LATEST REMCOS V2.5.0 IS BEING USED BY MALWARE AUTHORS
SonicWall RTDMI ™ engine has recently detected a malware file which is using REMCOS (Remote Control & Surveillance Software) as payload. The malware is delivered to the victim’s computer as an email attachment. Archive file contains the executable file has shown below:
Unavailability of the archive file and Portable Executable (PE) file inside the archive in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs indicates its uniqueness and limited distribution:
PE Static Information:
The malware decrypts and executes highly obfuscated code in multiple layers which makes the analysis of the malware difficult for reverse engineers.
First Layer Execution:
The malware code has thousands of instruction in which only few instructions are real. The malware does not contain any decryption key to decrypt encrypted data; instead it generates the key using a fascinating logic.
The malware picks the initial DWORD of encrypted data as MarkerValue and takes a stack address as KeyValue. Malware keeps performing XOR operation on MarkerValue and KeyValue, decrementing KeyValue by 1 in each iteration until the result value matches to 0x41414141. Now the KeyValue is the actual key to decrypt the second layer code:
The malware decrypts the second layer code using the previously generated decryption key as shown below:
Second Layer Execution:
The malware reads the PEB_LDR_DATA structure from Process Environment Block (PEB) to iterate loaded modules and looks for the MSVBVM60.DLL:
The malware iterates the exports directory of MSVBVM60.DLL and looks for DllFunctionCall Application programming interface (API) by matching initial bytes of the API module. The malware now retrieves address of all required Windows APIs using the DllFunctionCall API.
The malware calls ZwSetInformationThread API by setting ThreadInformationClass argument as ThreadHideFromDebugger which detaches the debugger and terminates the process immediately, if running inside a debugger:
The Malware calls ZwGetContextThread API by setting ContextFlags argument as CONTEXT_DEBUG_REGISTERS. The API gives us the values of debug registers which are used for hardware breakpoints. The malware examines retrieved values and if it finds any hardware breakpoint, it terminates the execution:
Malware iterates in loop checking for hardware breakpoints, software breakpoints and cursor position until cursor position is changed. The malware encrypts the second layer code when it is not in use and decrypts it back when the code needs to be executed.
Bringing REMCOS in action:
The malware contains REMCOS executable’s encrypted bytes in chunks of 97 bytes and uses 0s padding after each chunk. The malware keeps count of padding bytes in a data structure. It brings all encrypted bytes which are contiguous in memory as shown below:
After completing decryption and correcting e_magic field to MZ, the malware loads and start executing the REMCOS executables.
REMCOS designed as Remote Control and Surveillance tool for legitimate purpose but it is being used by malware authors from a few years. Free edition with limited capabilities can be downloaded from the official website as shown below:
REMCOS in Action
REMCOS keeps the configuration information in the resource named as settings. The very first byte tells us the RC4 key size, followed by RC4 key which is further followed by the encrypted configuration information:
REMCOS reads the key from the resource and decrypts configuration data using RC4 algorithm which contains Command and Control (C&C) server’s IP address, port number, password, REMCOS executable’s name and key logging filename etc.:
REMCOS gathers victim’s system information which contains REMCOS executable’s name, computer name, Windows version, RAM information, REMCOS version (2.5.0 Pro), keylogging file path and CPU information etc. REMCOS uses “|cmd|” as delimiter which is as shown below:
Additional capabilities of REMCOS
- Screen Capture
- Remote CommandLine
- Remote Registry Editor
- Download, Upload and Execute files
- Logins cleaner