you did, please follow me and share this post. Also, special thanks to Dmitry Melikov from InQuest for his awesome article detailing a very similar analysis. Come back soon!
