Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Three

Part three: Configuration and commands


In previous articles in this multipart series, malware researchers on the Elastic Security Labs team analyzed REMCOS execution flow, detailing its recording capabilities and its communication with C2. In this article, you’ll learn more about REMCOS configuration structure and its C2 commands.

The configuration

In this section, we provide a comprehensive overview of the configuration fields of the malware.

Configuration Table

Researchers successfully recovered approximately 80% of the configuration structure (45 out of 56 fields). The recovered fields are detailed in the following table:

| Index | Name | Description |
|---|---|---|
| 0x0 | c2_list | String containing "domain:port:enable_tls" entries separated by the "\x1e" character |
| 0x1 | botnet | Name of the botnet |
| 0x2 | connect_interval | Interval in seconds between connection attempts to the C2 |
| 0x3 | enable_install_flag | Install REMCOS on the host machine |
| 0x4 | enable_hkcu_run_persistence_flag | Enable setup of the persistence in the registry |
| 0x5 | enable_hklm_run_persistence_flag | Enable setup of the persistence in the registry |
| 0x7 | keylogger_maximum_file_size | Maximum size of the keylogging data before rotation |
| 0x8 | enable_hklm_policies_explorer_run_flag | Enable setup of the persistence in the registry |
| 0x9 | install_parent_directory | Parent directory of the install folder. Integer mapped to a hardcoded path |
| 0xA | install_filename | Name of the REMCOS binary once installed |
| 0xC | enable_persistence_directory_and_binary_hidding_flag | Enable super hiding of the install directory and binary, and set them to read-only |
| 0xD | enable_process_injection_flag | Enable running the malware injected into another process |
| 0xE | mutex | String used as the malware mutex and registry key |
| 0xF | keylogger_mode | Keylogging mode: 0 = disabled, 1 = keylog everything, 2 = keylog specific window(s) |
| 0x10 | keylogger_parent_directory | Parent directory of the keylogging folder. Integer mapped to a hardcoded path |
| 0x11 | keylogger_filename | Filename of the keylogged data |
| 0x12 | enable_keylogger_file_encryption_flag | Enable RC4 encryption of the keylogger data file |
| 0x13 | enable_keylogger_file_hidding_flag | Enable super hiding of the keylogger data file |
| 0x14 | enable_screenshot_flag | Enable screen recording capability |
| 0x15 | screenshot_interval_in_minutes | Time interval in minutes between screenshots |
| 0x16 | enable_screenshot_specific_window_names_flag | Enable screen recording for specific window names |
| 0x17 | screenshot_specific_window_names | String containing window names separated by the ";" character |
| 0x18 | screenshot_specific_window_names_interval_in_seconds | Time interval in seconds between screenshots while a specific window name is found in the current foreground window title |
| 0x19 | screenshot_parent_directory | Parent directory of the screenshot folder. Integer mapped to a hardcoded path |
| 0x1A | screenshot_folder | Name of the screenshot folder |
| 0x1B | enable_screenshot_encryption_flag | Enable encryption of screenshots |
| 0x23 | enable_audio_recording_flag | Enable audio recording capability |
| 0x24 | audio_recording_duration_in_minutes | Duration in seconds of each audio recording |
| 0x25 | audio_record_parent_directory | Parent directory of the audio recording folder. Integer mapped to a hardcoded path |
| 0x26 | audio_record_folder | Name of the audio recording folder |
| 0x27 | disable_uac_flag | Disable UAC in the registry |
| 0x28 | logging_mode | Logging mode: 0 = disabled, 1 = minimized in tray, 2 = console logging |
| 0x29 | connect_delay_in_second | Delay in seconds before the first connection attempt to the C2 |
| 0x2A | keylogger_specific_window_names | String containing window names separated by the ";" character |
| 0x2B | enable_browser_cleaning_on_startup_flag | Enable cleaning of web browsers' cookies and logins on REMCOS startup |
| 0x2C | enable_browser_cleaning_only_for_the_first_run_flag | Enable web browser cleaning only on the first run of REMCOS |
| 0x2D | browser_cleaning_sleep_time_in_minutes | Sleep time in minutes before cleaning the web browsers |
| 0x2E | enable_uac_bypass_flag | Enable UAC bypass capability |
| 0x30 | install_directory | Name of the install directory |
| 0x31 | keylogger_root_directory | Name of the keylogger directory |
| 0x32 | enable_watchdog_flag | Enable watchdog capability |
| 0x34 | license | License serial |
| 0x35 | enable_screenshot_mouse_drawing_flag | Enable drawing the mouse cursor on each screenshot |
| 0x36 | tls_raw_certificate | Certificate in raw format used for TLS-enabled C2 communication |
| 0x37 | tls_key | Key of the certificate |
| 0x38 | tls_raw_peer_certificate | C2 public certificate in raw format |

Integer to path mapping

REMCOS uses a custom integer-to-path mapping for some of its "parent directory" fields instead of a string provided by the operator.

The mapping is detailed below:

| Value | Path |
|---|---|
| 0 | %Temp% |
| 1 | Current malware directory |
| 2 | %SystemDrive% |
| 3 | %WinDir% |
| 4 | %WinDir%//SysWOW64 |
| 5 | %ProgramFiles% |
| 6 | %AppData% |
| 7 | %UserProfile% |
| 8 | %ProgramData% |

Configuration extraction, an inside perspective

We enjoy building tools, and we'd like to take this opportunity to provide some insight into the type of tools we develop to aid in our analysis of malware families like REMCOS.

We developed a configuration extractor called "conf-tool", which not only extracts and unpacks the configuration from a given sample but can also repackage it with modifications.

First, we unpack the configuration.

The configuration is saved to the disk as a JSON document, with each field mapped to its corresponding type.

We then replace every domain in the C2 list with the IP address of our C2 emulator, so that the sample initiates communication with it.

We also set the logging mode to console (2):

Once we're done, repack everything:

And voilà, we have the console, and the sample attempts to connect to our emulator!

We are releasing a REMCOS malware configuration extractor that includes some of these features.
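The decoding and repacking steps described above, written out as an added example (this is not conf-tool or any other Elastic Security Labs code). It assumes the decrypted configuration has already been split into per-index field strings (how the blob is split is not covered here), that flags are stored as "1"/"0", and that the third element of a C2 entry is "1" when TLS is enabled; the sample field values are constructed. It covers the "c2_list" format and the integer-to-path mapping from the tables above, emits the typed JSON view, and shows the same two modifications made with conf-tool: redirecting every C2 entry to an emulator host and switching logging to console mode.

```python
import json

# Integer-to-path mapping used by the "parent directory" fields (table above).
PARENT_DIR_PATHS = {
    0: "%Temp%",
    1: "Current malware directory",
    2: "%SystemDrive%",
    3: "%WinDir%",
    4: "%WinDir%//SysWOW64",
    5: "%ProgramFiles%",
    6: "%AppData%",
    7: "%UserProfile%",
    8: "%ProgramData%",
}

# Subset of the configuration table: index -> (field name, how to decode it).
FIELD_TYPES = {
    0x0: ("c2_list", "c2_list"),
    0x1: ("botnet", "str"),
    0x2: ("connect_interval", "int"),
    0x3: ("enable_install_flag", "flag"),
    0x9: ("install_parent_directory", "path_index"),
    0xA: ("install_filename", "str"),
    0xE: ("mutex", "str"),
    0xF: ("keylogger_mode", "int"),
    0x10: ("keylogger_parent_directory", "path_index"),
    0x28: ("logging_mode", "int"),
}

C2_ENTRY_SEPARATOR = "\x1e"  # separator between "domain:port:enable_tls" entries


def parse_c2_list(raw):
    """Split the c2_list field into dicts. Assumption: enable_tls is "1" when on."""
    entries = []
    for item in raw.split(C2_ENTRY_SEPARATOR):
        if not item:
            continue
        host, port, tls = item.rsplit(":", 2)  # rsplit keeps hosts with ':' intact
        entries.append({"host": host, "port": int(port), "tls": tls == "1"})
    return entries


def encode_c2_list(entries):
    """Inverse of parse_c2_list, used when repacking a modified configuration."""
    return C2_ENTRY_SEPARATOR.join(
        f"{e['host']}:{e['port']}:{1 if e['tls'] else 0}" for e in entries
    )


def decode_config(fields):
    """Map raw field strings (index -> str) to typed values keyed by field name."""
    config = {}
    for index, (name, kind) in FIELD_TYPES.items():
        raw = fields.get(index)
        if raw is None:
            continue
        if kind == "c2_list":
            config[name] = parse_c2_list(raw)
        elif kind == "int":
            config[name] = int(raw)
        elif kind == "flag":
            config[name] = raw == "1"  # assumption: flags are stored as "1"/"0"
        elif kind == "path_index":
            config[name] = PARENT_DIR_PATHS.get(int(raw), f"unknown({raw})")
        else:
            config[name] = raw
    return config


def redirect_to_emulator(config, emulator_ip, logging_mode=2):
    """Return a copy pointing every C2 entry at an analysis host, with console logging on."""
    patched = dict(config)
    patched["c2_list"] = [dict(e, host=emulator_ip) for e in config["c2_list"]]
    patched["logging_mode"] = logging_mode
    return patched


# Constructed sample fields; none of these values come from a real sample.
SAMPLE_FIELDS = {
    0x0: "c2.example.invalid:2404:1\x1ebackup.example.invalid:8080:0",
    0x1: "constructed-botnet",
    0x2: "1",
    0x3: "1",
    0x9: "6",
    0xA: "payload.exe",
    0xE: "constructed-mutex",
    0xF: "1",
    0x10: "0",
    0x28: "0",
}

if __name__ == "__main__":
    cfg = decode_config(SAMPLE_FIELDS)
    print(json.dumps(cfg, indent=2))
    patched = redirect_to_emulator(cfg, "10.0.0.5")
    print(repr(encode_c2_list(patched["c2_list"])))
```

The JSON view is what an analyst diffs between samples; the encode step is what a repacker needs before the blob is re-encrypted, which is outside the scope of this example.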

C2 commands

In this section, we list all the commands we reversed that the Command and Control (C2) can execute, and provide additional details for a select subset of them.

Command table

Researchers recovered approximately 95% of the commands (74 out of 78). The recovered commands are listed in the following table:

| Function | Name |
|---|---|
| 0x1 | HeartBeat |
| 0x2 | DisableKeepAlive |
| 0x3 | ListInstalledApplications |
| 0x6 | ListRunningProcesses |
| 0x7 | TerminateProcess |
| 0x8 | ListProcessesWindows |
| 0x9 | CloseWindow |
| 0xA | ShowWindowMaximized |
| 0xB | ShowWindowRestore |
| 0xC | TerminateProcessByWindowHandleAndListProcessesWindows |
| 0xD | ExecuteShellCmd |
| 0xE | StartPipedShell |
| 0xF | ExecuteProgram |
| 0x10 | MaybeUploadScreenshots |
| 0x11 | GetHostGeolocation |
| 0x12 | GetOfflineKeyloggerInformation |
| 0x13 | StartOnlineKeylogger |
| 0x14 | StopOnlineKeylogger |
| 0x15 | MaybeSetKeyloggerNameAndUploadData |
| 0x16 | UploadKeyloggerData |
| 0x17 | DeleteKeyloggerDataThenUploadIfAnythingNewInbetween |
| 0x18 | CleanBrowsersCookiesAndLogins |
| 0x1B | StartWebcamModule |
| 0x1C | StopWebcamModule |
| 0x1D | EnableAudioCapture |
| 0x1E | DisableAudioCapture |
| 0x1F | StealPasswords |
| 0x20 | DeleteFile |
| 0x21 | TerminateSelfAndWatchdog |
| 0x22 | Uninstall |
| 0x23 | Restart |
| 0x24 | UpdateFromURL |
| 0x25 | UpdateFromC2 |
| 0x26 | MessageBox |
| 0x27 | ShutdownOrHibernateHost |
| 0x28 | UploadClipboardData |
| 0x29 | SetClipboardToSpecificData |
| 0x2A | EmptyClipboardThenUploadIfAnythingInbetween |
| 0x2B | LoadDllFromC2 |
| 0x2C | LoadDllFromURL |
| 0x2D | StartFunFuncModule |
| 0x2F | EditRegistry |
| 0x30 | StartChatModule |
| 0x31 | SetBotnetName |
| 0x32 | StartProxyModule |
| 0x34 | ManageService |
| 0x8F | SearchFile |
| 0x92 | SetWallpaperFromC2 |
| 0x94 | SetWindowTextThenListProcessesWindow |
| 0x97 | UploadDataFromDXDiag |
| 0x98 | FileManager |
| 0x99 | ListUploadScreenshots |
| 0x9A | DumpBrowserHistoryUsingNirsoft |
| 0x9E | TriggerAlarmWav |
| 0x9F | EnableAlarmOnC2Disconnect |
| 0xA0 | DisableAlarmOnC2Disconnect |
| 0xA2 | DownloadAlarmWavFromC2AndOptPlayIt |
| 0xA3 | AudioPlayer |
| 0xAB | ElevateProcess |
| 0xAC | EnableLoggingConsole |
| 0xAD | ShowWindow |
| 0xAE | HideWindow |
| 0xB2 | ShellExecuteOrInjectPEFromC2OrURL |
| 0xC5 | RegistrySetHlightValue |
| 0xC6 | UploadBrowsersCookiesAndPasswords |
| 0xC8 | SuspendProcess |
| 0xC9 | ResumeProcess |
| 0xCA | ReadFile |
| 0xCB | WriteFile |
| 0xCC | StartOfflineKeylogger |
| 0xCD | StopOfflineKeylogger |
| 0xCE | ListProcessesTCPandUDPTables |

ListInstalledApplications command

To list installed applications, REMCOS iterates over the Software\Microsoft\Windows\CurrentVersion\Uninstall registry key. For each subkey, it queries the following values:

  • DisplayName
  • Publisher
  • DisplayVersion
  • InstallLocation
  • InstallDate
  • UninstallString

ExecuteShellCmd command

Shell commands are executed using the ShellExecuteW API with cmd.exe /C {command} as arguments.

GetHostGeolocation command

To obtain host geolocation, REMCOS utilizes the geoplugin.net API and directly uploads the returned JSON data.

StartOnlineKeylogger command

The online keylogger employs the same keylogger structure as the offline version. However, instead of writing the data to the disk, the data is sent live to the C2.

StartWebcamModule command

REMCOS uses an external module for webcam recording. This module is a DLL that must be received and loaded from its C2 as part of the command parameters.

Once the module is loaded, the operator can send a sub-command to capture and upload a webcam picture.

StealPasswords command

Password stealing is likely carried out using three different Nirsoft binaries, identified by the "/stext" parameter. These binaries are received from the C2 and injected into a freshly created process. Both elements are supplied as part of the command parameters.

The /stext parameter instructs the software to write its output to a file. Each output filename is randomly generated and stored in the malware installation folder; once their contents are read and uploaded to the C2, the files are deleted.

An additional DLL, with a FoxMailRecovery export, can also be used. Like the other binaries, the DLL is received from the C2 as part of the command parameters. As the name implies, the DLL is likely used to dump FoxMail data.

Uninstall command

The Uninstall command deletes all REMCOS-related files and persistence registry keys from the host machine.

First, it kills the watchdog process.

Then, it deletes all the recording files (keylogging, screenshots, and audio recordings).

Then, it deletes its registry persistence keys.

Finally, it deletes its installation files by creating and executing a Visual Basic script in the %TEMP% folder with a random filename, then terminates its process.

Below is the generated script, with comments.

' Continue execution even if an error occurs
On Error Resume Next

' Create a FileSystemObject
Set fso = CreateObject("Scripting.FileSystemObject")

' Loop while the specified file exists
while fso.FileExists("C:\Users\Cyril\Desktop\corpus\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe")

' Delete the specified file
fso.DeleteFile "C:\Users\Cyril\Desktop\corpus\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe"

' End of the loop
wend

' Delete the script itself
fso.DeleteFile(Wscript.ScriptFullName)

Restart command

The Restart command kills the watchdog process and restarts the REMCOS binary using a generated Visual Basic script.

Below is the generated script with comments.

' Create a WScript.Shell object and run a command in the command prompt
' The command runs the specified .exe file
' The "0" argument means the command prompt window will not be displayed
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\Cyril\Desktop\corpus\0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5.exe""", 0

' Create a FileSystemObject and delete the script itself
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
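A defender-side classifier for the two generated scripts above (Uninstall and Restart), written as an added example; it is not Elastic Security Labs code. It matches the structural traits visible in the scripts rather than any particular path: a self-deleting `DeleteFile(Wscript.ScriptFullName)` call, a `while FileExists ... DeleteFile ... wend` loop over one target, and a hidden `cmd /c` launch via `WScript.Shell.Run` with window style 0. The three sample scripts are constructed, with placeholder paths instead of real sample hashes; a script found in %TEMP% with a random name that matches one of these shapes is worth pulling for triage.

```python
import re

# Constructed sample scripts modelled on the two generated scripts shown above.
UNINSTALL_SAMPLE = '''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\\ProgramData\\example\\payload.exe")
fso.DeleteFile "C:\\ProgramData\\example\\payload.exe"
wend
fso.DeleteFile(Wscript.ScriptFullName)
'''

RESTART_SAMPLE = '''CreateObject("WScript.Shell").Run "cmd /c ""C:\\ProgramData\\example\\payload.exe""", 0
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
'''

# A benign script using the same FileSystemObject, to show the classifier stays quiet.
BENIGN_SAMPLE = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\\logs\\report.txt", 1)
WScript.Echo f.ReadAll
'''

# The script deletes itself: common to both generated scripts.
SELF_DELETE = re.compile(r"DeleteFile\s*\(?\s*WScript\.ScriptFullName", re.I)

# Uninstall shape: loop on FileExists(<target>) and DeleteFile <same target> until wend.
DELETE_LOOP = re.compile(
    r'while\s+\w+\.FileExists\((?P<target>"[^"]+")\).*?\.DeleteFile\s+(?P=target).*?\bwend\b',
    re.I | re.S,
)

# Restart shape: WScript.Shell.Run of cmd /c "<target>" with window style 0 (hidden).
HIDDEN_RUN = re.compile(r'\.Run\s+"cmd\s*/c\s*""(?P<target>[^"]+)""",\s*0', re.I)


def classify_vbs(text):
    """Return the REMCOS script shapes found in a VBScript body (empty if none)."""
    labels = []
    if not SELF_DELETE.search(text):
        return labels  # both generated scripts delete themselves; nothing else to check
    if DELETE_LOOP.search(text):
        labels.append("uninstall_script")
    if HIDDEN_RUN.search(text):
        labels.append("restart_script")
    return labels


def extract_target(text):
    """Return the executable path the script deletes or launches, if recognised."""
    match = DELETE_LOOP.search(text) or HIDDEN_RUN.search(text)
    return match.group("target").strip('"') if match else None


def scan_scripts(scripts):
    """Classify a {name: body} mapping; only scripts with findings are reported."""
    findings = {}
    for name, body in scripts.items():
        labels = classify_vbs(body)
        if labels:
            findings[name] = {"labels": labels, "target": extract_target(body)}
    return findings


if __name__ == "__main__":
    report = scan_scripts({
        "rnd1.vbs": UNINSTALL_SAMPLE,
        "rnd2.vbs": RESTART_SAMPLE,
        "report.vbs": BENIGN_SAMPLE,
    })
    for name, finding in report.items():
        print(name, finding)
```

The `target` value is the interesting pivot for an investigation: for both shapes it is the path of the REMCOS binary, which can be checked against the install_parent_directory and install_filename fields recovered from the configuration.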

DumpBrowserHistoryUsingNirsoft command

Like the StealPasswords command, the DumpBrowserHistoryUsingNirsoft command steals browser history using what is likely another Nirsoft binary, received from the C2 as part of the command parameters. Again, we identify the binary as a Nirsoft tool because of the /stext parameter.

ElevateProcess command

The ElevateProcess command, if the process isn't already running with administrator privileges, sets the HKCU/SOFTWARE/{mutex}/elev registry value and restarts the malware using the same method as the Restart command.

Upon restart, REMCOS checks for the elev value as part of its initialization phase. If the value exists, it deletes it and uses its UAC bypass feature to elevate its privileges.

That's the end of the third article. In the final part, we'll cover detection and hunting strategies for REMCOS using Elastic technologies.