

The .Net Dll is named GC.dll, as you can see in Figure 6.

According to my analysis, it first dynamically extracts another Dll, named lime.dll, from its resource section. Next, it decompresses the Remcos payload, which is passed to a function called "k78er0sdfffff.o70sdaf45gfg(System.String, Byte)" from lime.dll at the time the function is called. The two passed parameters are shown in "Locals". This Dll is used to perform process hollowing, that is, injecting the Remcos payload into a newly created "RegAsm.exe" process.

Once the function (k78er0sdfffff.o70sdaf45gfg()) is invoked, it looks for "RegAsm.exe" in the following locations on the victim's device:

"C:\\Windows\\Microsoft.NET\\Framework\\v9\\"
"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\"
"C:\\WINDOWS\\syswow64\\WindowsPowerShell\\v1.0\\"
"C:\\WINDOWS\\"
"C:\\WINDOWS\\system32\\"
"C:\\WINDOWS\\syswow64\\"

If it fails to find the file, it exits from PowerShell without running Remcos. In my testing environment, the file was at "C:\Windows\Microsoft.NET\Framework\v9\RegAsm.exe".

As you may know, process hollowing requires several API calls: CreateProcess() with the CREATE_SUSPENDED flag, WriteProcessMemory(), GetThreadContext(), SetThreadContext(), and so on, ending with ResumeThread() on the hijacked main thread. That sequence (a process created suspended, its memory written from another process, then its thread context redirected and resumed) is the behaviour to look for when hunting for hollowing. As shown in Figure 7, lime.dll is about to call the API CreateProcessA() to create a suspended RegAsm.exe process.

Every Remcos sample contains an RC4-encrypted configuration block in its PE resource section, named "SETTINGS", as shown in Figure 8. The first byte, "B1", is the size of the RC4 key that follows (the key is in the red box); the rest of the data is the encrypted Remcos configuration block. The first thing Remcos does is decrypt this configuration block, which is referred to throughout Remcos' lifetime. It contains, but is not limited to, the C2 server information, the name Remcos assigns so the attacker can recognize the victim, the Remcos sub-key name in the registry, the name of the log file used to record the victim's keylogger and clipboard data, many flags telling Remcos which of its features to start on the victim's device, and the authentication data used to establish the connection to the C2 server.

The workflow of Remcos is clear: it starts many threads to perform auto-start work according to the flags defined in the configuration block, such as:

Adding Remcos to the auto-run group in the system registry.

Starting a watchdog program (Remcos' daemon program).
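The SETTINGS resource layout described above (one length byte, the RC4 key, then the ciphertext) is simple enough to turn into a configuration extractor. The code below is an added example written for this page, not code from the Remcos sample or from the original analysis. The resource bytes, the 0xB1-byte key and the placeholder configuration string with its "|" delimiters are constructed for the demonstration (the real field layout is not specified here), and nothing in it locates the resource inside a PE; in practice you would read the raw "SETTINGS" resource bytes with a PE parser and pass them to decrypt_settings().

```python
"""Parse and RC4-decrypt a Remcos-style "SETTINGS" resource blob.

Added illustration for this page, not code from the Remcos sample or from
the original analysis.  Layout as described in the text: byte 0 is the RC4
key length, then the key, then the RC4-encrypted configuration block.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings_resource(blob: bytes) -> tuple[bytes, bytes]:
    """Split a SETTINGS blob into (rc4_key, ciphertext).

    The first byte is the key length (0xB1 = 177 in the sample in Figure 8).
    A blob shorter than its declared key length, or one declaring a zero
    length key, is rejected instead of silently decrypting garbage.
    """
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key length and a key")
    key_len = blob[0]
    if key_len == 0:
        raise ValueError("declared RC4 key length is zero")
    if len(blob) < 1 + key_len:
        raise ValueError(
            f"blob declares a {key_len}-byte key but only {len(blob) - 1} bytes follow"
        )
    return blob[1:1 + key_len], blob[1 + key_len:]


def decrypt_settings(blob: bytes) -> bytes:
    """Return the decrypted Remcos configuration block from a SETTINGS blob."""
    key, ciphertext = parse_settings_resource(blob)
    return rc4(key, ciphertext)


def build_settings_resource(key: bytes, plaintext: bytes) -> bytes:
    """Test fixture helper: encode a blob the way the article describes.

    RC4 is symmetric, so the same routine that decrypts also encrypts.
    """
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed sample, not data from a real sample: a 0xB1-byte key (to match
# the length byte visible in Figure 8) and a placeholder configuration whose
# fields and "|" delimiters are made up purely for illustration.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xFF for i in range(0xB1))
SAMPLE_CONFIG = b"c2.example.invalid:2404|victim-tag|RemcosSubKey|logs.dat|1|0|1"
SAMPLE_RESOURCE = build_settings_resource(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print("key length byte:", SAMPLE_RESOURCE[0])
    print("decrypted config:", decrypt_settings(SAMPLE_RESOURCE))
```

The length-check in parse_settings_resource() matters when the same extractor is run over many samples: a truncated or repacked resource would otherwise decrypt to noise and could be mistaken for a new configuration format.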
