Analytics Story: Remcos

Date: 2021-09-23 ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Why it matters

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Add or Set Windows Defender Exclusion	Disable or Modify Tools, Impair Defenses	TTP
Detect Outlook exe writing a zip file	Phishing, Spearphishing Attachment	TTP
Disabling Remote User Account Control	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Jscript Execution Using Cscript App	Command and Scripting Interpreter, JavaScript	TTP
Loading Of Dynwrapx Module	Process Injection, Dynamic-link Library Injection	TTP
Malicious InProcServer32 Modification	Regsvr32, Modify Registry	TTP
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Office Document Executing Macro Code	Phishing, Spearphishing Attachment	TTP
Office Product Spawn CMD Process	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Windows Script Host	Phishing, Spearphishing Attachment	TTP
Possible Browser Pass View Parameter	Credentials from Web Browsers, Credentials from Password Stores	Hunting
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools, Impair Defenses	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Process Writing DynamicWrapperX	Command and Scripting Interpreter, Component Object Model	Hunting
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Regsvr32 Silent and Install Param Dll Loading	System Binary Proxy Execution, Regsvr32	Anomaly
Regsvr32 with Known Silent Switch Cmdline	System Binary Proxy Execution, Regsvr32	Anomaly
Remcos client registry install entry	Modify Registry	TTP
Remcos RAT File Creation in Remcos Folder	Screen Capture	TTP
Suspicious Image Creation In Appdata Folder	Screen Capture	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process Executed From Container File	Malicious File, Masquerade File Type	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious WAV file in Appdata Folder	Screen Capture	TTP
System Info Gathering Using Dxdiag Application	Gather Victim Host Information	Hunting
Vbscript Execution Using Wscript App	Visual Basic, Command and Scripting Interpreter	TTP
Windows Defender Exclusion Registry Entry	Disable or Modify Tools, Impair Defenses	TTP
Windows ISO LNK File Creation	Spearphishing Attachment, Phishing, Malicious Link, User Execution	Hunting
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment, Phishing	Hunting
Winhlp32 Spawning a Process	Process Injection	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Powershell Script Block Logging 4104	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 7	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4663	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://success.trendmicro.com/solution/1123281-remcos-malware-information
https://attack.mitre.org/software/S0332/
[https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.](https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.)

Source: GitHub | Version: 1