What has it been dubbed? REMCOS | Remote Control & Surveillance Software
What does it do?
According to researchers at Fortinet and The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), Remote Control & Surveillance Software (REMCOS) Remote Administration Tool (RAT) was first discovered being sold in hacking forums in the second half of 2016. It was not until around February of 2017 that researchers at Fortinet observed the payload being distributed in the wild. The malware is being deployed using malicious Microsoft Office documents going by the filenames of Quotation.xls or Quotation.doc, and these are most likely attached to SPAM emails. The malware uses a malicious macro which is designed to bypass Microsoft Windows User Account Control (UAC) security and execute the malware with high privilege.
How does it do it?
REMCOS has five main tabs:
- Connections – This tab is used to monitor all active connections in the client application, there is also a list of commands that can be initiated on all infected host (shown in the figure below).
- Automatic Tasks – This tab will allow the controller of the client to send tasks to the infected host as soon as they connect, this can all be done without the physical presence of the client application.
- Local Settings – These are settings for the client side application like which TCP port to listen on and a password can be applied for encryption of network traffic.
- Builder – Creates a server binary and can be compressed with UPX or MPRESS which are used for executable file compression.
- Event Log – This will give the client information about connections that have happened between the server and an infected client or its hosts.
The latest version of REMCOS has the following capabilities:
- Automatic Tasks
- Screen Capture
- Remote Chat
- File Manager
- File Search
- Fully fledged Remote Registry Editor
- Remote Scripting
- Download & Execute function
List of Windows functions commonly used by malware and found in sample:
- GetProcAddress – Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.
- GetModuleHandleA – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
- GetModuleHandleW – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
- GetModuleHandleExW – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
- WideCharToMultiByte – Used to convert a Unicode string into an ASCII string.
- GetStartupInfoW – Retrieves a structure containing details about how the current process was configured to run, such as where the standard handles are directed.
- QueryPerformanceCounter – Used to retrieve the value of the hardware-based performance counter. This function is sometimes using to gather timing information as part of an anti-debugging technique. It is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
- GetTickCount – Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
- IsDebuggerPresent – Checks to see if the current process is being debugged, often as part oan anti-debugging technique. This function is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
- LoadLibraryExW – Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
- OutputDebugStringW – Outputs a string to a debugger if one is attached. This can be used as an anti-debugging technique.
- CreateFileW – Creates a new file or opens an existing file.
Language identified in the PE:
Remote Administration Tools (RAT) are not new tools for hackers though this particular tool is advertised to work on all versions of Windows from WinXP to Win10 on both 32-64 bit machines. This could be very dangerous if used in targeted attacks as it encompasses a wide variety of systems and requires very little technical knowledge for attackers. The tool is able to capture a victims screen, download files from the infected system, download and execute other code/software, and much more. Though this tool has been available since 2016, over that time period it has grown and improved at it capabilities, and researchers are only recently observing its use in the wild.