Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-23
  • Author: Teoderick Contreras, Splunk
  • ID: 2bd4aa08-b9a5-40cf-bfe5-7d43f13d496c

Narrative

Remcos or Remote Control and Surveillance, marketed as a legitimate software for remotely managing Windows systems is now widely used in multiple malicious campaigns both APT and commodity malware by threat actors.

Detections

Name Technique Type
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Executables Or Script Creation In Suspicious Path Masquerading TTP
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript TTP
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection TTP
Malicious InProcServer32 Modification Regsvr32, Modify Registry TTP
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Hunting
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Process Deleting Its Process File Path Indicator Removal on Host TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Regsvr32 Silent and Install Param Dll Loading Signed Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline Signed Binary Proxy Execution, Regsvr32 Anomaly
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
Remcos client registry install entry Modify Registry TTP
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious WAV file in Appdata Folder Screen Capture TTP
System Info Gathering Using Dxdiag Application Gather Victim Host Information Hunting
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Winhlp32 Spawning a Process Process Injection TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Reference

  • https://success.trendmicro.com/solution/1123281-remcos-malware-information
  • https://attack.mitre.org/software/S0332/
  • [https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.](https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.)

source | version: 1