Full Report
Authored by Sakshi Jaiswal and Anuradha M. In Q3 2024, McAfee Labs identified a sharp rise in the Remcos RAT threat. The post "The Stealthy Stalker: Remcos RAT" appeared first on the McAfee Blog.
Analysis Summary
# Tool/Technique: Remcos RAT
## Overview
Remcos RAT (Remote Access Trojan) gained significant attention in Q3 2024. It is used by cybercriminals for espionage, data theft, and system manipulation. It grants remote control over infected machines and is frequently delivered via phishing emails and malicious attachments.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows
- Capabilities: Remote control, data theft, system manipulation, multi-stage delivery, obfuscation, persistence mechanisms, process injection.
- First Seen: Q3 2024 (Prevalence noted in this period)
## MITRE ATT&CK Mapping
The article focuses on the delivery and execution chain; the behaviour it describes maps to the following ATT&CK techniques:
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1204.002 - User Execution: Malicious File
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1055 - Process Injection
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (implied by the C2 communication)
## Functionality
### Core Capabilities
- Remote access and control of infected hosts.
- Data exfiltration capabilities (implied by data theft objective).
- Delivery via VBS files leading to PowerShell execution.
- Multi-stage, multi-file downloads from attacker-controlled or abused hosting (Google Drive, FTP).
### Advanced Features
- **Multi-Layer Obfuscation:** Uses highly obfuscated PowerShell for initial execution stages.
- **Conditional Downloading:** Checks for PowerShell version 2.0 to determine download source (Google Drive if 2.0, FTP if higher).
- **Use of Legitimate Tools:** Leverages FileZilla client for FTP downloads.
- **Payload Staging:** Downloads DLLs encoded within text files from PasteCode.io snippets.
- **Evasion Tactic (Directory Misleading):** Creates a deceptive directory structure (`AppData\Local\Microsoft\LocalLow`) to mimic legitimate Windows paths (`AppData\LocalLow`).
- **Persistence Mechanism:** Establishes persistence by creating a self-copy in the Startup folder and establishing a persistent registry entry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
- **Final Stage Execution:** Loads a .NET assembly (`ClassLibrary3.dll`) and executes a method, ultimately injecting the final Remcos payload into `RegAsm.exe` memory space.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: DLL01.txt, Entry.txt, Rumpe.txt, ClassLibrary3.dll, ClassLibrary1.dll, x3.txt, x2.ps1, yrnwr.ps1
- Registry Keys: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (for persistence via `yrnwr.ps1`)
- Network Indicators:
  - C2 URL (stored reversed and decoded at runtime): `https://koneotemarket[.]com/zst[.]txt` (content accessed via Base64)
  - FTP Server: `ftp://desckvbrat1@ftp[.]desckvbrat[.]com[.]br/Upcrypter/01/` (User: desckvbrat1, password obscured)
  - Download source (if PowerShell 2.0): `https[:]//drive[.]google[.]com/uc?export=download&id=[ID]`
- Behavioral Indicators:
  - Execution chain starts with a VBS file.
  - Use of long, obfuscated PowerShell commands.
  - Use of FileZilla for file retrieval from FTP.
  - Creation of a directory structure in the misleading path: `C:\Users\<user>\AppData\Local\Microsoft\LocalLow\System Update\`
  - Process injection into `RegAsm.exe`.
## Associated Threat Actors
- [Not explicitly named, but associated with sophisticated cybercriminals deploying RATs for espionage and data theft.]
## Detection Methods
- Signature-based detection: Signatures for the known dropped DLLs and final payload.
- Behavioral detection: Monitoring for VBS execution leading to highly obfuscated PowerShell, checking for system/directory manipulation behavior, rapid execution of downloaded .NET assemblies, and process injection into `RegAsm.exe`.
- YARA rules: [Not provided in the context]
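As an added example (not code from the McAfee write-up), the following Python turns the behavioural indicators above into rules evaluated over process-creation records in the shape of Sysmon Event ID 1 data: a `.vbs` run by a Windows script host that spawns PowerShell, a long or encoded PowerShell command line, PowerShell launching the FileZilla client, `RegAsm.exe` started from a scripting host, and any reference to the misleading `AppData\Local\Microsoft\LocalLow` directory. The record layout, the obfuscation thresholds and the sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed, Sysmon Event ID 1 shaped)."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # full command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The deceptive directory from the write-up (mimics the real AppData\LocalLow).
MISLEADING_PATH = re.compile(r"\\appdata\\local\\microsoft\\locallow\\", re.I)
# Explicit encoded-command switches.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
# Characters that dominate concatenation/escape style PowerShell obfuscation.
OBF_CHARS = set("'\"+`$(){}[]")


def image_name(path: str) -> str:
    """Lower-cased file name component of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline: str) -> float:
    """Fraction of non-whitespace characters that are obfuscation-typical."""
    chars = [c for c in cmdline if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if c in OBF_CHARS) / len(chars)


def is_obfuscated_powershell(cmdline: str, min_len: int = 400,
                             min_score: float = 0.15) -> bool:
    """Heuristic: an encoded command, or a very long line dense in quote/concat
    syntax. The thresholds are assumptions; tune them against your own baseline."""
    if ENCODED_FLAG.search(cmdline):
        return True
    return len(cmdline) >= min_len and obfuscation_score(cmdline) >= min_score


def detect(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings in event order."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        # 1. Script host running a .vbs that spawns PowerShell.
        if name in POWERSHELL and pname in SCRIPT_HOSTS and ".vbs" in parent.cmdline.lower():
            findings.append(("vbs_to_powershell", e.pid))
        # 2. Long / encoded / heavily obfuscated PowerShell command line.
        if name in POWERSHELL and is_obfuscated_powershell(e.cmdline):
            findings.append(("obfuscated_powershell", e.pid))
        # 3. PowerShell launching the FileZilla client for payload retrieval.
        if name == "filezilla.exe" and pname in POWERSHELL:
            findings.append(("powershell_spawns_filezilla", e.pid))
        # 4. RegAsm.exe (the injection target) started from a scripting host.
        if name == "regasm.exe" and (pname in POWERSHELL or pname in SCRIPT_HOSTS):
            findings.append(("regasm_from_script_host", e.pid))
        # 5. Any reference to the misleading LocalLow directory.
        if MISLEADING_PATH.search(e.image) or MISLEADING_PATH.search(e.cmdline):
            findings.append(("misleading_locallow_path", e.pid))
    return findings


# Constructed sample chain mirroring the write-up, plus two benign records.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c " + "('a'+'b'+'c');" * 60),
    ProcessEvent(400, 300, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "filezilla.exe"),
    ProcessEvent(500, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -File "C:\Users\alice\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1"'),
    ProcessEvent(600, 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    ProcessEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Each rule on its own is noisy in some environments (developers do start `RegAsm.exe`, admins do run long scripts); the value is in seeing several of them fire within one parent/child chain, which is what the sample run shows. The `obfuscation_score` heuristic is deliberately simple and is the first thing to recalibrate against real telemetry.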
## Mitigation Strategies
- **Email Security:** Filtering and inspecting incoming emails containing suspicious attachments (VBS files).
- **Script Execution Control:** Implementing policies to restrict or monitor PowerShell execution, especially obfuscated scripts.
- **Application Control:** Restricting execution of unsigned .NET assemblies and preventing DLL loading or method invocation from unusual locations such as user-writable directories.
- **Network Monitoring:** Monitoring outbound connections to known C2 domains, unusual FTP connections, and direct access to file hosting services for payload retrieval.
- **Persistence Monitoring:** Auditing and preventing modifications to the `HKCU\...\Run` registry key, especially for entries pointing to randomized script locations.
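The persistence-monitoring point above can be turned into a periodic audit. The Python below is an added example, not McAfee's code: it scores each value of the current user's `Run` key (read with the standard `winreg` module on Windows, or supplied as a constructed mapping elsewhere) and flags values that hand a script interpreter a script stored under a user-writable directory, with extra weight for the misleading `AppData\Local\Microsoft\LocalLow` path, a hidden-window switch, or an encoded command. The regular expressions, severity rule and sample values are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
INTERPRETERS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
SCRIPT_EXT = r"\.(?:ps1|vbs|js|bat|cmd|hta)"
# A quoted script path (may contain spaces) or a bare one (no spaces).
SCRIPT_PATH = re.compile(r'"([a-z]:\\[^"]+?' + SCRIPT_EXT + r')"|([a-z]:\\\S+?' + SCRIPT_EXT + r')', re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.I)
# The deceptive directory from the write-up (mimics the real AppData\LocalLow).
MISLEADING = re.compile(r"\\appdata\\local\\microsoft\\locallow\\", re.I)
HIDDEN_WINDOW = re.compile(r"\s-(w|windowstyle)\s+hidden", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def read_run_key() -> Dict[str, str]:
    """Read the current user's Run key (Windows only; returns {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def assess(name: str, command: str) -> Optional[Dict[str, object]]:
    """Score one Run value; None means it does not match the pattern."""
    if not INTERPRETERS.search(command):
        return None
    m = SCRIPT_PATH.search(command)
    script = (m.group(1) or m.group(2)) if m else None
    reasons = ["launches a script interpreter"]
    if script and USER_WRITABLE.search(script):
        reasons.append("script stored under a user-writable directory")
    if script and MISLEADING.search(script):
        reasons.append("script under the misleading AppData\\Local\\Microsoft\\LocalLow path")
    if HIDDEN_WINDOW.search(command):
        reasons.append("requests a hidden window")
    if ENCODED.search(command):
        reasons.append("passes an encoded command")
    if len(reasons) == 1:
        return None  # an interpreter alone is common for signed vendor scripts
    return {
        "name": name,
        "command": command,
        "script": script,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 3 else "medium",
    }


def audit(values: Dict[str, str]) -> List[Dict[str, object]]:
    """Assess every Run value; findings are ordered high severity first."""
    findings = [f for f in (assess(n, c) for n, c in values.items()) if f]
    return sorted(findings, key=lambda f: 0 if f["severity"] == "high" else 1)


# Constructed sample: two benign entries and two that fit the write-up's pattern.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SystemUpdate": r'powershell.exe -w hidden -File "C:\Users\alice\AppData\Local\Microsoft\LocalLow\System Update\yrnwr.ps1"',
    "Updater": r"wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs",
    "Vendor": r'"C:\Program Files\Vendor\tool.exe" --tray',
}

if __name__ == "__main__":
    live = read_run_key()
    for finding in audit(live or SAMPLE_RUN_VALUES):
        print(f"[{finding['severity']}] {finding['name']}: {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run on a workstation, `read_run_key()` supplies the live values and the sample mapping is only used as a fallback; feeding the same function the `Run` key exported from many hosts (for example via an EDR registry collection) turns it into a fleet-wide sweep for the pattern.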
## Related Tools/Techniques
- AsyncRAT (Mentioned in related articles, indicating a trend in RAT usage).
- Other RAT families that rely on multi-stage, obfuscated PowerShell chains for deployment.