Research by: Kobi Eisenkraft, Moshe Hayun, published June 19th 2019
Introduction
During the first week of June 2019, Check Point researchers encountered a new, large-scale phishing campaign targeting German companies across all industries. The hacker’s goal was to install Remcos – a remote control tool – on the victims’ computers.
Attack Flow
The attackers initially sent fake emails that appeared to be from several legitimate companies across Germany. These emails contained invoices or urgent order attachments which were actually Remcos archives attempting to connect with the attacker’s command and control (C&C) server.
The attachment is usually an archive containing an executable disguised as a PDF or other document file. The disguise is a simple comma PDF extension and folder icon.
After the victim opens the file, Remcos executes silently and gives the attacker full control over the victim’s machine.
Communication with the C&C
The attacker then covers his tracks by using DDNS (Dynamic DNS), a legitimate service for mapping Internet domain names to dynamic IP addresses. Learn more about this well-known evasion technique at: https://attack.mitre.org/techniques/T1311/.
By using free DDNS accounts, the attacker has a large number of IP addresses at their disposal and can use them to control the victims’ machines.
For example, the attacker uses https://www.noip.com/ service to create the domain ablegod.hopto[.]org.
Remcos – a Swiss Army Knife RAT
Distributed and sold as a legitimate tool by a company called “Breaking Security” on a public website, Remcos is an abbreviation for Remote Control and Surveillance and is sold on a fremium model with a pro version priced from €58 – €389.
By using Remcos, the attacker can remotely gain full control of another machine and include the following functions:
Bypass AV products and privilege escalation:
- Gain admin privileges
- Disable UAC (User Account Control)
- Maintain persistence on the targeted machine
- Run as a legitimate process (e.g. injection to Windows process)
- Run in the background, invisible to the victim
Capabilities:
- Keylogger and clipboard
- ScreenLogger
- Audio capture
- Extract passwords
Check Point products successfully protect against this campaign.
Check Point Threat Emulation is a Zero-Day Protection solution that prevents infections from zero-day malware and targeted attacks using sandboxing capabilities.
Check Point SandBlast Agent provides purpose-built advanced Zero-Day Protection capabilities to protect web browsers and endpoints, leveraging Check Point’s industry leading network protections.
Protections:
Check Point Threat Emulation:
- RAT.Win.Remcos.A
- RAT.Win.Remcos.C
- RAT.Win.Remcos.D
Check Point SandBlast Agent:
- RAT.Win.Remcos.B
The full Threat Emulation report can be found here –
https://forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html
The full SBA report can be found here –
https://forensics.checkpoint.com/remcos/index.html
A special thanks to our colleague Arie Olshtein for his contribution on this research!
Indicators of Compromise:
-
- 303b30ca9d902de72ce83e2b53a496ab2275e4ab58f1151bed1484f421ecc0fa
- 97732c98efbaba02b124439795b3b90985ee0aba906021d5c0a348c79f866230
- c0808c63274677a56177fda9f78ce04bb35e0190740acb2ed268b23a0943ef35
- a4f06a387a1c920d6ebec1098f410879fdf8d9f983209f7e8102a1c6d4b459e9
- 5a9922e81bce762658f36f7d1946a02d63c0430d0b29caf3ee5f70ab7dfd40f2
- 7a5aaecbf18cc78f77f307391716af241313f37eeb5a5fb4080c66574aa6b470
- 568172c320330ceb592add095493beee53446a0310dbf894d2f8f6a1cc4080f3
- dc607b53277b8a0b83dee0b2893d50df0edb5550f94b88381b614ddc163ebe66
- e3cc136991d5c302aeef3f75712ac93f4c4eaf88425494511aaafcfc5247fad5
- 874d254f69efa9193d96c0dbec74b5995f84f9253ba8524e0cfe0f7f612bfb62
- 3f8fa4dc5fcbef7c853a85e9abefbe78b2da3275b96a4288db871453a0a4b853
- 48813f9c61687fb59ca606160b24b1b560d43152ee8fb09692475dd8ac5871f1
- a02b84b2c2fad7ba6ccd785017e5f64fe9bd1251fc3fb3cc04175d5a904568b1
- amblessed.ddns[.]net
- ableyahweh.ddns[.]net
- uaeoffice999.warzonedns[.]com
- pmv1515.duckdns[.]org
- forbbma.ddns[.]net
- alexthomas.ddns[.]net
- timmy66.ddns[.]net
- timmy55.ddns[.]net
- ablegod.hopto[.]org