Are Remcos RAT procedures mitigated on this host?

This TTP was designed to emulate Remcos' execution and persistence capabilities. This TTP downloads Remcos via an ISO, using Wscript to execute a benign binary. The TTP then creates a log file to emulate browser artifact deletion and modifies the Registry with artifacts specific to Remcos.

This week, we are releasing 2 TTPs:

  • Are Remcos RAT procedures mitigated on this host?
  • Are Ursnif malware procedures mitigated on this host?

Are Remcos RAT procedures mitigated on this host?

Remcos was listed in CISA's "2021 Top Malware Strains" advisory and has been active since 2016. Remcos, short for Remote Control and Surveillance, is classified as a remote access trojan (RAT). Remcos is a closed-source tool created by a company called Breaking Security which is available for anyone to download. Remcos was observed in many malware campaigns, especially during the COVID pandemic. Remcos installs a backdoor on the victim's machine, and threat actors can issue a variety of commands on the victim, such as maintaining persistence, injecting into legitimate Windows processes, and capturing data from the victim's microphone and screen, to name a few. Malicious actors have used Remcos to steal personal data and credentials.

At a high level, some of Remcos capabilities are:

  • Initial access - Usually delivered in phishing emails as a malicious attachment either as the initial payload or as an additional payload via a stager.
  • Execution - JScript files are executed via wscript.exe to initiate the next stage or run a payload.
  • Persistence - Binary is added to Registry Run Keys or the Startup folder.
  • Privilege Escalation - UAC bypass techniques and process injection are performed for privilege escalation.
  • Defense Evasion - Performing process injection to inject into legitimate processes. Obfuscated files are also utilized to attempt to bypass detections.
  • Credential Access - Keylogging to obtain the victim's personal information or credentials.
  • Collection - Numerous activities to collect personal information and credentials from the victim: keylogging, screen capture, video capture, and audio capture.
  • Command and Control - Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.

This TTP was designed to emulate Remcos' execution, persistence and collection capabilities. Microsoft Defender may flag the Remcos installer as `Backdoor:Win32/Remcos.GA!MTB`.

Testing

Execute `Can this host mitigate procedures used in Remcos RAT?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will download an ISO file to `C:\Users\Public`, mount it, and copy the Remcos installer to $APPDATA. To emulate execution `calc.exe` is copied to $APPDATA and named `iys.exe`. This copy of calc is added to `HKCU\Microsoft\Windows\CurrentVersion\Run`. A VBS file named `install.vbs` is created to execute `iys.exe` using `Wscript.exe`. To emulate browser history deletion `log.dat` file is created in `$APPDATA\remcos`. Registry entries are created under `HKCU\Software` specific to Remcos installations. The TTP will perform a conditional check to verify if the Remcos installer named `dhl AWB 3452778287 Shipping delivery notification,pdf.exe` was written to disk. Lastly, the TTP will delete all created artifacts.

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure antivirus signatures are up-to-date. Change the file association for JScript files to `notepad.exe` instead of `wscript.exe`, as this will prevent immediate execution if a victim double-clicks the malicious JScript file. Ensuring your current protections log suspicious `wscript.exe` processes and `registry run key` creation can help identify these malicious actions.

Are Ursnif malware procedures mitigated on this host?

At a high level, some of Ursnif capabilities are:

  • Initial access - Phishing with Office documents, replication through removable media.
  • Execution - May load malware via `mshta`, `PowerShell`, `Visual Basic`, and Native API functions.
  • Persistence - Windows Run keys and Windows services may be used.
  • Defense Evasion - Registry modification, hidden windows, process injection, and file obfuscation.
  • Credential Access - Ursnif may use API hooking to steal credentials.
  • Discovery - System information discovery, including reg key enumeration and process discovery.
  • Collection - Screen captures, browser session hijacking, and credential API hooking may be used.

This TTP was designed to emulate Ursnif's discovery and execution capabilities.

Testing

Execute `Are Ursnif malware procedures mitigated on this host?` in Operator on each host in your environment to test if you are vulnerable.

This TTP will copy a benign Windows DLL from System32 to the Desktop and rename it with a second file extension. The TTP then attempts three methods used by Ursnif to execute staged DLLs, `loaddll32.exe`, `rundll32.exe`, and `regsvr32.exe`. Next, the TTP uses `systeminfo.exe` to collect system information and staged it to a temp file in the `%AppData%\Local\Temp`.

Remediation

CISA recommends end-user awareness and training as "Immediate Actions You Can Take Now to Protect Against Malware." Ensure the organization logs process and command-line information, especially from Office and applications that can execute arbitrary code. If possible, disable Office macro execution and remove local administrators from devices.

Check out the TTP Are Ursnif malware procedures mitigated on this host?.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Are Remcos RAT procedures mitigated on this host?