Are Remcos RAT procedures mitigated on this host?

This week, we are releasing 2 TTPs:

• Are Remcos RAT procedures mitigated on this host?
• Are Ursnif malware procedures mitigated on this host?

Are Remcos RAT procedures mitigated on this host?

Remcos was listed in CISA's "2021 Top Malware Strains" advisory and has been active since 2016. Remcos, short for Remote Control and Surveillance, is classified as a remote access trojan (RAT). Remcos is a closed-source tool created by a company called Breaking Security which is available for anyone to download. Remcos was observed in many malware campaigns, especially during the COVID pandemic. Remcos installs a backdoor on the victim's machine, and threat actors can issue a variety of commands on the victim, such as maintaining persistence, injecting into legitimate Windows processes, and capturing data from the victim's microphone and screen, to name a few. Malicious actors have used Remcos to steal personal data and credentials.

At a high level, some of Remcos capabilities are:

• Initial access - Usually delivered in phishing emails as a malicious attachment either as the initial payload or as an additional payload via a stager.
• Execution - JScript files are executed via wscript.exe to initiate the next stage or run a payload.
• Persistence - Binary is added to Registry Run Keys or the Startup folder.
• Privilege Escalation - UAC bypass techniques and process injection are performed for privilege escalation.
• Defense Evasion - Performing process injection to inject into legitimate processes. Obfuscated files are also utilized to attempt to bypass detections.
• Credential Access - Keylogging to obtain the victim's personal information or credentials.
• Collection - Numerous activities to collect personal information and credentials from the victim: keylogging, screen capture, video capture, and audio capture.
• Command and Control - Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.

This TTP was designed to emulate Remcos' execution, persistence and collection capabilities. Microsoft Defender may flag the Remcos installer as Backdoor:Win32/Remcos.GA!MTB.

Testing

Execute Can this host mitigate procedures used in Remcos RAT? in Operator on each host in your environment to test if you are vulnerable.

This TTP will download an ISO file to C:\Users\Public, mount it, and copy the Remcos installer to $APPDATA. To emulate execution calc.exe is copied to $APPDATA and named iys.exe. This copy of calc is added to HKCU\Microsoft\Windows\CurrentVersion\Run. A VBS file named install.vbs is created to execute iys.exe using Wscript.exe. To emulate browser history deletion log.dat file is created in $APPDATA\remcos. Registry entries are created under HKCU\Software specific to Remcos installations. The TTP will perform a conditional check to verify if the Remcos installer named dhl AWB 3452778287 Shipping delivery notification,pdf.exe was written to disk. Lastly, the TTP will delete all created artifacts.

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure antivirus signatures are up-to-date. Change the file association for JScript files to notepad.exe instead of wscript.exe, as this will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious wscript.exe processes and registry run key creation can help identify these malicious actions.

Are Ursnif malware procedures mitigated on this host?

At a high level, some of Ursnif capabilities are:

• Initial access - Phishing with Office documents, replication through removable media.
• Execution - May load malware via mshta, PowerShell, Visual Basic, and Native API functions.
• Persistence - Windows Run keys and Windows services may be used.
• Defense Evasion - Registry modification, hidden windows, process injection, and file obfuscation.
• Credential Access - Ursnif may use API hooking to steal credentials.
• Discovery - System information discovery, including reg key enumeration and process discovery.
• Collection - Screen captures, browser session hijacking, and credential API hooking may be used.

This TTP was designed to emulate Ursnif's discovery and execution capabilities.

Testing

Execute Are Ursnif malware procedures mitigated on this host? in Operator on each host in your environment to test if you are vulnerable.

This TTP will copy a benign Windows DLL from System32 to the Desktop and rename it with a second file extension. The TTP then attempts three methods used by Ursnif to execute staged DLLs, loaddll32.exe, rundll32.exe, and regsvr32.exe. Next, the TTP uses systeminfo.exe to collect system information and staged it to a temp file in the %AppData%\Local\Temp.

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure the organization logs process and command-line information, especially from Office and applications that can execute arbitrary code. If possible, disable Office macro execution and remove local administrators from devices.

Check out the TTP Are Ursnif malware procedures mitigated on this host?.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VVX7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza