After receiving numerous improvements, a Remote Administration Tool (RAT) that emerged last year on hacking forums was recently observed in live attacks, Fortinet security researchers reveal.
Dubbed Remcos, the RAT was put up for sale during the second half of 2016 and is currently available starting at $58 and going up to $389, depending on the selected license period and number of "masters" or clients. Available as version 1.7.3 at the moment, the malware is distributed via malicious Office documents named Quotation.xls or Quotation.doc, supposedly delivered via email.
The malicious documents include obfuscated macros designed to call shell commands to bypass User Account Control (UAC) and execute the malware with elevated privileges, researchers say. Abusing Event Viewer (eventvwr.exe) for privilege escalation, the UAC-bypass technique has been adopted by various threats recently, including ransomware.
The Remcos RAT itself offers only the UPX and MPRESS1 packers to compress and obfuscate its server component, yet the analyzed sample carried an extra custom packer layered on top of MPRESS1; no obfuscation beyond this was found. The server component was built from the latest Remcos v1.7.3 Pro variant, which was released on Jan. 23, 2017, according to the developer’s website.
The code also revealed the commands that the server can carry out, all of which are also included in the free, stripped-down client version available through the developer’s website. The Remcos Client features five main tabs, each with specific functions, namely Connections, Automatic Tasks, Local Settings, Builder, and Event Log.
Through the Connections tab, one can monitor all active connections and can view basic information on the installed server component and the infected system for each of them, Fortinet explains. What’s more, this tab allows the sending of commands to the infected system, allowing an actor to take screenshots of the targeted machine, search for files, view running processes, execute commands, log keystrokes, steal passwords, access the webcam and microphone, download and execute code, and more.
While most of the commands are common to RATs, the Automatic Tasks tab in Remcos is a feature new to applications in this category. Through it, the server component can be configured to automatically execute functions without any manual action from the client once a connection has been established. Through this feature, an actor can easily create an infiltrate-exfiltrate-exit scheme that doesn’t require manual triggers, something usually seen in spyware or malware downloaders, the security researchers say.
The Local Settings tab provides access to settings for the client side, allowing an attacker to set which ports on the client machine the server should connect to, as well as the passwords that should be used. The same password is required on both the listening port and the connecting server, because Remcos uses it both for authentication and as the key for encrypting network traffic with a simple RC4 algorithm.
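As an added illustration (not Fortinet's analysis code, and not the Remcos protocol, whose message format the article does not describe), the Python below shows why a shared password used directly as the RC4 key is a weak design: every session reuses the same keystream, so captured sessions can be related to each other without the password, and once the password is recovered from a sample's configuration the whole capture decrypts. The password and beacon strings are constructed for the demo.

```python
# Added example: textbook RC4 with a shared password as the raw key.
# The "beacon" strings and password below are constructed for the demo;
# they are not Remcos' real wire format or any real configuration value.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is XOR with the keystream, so encrypt and decrypt are the same op."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(password: bytes, msg1: bytes, msg2: bytes) -> bytes:
    """XOR of two ciphertexts under one password equals XOR of the plaintexts,
    so an analyst can relate sessions without knowing the password at all."""
    return xor(rc4(password, msg1), rc4(password, msg2))

def decrypt_with_recovered_password(password: bytes, captured: bytes) -> bytes:
    """Once the password is pulled from a sample's config, every connection
    protected by it decrypts, because the same key is used for all of them."""
    return rc4(password, captured)

if __name__ == "__main__":
    PASSWORD = b"constructed-demo-password"        # constructed value
    M1 = b"INFO|HOST-A|Windows 10|1.7.3"          # constructed sample beacons
    M2 = b"INFO|HOST-B|Windows 7 |1.7.3"
    leak = keystream_reuse_leak(PASSWORD, M1, M2)
    assert leak == xor(M1, M2)
    print("ciphertext XOR reveals plaintext XOR:", leak[:10].hex())
    print(decrypt_with_recovered_password(PASSWORD, rc4(PASSWORD, M1)))
```

The first check needs no key at all, which is what makes a fixed password-as-key scheme so fragile against passive traffic analysis.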
The Builder tab allows wannabe criminals to customize the parameters of the server binary. This tab features a series of sub-sections, including Connection (to set client IP addresses and ports for the server to connect to upon installation), Installation (to set the installation path, autorun registry entries, and a watchdog module, along with a UAC bypass), Stealth (to set system tray icon behavior and basic anti-analysis/anti-sandbox routines), Keylogger (to set basic keylogger functions and an option to remove browser cookies and stored passwords), Surveillance (to set the option to take screenshots periodically or when specific windows are active), and Build (to pack the server binary using UPX and MPRESS).
“It is possible that the attacker only used the document macro as a template to download and execute the binary, and never intended to use the script’s UAC bypass since the server binary itself already has the same function. In fact, it uses the same UAC bypass technique, but this time with an added routine to revert the modified registry after gaining privilege. This is logical, because not restoring the registry can produce system errors that can cause suspicion from the user every time an .msc file needs to be opened,” the researchers say.
The Event Log tab was meant to display connection logs with the server, as well as information regarding the client’s status (updates, ports, etc.). There is also an About tab, which contains acknowledgements and some promotions on other products by an author named Viotto.
Fortinet also points out that this RAT once again shows that one doesn’t have to be an expert to launch fairly sophisticated malware attacks: “More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks.”
Remcos’ author supposedly attempts to discourage malicious usage of the tool by means of license bans, but only if such misuse is reported. According to Fortinet, such claims are often “nothing but a false shield” that RAT authors use to protect themselves from liability when the application is exposed as a full-blown malware builder.