It’s been a while since we last wrote about RAT-related attacks. However, this is about to change as a new RAT, Remcos, has been detected being sold on underground forums. First noticed in the second half of 2016, the malicious tool has now been updated and new features have been added.
Its first payload was just recently distributed in the wild, as revealed by Fortinet researchers. The latest version of Remcos is v1.7.3, and it is being sold for $58-$389, depending on the license period and the maximum number of masters and clients needed, researchers say.
Remcos RAT 2017 Attacks
Fortinet says it discovered the RAT being distributed with the help of malicious Microsoft Office documents containing macros (filenames Quotation.xls or Quotation.doc). The structure of the documents shows a malicious document macro specifically made to bypass Microsoft Windows’ UAC security. As a result, the malware is executed with high privileges.
The macro contained within the documents is obfuscated. Obfuscation is done by adding garbage characters to the actual string. The macro executes a shell command that downloads and runs the particular malware.
To execute the downloaded malware with high system privileges, it utilizes an already known UAC-bypass technique. It attempts to execute it under Microsoft’s Event Viewer (eventvwr.exe) by hijacking a registry key (HKCU\Software\Classes\mscfile\shell\open\command) that Event Viewer queries to find the path of the Microsoft Management Console (mmc.exe). The Event Viewer simply executes whatever is in that path. Since the macro’s shell command replaces the value of that registry entry with the malware’s location, the malware is executed instead of the legitimate mmc.exe.
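The registry hijack described above leaves a clear trace: a value written under the per-user mscfile handler key, which on a clean system normally does not exist at all. The following Python script is an added example (not part of the original article or of Fortinet's analysis) that runs detection logic over a few constructed Sysmon-style "registry value set" (Event ID 13) events and flags writes to that key. The simplified tab-separated event layout, the sample events and the expectation that a legitimate handler points at mmc.exe under the Windows directory are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Key the article names as the one the macro rewrites. Sysmon renders
# per-user hives as HKU\<SID>\..., so we match on the path suffix only.
HIJACKED_KEY = r"Software\Classes\mscfile\shell\open\command"

# Assumption for this example: a legitimate .msc handler launches mmc.exe from
# the Windows directory; any other target written to this key is a hijack.
LEGIT_HANDLER = re.compile(
    r'^"?(?:%SystemRoot%|[A-Za-z]:\\Windows)\\system32\\mmc\.exe', re.IGNORECASE
)

# Constructed sample events in a simplified Sysmon layout: one event per line,
# tab-separated "Field: value" pairs. These are not real captured logs.
SAMPLE_EVENTS = [
    "EventID: 13\tImage: C:\\Windows\\System32\\cmd.exe"
    "\tTargetObject: HKU\\S-1-5-21-1111\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"
    "\tDetails: C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe",
    "EventID: 13\tImage: C:\\Windows\\System32\\svchost.exe"
    "\tTargetObject: HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "\tDetails: C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "EventID: 13\tImage: C:\\Windows\\regedit.exe"
    "\tTargetObject: HKU\\S-1-5-21-2222\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"
    "\tDetails: %SystemRoot%\\system32\\mmc.exe \"%1\" %*",
    "EventID: 1\tImage: C:\\Windows\\System32\\eventvwr.exe\tCommandLine: eventvwr.exe",
]

FIELD_RE = re.compile(r"(\w+): ([^\t]*)")


@dataclass
class Finding:
    severity: str   # "high": handler redirected; "medium": key present but still mmc.exe
    image: str      # process that performed the write
    details: str    # value written (the command Event Viewer would run)


def parse_event(line):
    """Split one tab-separated event line into a field -> value dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a Finding for a value set under the mscfile handler key, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    if HIJACKED_KEY.lower() not in target.lower():
        return None
    details = event.get("Details", "")
    # The key should not exist per-user at all, so even a benign-looking
    # handler is worth review; a non-mmc.exe target is the hijack itself.
    severity = "medium" if LEGIT_HANDLER.match(details) else "high"
    return Finding(severity, event.get("Image", "?"), details)


def scan(lines):
    """Run classify() over every event line and keep the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image} wrote mscfile handler -> {finding.details}")
```

In a real deployment the same rule maps onto a SIEM query over Sysmon Event ID 13 (or Windows Security event 4657 with auditing enabled) where TargetObject ends with the mscfile command key; pairing it with an eventvwr.exe process-creation event shortly afterwards raises confidence that the hijack was actually triggered.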
The Remcos RAT only uses the UPX and MPRESS1 packers to compress and obfuscate its server component. However, the sample analyzed by Fortinet revealed an extra packer, a custom one, on top of MPRESS1. No additional obfuscation was found. As for the server component, it was created using the latest Remcos v1.7.3 Pro variant, released on January 23, 2017.
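Both packers named above tend to leave recognizable section names in the PE section table, which is the first thing a triage analyst checks before deciding whether to unpack a sample. The script below is an added example (not from the article or Fortinet's report) that parses PE headers directly with the standard library and reports which known packer, if any, the section names indicate. The section-name signatures for UPX and MPRESS are taken from general packer knowledge and are an assumption of the example, as is the constructed minimal PE header used as test input; a custom packer layered on top, as in the analyzed sample, would not be caught by name matching alone.

```python
import struct

# Section names the two packers from the article commonly leave behind.
# Assumption of this example, not something the article states.
PACKER_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "MPRESS": {".MPRESS1", ".MPRESS2"},
}


def pe_section_names(data):
    """Return the section names of a PE image, read straight from its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first section header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]       # 8-byte Name field
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def identify_packers(data):
    """Names of known packers whose section names appear in the image."""
    present = set(pe_section_names(data))
    return sorted(p for p, sigs in PACKER_SECTION_NAMES.items() if present & sigs)


def build_sample_pe(section_names):
    """Constructed minimal PE header (not an executable) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    opt_size = 0xE0  # PE32 optional header size; contents zeroed for the sample
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(
        n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names
    )
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    for layout in (["UPX0", "UPX1", ".rsrc"], [".MPRESS1", ".MPRESS2"], [".text", ".data"]):
        print(layout, "->", identify_packers(build_sample_pe(layout)) or "no known packer")
```

Section names are trivially renamed by an attacker, so an empty result means only that no known packer signature was found; high section entropy and a tiny import table are the usual follow-up indicators for a custom packer like the one Fortinet observed.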
For full technical disclosure, refer to the official analysis.