
Description

Leverage searches that allow you to detect and investigate unusual activity that might relate to the Remcos RAT trojan, including file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence, and data collection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-23
  • Author: Teoderick Contreras, Splunk
  • ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c

Narrative

Remcos, or Remote Control and Surveillance, marketed as legitimate software for remotely managing Windows systems, is now widely used by threat actors in multiple malicious campaigns, both APT and commodity malware.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | TTP |
| Malicious InProcServer32 Modification | Regsvr32, Modify Registry | TTP |
| Process Deleting Its Process File Path | Indicator Removal on Host | TTP |
| Process Writing DynamicWrapperX | Command and Scripting Interpreter, Component Object Model | Hunting |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Remcos RAT File Creation in Remcos Folder | Screen Capture | TTP |
| Remcos client registry install entry | Modify Registry | TTP |
| Suspicious Image Creation In Appdata Folder | Screen Capture | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious WAV file in Appdata Folder | Screen Capture | TTP |
| Vbscript Execution Using Wscript App | Visual Basic, Command and Scripting Interpreter | TTP |
| Winhlp32 Spawning a Process | Process Injection | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP |

Reference

  • https://success.trendmicro.com/solution/1123281-remcos-malware-information
  • https://attack.mitre.org/software/S0332/
  • https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.

source | version: 1