Derin Analiz - RemcosRAT | Tehdit: KRITIK

Archivo Kimligi

SHA25640079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
Tamaño514,188 byte PE32 x86, TLS found, 6 section
UreticiBreakingSecurity.net (Remcos resmi satici sitesi)

RemcosRAT Kimlik Dogrulama

REMCOS: BreakingSecurity.net tarafindan satilan uzaktan erisim araci. Kriminal aktörler tarafindan yaygin kullanim!
Remcos v[surum]        <- surum bilgisi\nRemcos Agent initialized ( <- ajan baslangic mesaji\nRemcos restarted by watchdog! <- watchdog surecu\nBreakingSecurity.net   <- resmi Remcos gelistirici/satici sitesi

Yetenekler

KEYLOGGER:\n  Keylogger initialization failure: error\n  GetAsyncKeyState / SetWindowsHookEx\n\nCLIPBOARD:\n  GetClipboardData / EmptyClipboard\n  [End of clipboard]\n\nSES YAKALAMA:\n  d alias audio   <- MCI WinMM ses komutlari\n  close audio\n\nSCREENSHOT:\n  BitBlt          <- ekran goruntulu alma

Process Hollowing (Enjeksiyon)

NtUnmapViewOfSection  <- process memory bosalt (process hollowing)\nWriteProcessMemory    <- payload yaz\nSetThreadContext      <- thread baslangic noktasini degistir\n\n=> Process Hollowing ile mesbru surecler (svchost.exe vb.) icine gizlenir

UAC Atlatma + Persistence

UAC Bypass:\n  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\n  /v EnableLUA /t REG_DWORD /d 0 <- UAC tamamen devre disi!\n\nPersistence:\n  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\n  Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\n\nC2 Sifrelemesi:\n  BCryptGenRandom / TLS13-AES128-GCM-SHA256\n  RSA Private Key embed -> C2 iletisimi TLS 1.3 ile sifrelenir\n  pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2 <- coğrafi konum API

Tarayici Kimlik Bilgisi Hirsizligi

\AppData\Local\Google\Chrome\User Data\Default\Login Data\nRecoverCookies <- tarayici cerez kurtarma\nCookies        <- web oturumu calma

IOC

SHA25640079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
RATRemcosRAT (BreakingSecurity.net)
EnjeksiyonProcess Hollowing (NtUnmapViewOfSection)
UACEnableLUA=0 Registry bypass
YeteneklerKeylogger, Clipboard, Audio, Screenshot, Chrome cookies

RemcosRAT — Perfil del malware

RemcosRAT - BreakingSecurity.net tarafindan lisansli satilan uzaktan erisim araci. Mesbru pentesting araci olarak satilsa da kriminal aktörler tarafindan yaygin kullanilir. Process hollowing, keylogger, clipboard/audio/screenshot izleme, Chrome kimlik bilgisi hirsizligi, UAC bypass, TLS 1.3 sifreli C2.

Tipo de malware
RAT
Lenguaje de programación
C++
Protocolo C2
TCP/RC4
Sistemas objetivo
Windows
También conocido como (AKA)
Remcos, Breaking-Security

Detalles técnicos

TCP port 2404 (varsayilan), RC4 veya XOR sifreleme, C++ ile gelistirilmis, PE injection, UAC bypass (CMSTPLUA), AMSI bypass, Anti-debug (GetTickCount/RDTSC), DGA destekli C2, Keylogger, Screenshot, Audio

Atribución / Actor de amenaza

Breaking Security firmasinin isvicre tabanli olmasi nedeniyle ilk gelistirme AB'de gerceklestirilmistir; ancak surekli dunya genelinde siber suclu topluluklari tarafindan kullanilmaktadir.

Capacidades y comportamiento

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Lista IOC (1 indicadores)

IOC — RemcosRAT
# SHA256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
TipoValorNota
sha256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1

Servidores C2 (8 servidores registrados para esta familia)

Dirección Tipo Puerto Protocolo Estado País
breakingsecurity.net domain &mdash; TCP active &mdash;
breakingsecurity.net domain &mdash; TCP active &mdash;
breakingsecurity.net domain &mdash; TCP active &mdash;
paint.net domain &mdash; TCP active &mdash;
americanshippingline.com domain &mdash; TCP active &mdash;
purl.org domain &mdash; TCP active &mdash;
adobe.com domain &mdash; TCP active &mdash;
paint.net domain &mdash; TCP active &mdash;

Las direcciones C2 se proporcionan únicamente a partir de muestras de malware verificadas manualmente por el equipo KEYDAL. Se prohíbe el uso comercial.

Etiquetas
remcos-rat-breakingsecurity-net-sellerprocess-hollowing-ntunmapviewofsectionuac-bypass-enablelua-registrykeylogger-getasynckey-hookclipboard-getclipboarddata-monitoraudio-capture-winmm-mci-aliasscreenshot-bitblt-capturechrome-login-data-cookie-thefttls13-aes128-gcm-sha256-c2bcryptgenrandom-rsa-private-keypro-ip-api-com-geolocationwatchdog-restart-persistence