Morphisec Labs has detected a new wave of Remcos trojan infections. The theme of the phishing emails is again financial, this time payment remittances purportedly sent from financial institutions. The attacker lures the user into opening a malicious Excel file that supposedly contains “confidential information”, which starts the infection chain.
Morphisec’s analysis has identified several financial services whose branding is used in these phishing campaigns. They include Wells Fargo, FIS Global, and ACH Payment notifications. For example:
Figure 1: Email from Wells Fargo’s CEO with a malicious attachment
This infection contains many stages and largely depends on the C2 server, which stores the required files for each stage.
Figure 2: All stages stored in the C2.
The attacker also uses a password-protected .xls file to lower the detection rate. The password is in the phishing email, and as we can see—password protection helps:
Figure 3: The malicious attachment and first stage detection rate
In this blog post, we analyze the full attack chain used by the attacker and explain how each step works.
What is the Remcos Trojan?
Remcos is a commercial remote access trojan (RAT) developed by BreakingSecurity. Remcos has many capabilities, and a free version is downloadable directly from BreakingSecurity’s website. Morphisec has previously covered Remcos as the payload delivered by Guloader and as the payload of the Babadeda crypter.
The Remcos trojan allows attackers to quickly and easily control an infected computer, steal personal information, and surveil a victim’s activity, all without investing time in developing their own remote administration tool.
The Infection Chain
Figure 4: Infection chain steps
The .xls file writes and executes a new .vbs file. The code inside that file executes a PowerShell command that downloads another .vbs file from a remote server. Once downloaded and saved to disk, PowerShell executes the file. Next, the newly downloaded .vbs file connects to the C2 server again and fetches an encoded PowerShell command. This PowerShell code is responsible for downloading the next stage and decoding it. That stage contains a .NET injector and the final payload. After decoding, PowerShell loads the injector, which injects the final payload, the Remcos RAT.
First Stage: .xls
Steps 2-3 in Figure 4
Figure 5: The malicious .xls file
The .xls file contains Visual Basic macro code that executes once a user opens the file and enables macros. Looking inside the file reveals the logic behind the script.
Figure 6: Main VB function
First, the Visual Basic code reads the PowerShell command into the variable F, a FileSystemObject CLSID into F2, and a second CLSID (Shell.Application) into F3. Next, it creates a new file inside %AppData% using the FileSystemObject created from the CLSID in F2. Finally, it writes F to that file and calls the function that executes it. It does so by creating a Shell.Application object from the second CLSID and running the newly created QAITB.vbs file.
Second Stage: .vbs Executes PowerShell Downloader
Steps 3-5 in Figure 4
Inside QAITB.vbs is a reversed PowerShell command which downloads the next stage and saves it to disk.
Figure 7: .vbs downloader
The malware uses the Shell.Application CLSID again to execute the PowerShell command. The PowerShell command downloads the file from 209.127.19[.]101/win.vbs in this case and saves it as %Temp%\harvest.vbs; it also deletes the previous file at %APPDATA%\QAITB.vbs. (See the IOCs section for more.)
Third Stage: Another .vbs Downloader
Steps 6-7 in Figure 4
The malware continues to communicate with its C2 server, requesting more files. This time the file request is made by harvest.vbs. This .vbs file is responsible for two things:
1. Setting persistence by copying the script file to the Startup folder.
Figure 8: Set persistence by copying the script to the Startup folder
2. Downloading the next stage from the C2 server.
Figure 9: Download and execute the next stage
The malware uses the InternetExplorer class to create a new hidden IE window that navigates to a URL. It then extracts the command from the page’s InnerText.
The next stage is executed using the same Shell.Application CLSID as before:
Figure 10: PowerShell execution from .vbs
Which translates to:
GetObject("new:13709620-C279-11CE-A49E-444553540000").ShellExecute powershell <command>
Fourth Stage: Encoded PowerShell
Steps 8-9 in Figure 4
The downloaded PowerShell command is another encoded command that translates to:
Figure 11: Decoded PowerShell command
Where g is an alias for IEX.
This command checks if the machine has an internet connection by pinging google.com. If so, it communicates with the C2 server again. The next stage is another PowerShell command executed using IEX.
Fifth Stage: PowerShell Unzips Injector and Final Payload
Steps 10-11 in Figure 4
This stage carries two large GZip-compressed blobs and extracts them. The first blob is a .NET injector. The second is the final payload, which is injected into the target process.
The important commands in this stage are:
Figure 12: Final payload injector execution
The malware loads the extracted data located inside $JtpgNId. This is the injector. Once the injector is loaded into memory, the malware calls a toooyou.Black function that injects the payload into RegAsm.exe.
At this point we get the final payload, a Remcos RAT.
Figure 13: Remcos RAT agent initialized message
In this case the configuration of the Remcos trojan is stored as a resource named SETTINGS. It is RC4 encrypted. We can extract the configuration by decrypting it using the following steps:
- Read the first byte in the resource—this is the key length.
- Read the next <key_length> bytes—this is the key.
- Read the rest of the data—this is the encrypted section.
- RC4 decrypt the encrypted section using the key.
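As an added example (not code from the Morphisec post or from any Remcos tooling), the four steps above in Python: a plain RC4 routine plus a parser for the [key length][key][ciphertext] layout of the SETTINGS resource. The sample key and configuration string are constructed placeholders, not values from the analysed sample.

```python
# Added example: parse and RC4-decrypt a Remcos-style SETTINGS resource laid
# out as [key_len:1 byte][key:key_len bytes][ciphertext:rest].
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def split_settings(resource: bytes) -> Tuple[bytes, bytes]:
    """Step 1-3: first byte is the key length, then the key, then ciphertext."""
    if not resource:
        raise ValueError("empty resource")
    key_len = resource[0]
    if key_len == 0 or len(resource) < 1 + key_len:
        raise ValueError("truncated resource or zero-length key")
    return resource[1:1 + key_len], resource[1 + key_len:]


def decrypt_settings(resource: bytes) -> bytes:
    """Step 4: RC4-decrypt the encrypted section with the embedded key."""
    key, ciphertext = split_settings(resource)
    return rc4(key, ciphertext)


def build_settings(key: bytes, plaintext: bytes) -> bytes:
    """Helper used only to fabricate a sample resource for this example."""
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed sample: placeholder key and config, NOT the real sample's values.
SAMPLE_KEY = b"constructed-key"
SAMPLE_CONFIG = b"c2.placeholder.invalid:119|constructed-config-text"
SAMPLE_RESOURCE = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print(decrypt_settings(SAMPLE_RESOURCE).decode())
```

For a real sample, feed the raw bytes of the SETTINGS resource to decrypt_settings() instead of SAMPLE_RESOURCE.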
After extracting the configuration, we can see where the stolen data is sent:
Figure 14: Remcos decrypted configuration
This sample communicates with freshdirect.dvrlists[.]com:119.
How Do You Stop a Remcos Trojan?
A Remcos RAT is just the final component of a lengthy and sophisticated attack chain delivery process. Such attacks use advanced defense evasion techniques to sneak past cybersecurity solutions. These techniques include disabling or uninstalling security tools, and obfuscating or encrypting data and scripts. According to the latest Picus report, defense evasion is now the most popular tactic among malware operators.
Morphisec’s patented Moving Target Defense is the best on the market for preventing defense evasion techniques. Unlike other cybersecurity solutions which focus on detecting known patterns with response playbooks, Morphisec MTD preemptively blocks attacks on memory and applications and remediates the need for response. To find out more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Moving Target Defense: Stopping Ransomware, Zero-Day, and Other Advanced Threats Where NGAV and EDR Are Failing.
Indicators of Compromise (IOCs)
Final Payload (Remcos)