Remcos RAT v1.3.7 Making Rounds in the Wild, Researchers Say


It’s been a while since we last wrote about RAT-related attacks. However, this is about to change, as a new RAT, Remcos, has been detected being sold on underground forums. First noticed in the second half of 2016, the malicious tool has now been updated and new features have been added.

Image: Fortinet

Its first payload was just recently distributed in the wild, as revealed by Fortinet researchers. The latest version of Remcos is v1.7.3, and it is being sold for $58 to $389, depending on the license period and the maximum number of masters and clients needed, researchers say.

Related: Multi-Purpose AlienSpy RAT Attacks 400,000 International Victims

Remcos RAT 2017 Attacks

Fortinet says it discovered the RAT being distributed with the help of malicious Microsoft Office documents containing macros (filenames Quotation.xls or Quotation.doc). The structure of the documents shows a malicious document macro specifically crafted to bypass Microsoft Windows’ User Account Control (UAC). As a result, the malware is executed with high privileges.

The macro contained within the documents is obfuscated by inserting garbage characters into the actual strings. The macro executes a shell command that downloads and runs the malware.

To execute the downloaded malware with high system privileges, the macro utilizes an already known UAC-bypass technique. It runs the payload through Microsoft’s Event Viewer (eventvwr.exe) by hijacking the registry key (HKCU\Software\Classes\mscfile\shell\open\command) that Event Viewer queries to find the path of the Microsoft Management Console (mmc.exe). Event Viewer simply executes whatever is in that path. Since the macro’s shell command replaces the value of that registry entry with the malware’s location, the malware is executed instead of the legitimate mmc.exe.
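From a defender's side, the useful property of this technique is that the hijacked key lives under HKCU, where it does not exist on a clean system, so any process creating it or writing a value to it is worth an alert. The following is an added example, not code from the article or from Fortinet: it runs a simple detection over Sysmon-style registry events (Event ID 12 key create, Event ID 13 value set) rendered as one JSON object per line. The log lines, the SID, the process images and the payload path are all constructed for the example.

```python
"""Flag registry writes to the key that eventvwr.exe uses to locate mmc.exe.

Added example (not part of the original article). It scans Sysmon-style
registry events serialised one JSON object per line and reports any create
or set-value on HKCU\\Software\\Classes\\mscfile\\shell\\open\\command.
"""
import json
import re

# Key consulted by Event Viewer (via the mscfile class) to find mmc.exe.
# Under HKU/HKCU it is absent on a clean system, so its mere presence is a signal.
HIJACK_KEY_RE = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU)\\Software\\Classes\\mscfile\\shell\\open\\command(?:\\|$)",
    re.IGNORECASE,
)

# Sysmon event IDs that describe registry activity: 12 = key create/delete,
# 13 = value set. Other event types are ignored by this check.
REGISTRY_EVENT_IDS = {12, 13}

# Constructed sample log. SID, paths and the payload name are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 12, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "EventType": "CreateKey", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\mscfile\\shell\\open\\command"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)", "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\PLACEHOLDER_PAYLOAD.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Example\\updater.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Example", "Details": "C:\\Program Files\\Example\\updater.exe"}
"""


def classify(event: dict):
    """Return a finding for a hijack-related registry event, or None."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    target = event.get("TargetObject", "")
    if not HIJACK_KEY_RE.search(target):
        return None
    value = event.get("Details", "")
    # The key should not exist at all, so a key create (no value) is already
    # "medium". A value that points anywhere other than mmc.exe is "high".
    severity = "medium" if (not value or "mmc.exe" in value.lower()) else "high"
    return {
        "severity": severity,
        "image": event.get("Image", ""),
        "target": target,
        "value": value,
    }


def scan(lines):
    """Run classify() over an iterable of JSON lines; skip malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


def scan_sample():
    """Scan the constructed SAMPLE_LOG; returns two findings (medium, high)."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['severity'].upper()}] {f['image']} -> {f['target']} = {f['value']!r}")
```

The check keys on the registry path rather than on the writing process, because the macro's shell command can be launched from cmd.exe, PowerShell or another host. A value that still points at mmc.exe is reported at a lower severity since the key would not exist under HKCU on a clean machine in the first place.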

Related: Obfuscation in Malware – the Key to a Successful Infection

The Remcos RAT only uses the UPX and MPRESS1 packers to compress and obfuscate its server component. However, the sample analyzed by Fortinet revealed an extra, custom packer on top of MPRESS1. No additional obfuscation was found. As for the server component, it was created using the latest Remcos v1.7.3 Pro variant, released on January 23, 2017.
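Both packers named above conventionally leave recognisable section names in the outer PE image (UPX0/UPX1 for UPX, .MPRESS1/.MPRESS2 for MPRESS), which is the cheapest triage signal an analyst has before unpacking. The example below is added here and is not code from the article, from Fortinet or from the Remcos author: it parses the PE section table from a byte buffer, fingerprints the packer from section names, and lists unfamiliar names so a custom or layered packer, like the one Fortinet found on top of MPRESS1, at least shows up as "unrecognised". The `build_pe` helper constructs a minimal, non-executable PE image purely so the example runs offline; it is not a real sample.

```python
"""Fingerprint PE packers from section names.

Added example (not part of the original article). Parses the COFF section
table of a PE image and matches section names against the names commonly
left by UPX and MPRESS. A name match is a hint, not proof: packers can
rename sections, and an extra packer layered on top hides the inner one.
"""
import struct

# Section names commonly produced by the two packers the article mentions.
PACKER_SECTION_SIGNATURES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "MPRESS": {".MPRESS1", ".MPRESS2"},
}

# Names a normal compiler/linker emits; anything else is reported as unfamiliar.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", ".CRT", ".xdata",
}


def parse_section_names(data: bytes):
    """Return the section names of a PE image, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader at +16
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def identify_packers(names):
    """Return the packer labels whose signature sections appear in `names`."""
    present = set(names)
    return [packer for packer, sigs in PACKER_SECTION_SIGNATURES.items() if sigs & present]


def assess(data: bytes):
    """Summarise packer hints and unfamiliar section names for a PE buffer."""
    names = parse_section_names(data)
    return {
        "sections": names,
        "packers": identify_packers(names),
        "unrecognised": [n for n in names if n not in COMMON_SECTION_NAMES
                         and not any(n in s for s in PACKER_SECTION_SIGNATURES.values())],
    }


def build_pe(section_names):
    """Construct a minimal, non-runnable PE image with the given section names.

    Only the headers the parser reads are filled in; this is test scaffolding
    for the example, not a real executable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # 64 bytes
    size_opt = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zero
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for label, names in [("upx", ["UPX0", "UPX1", ".rsrc"]),
                         ("mpress", [".MPRESS1", ".MPRESS2"]),
                         ("custom", [".text", ".data", ".xyz0"])]:
        print(label, assess(build_pe(names)))
```

On a real sample the `assess` function would be fed the file contents; the custom packer Fortinet describes would not match either signature set, and whatever names it uses would land in `unrecognised`, which is exactly the case where an analyst should unpack one layer and look again.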

For full technical disclosure, refer to the official analysis.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

