Remcos Teams Up with PrivateLoader to Enhance Capabilities

Researchers observed RemcosRAT using a PrivateLoader module to extend data gathering and persistence on the victim's machine. The malware installs VBScript files, modifies the registry and uses a service to restart itself, giving it ongoing access while staying quiet. #RemcosRAT #PrivateLoader #Notepads #Geoplugin #DuckDNS

Keypoints

  • RemcosRAT is augmented with PrivateLoader to enhance data collection and persistence on the victim’s system.
  • The infection chain includes VBScript installation, registry edits, and service-based restart to maintain presence.
  • Runtime analysis notes indicate that no files are dropped and nothing is injected into memory until the sample's own environment checks pass.
  • The sample performs anti-analysis/anti-VM checks (e.g., timing checks via GetSystemTimeAsFileTime and GetTickCount, and IsDebuggerPresent) to evade scrutiny.
  • Persistence relies on registry keys and services, including the HKLM Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and other registry modifications.
  • Notepads.exe is dropped as a persistence copy of the parent executable; an install.vbs script is used in the process.
  • Credentials and sensitive data are targeted from browsers (Firefox's logins.json and key3.db) and from the clipboard, with keystrokes captured via keyboard hooks and memory reads.

MITRE Techniques

  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The malware installs and runs components through VBScript (install.vbs).
  • [T1543.003] Windows Service – The malware sets up a service to restart itself at variable intervals or on command from the operator.
  • [T1112] Modify Registry – The malware modifies the registry as part of its persistence and configuration.
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via a Run-key startup value; the configuration carries "Startup value": "Enable" and "HKLMRun".
  • [T1012] Query Registry – Enumerates registry keys/values using RegEnumKeyA/W and RegEnumValueA/W.
  • [T1055] Process Injection – Uses process-related API calls (GetProcessId, GetModuleHandleA/Ex/W, CreateProcessA/W, WriteProcessMemory) consistent with injecting into or manipulating other processes.
  • [T1134] Access Token Manipulation – OpenProcessToken and AdjustTokenPrivileges to enable additional privileges on its own token.
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis/anti-VM checks (GetSystemTimeAsFileTime, GetTickCount, IsDebuggerPresent, etc.).
  • [T1113] Screen Capture – Installs hooks and takes screenshots as part of its monitoring functions.
  • [T1115] Clipboard Data – Reads clipboard contents as part of data collection (GetClipboardData).
  • [T1056.001] Keylogging – Keystroke capture via keyboard-state calls (GetKeyState, etc.) and hooks.
  • [T1555.003] Credentials from Web Browsers – Accesses browser-stored credentials (Firefox's logins.json, key3.db).
  • [T1071.001] Web Protocols – HTTP GET to geoplugin.net/json.gp to geolocate the victim, and C2 contact with nuevosremcs.duckdns.org.

Indicators of Compromise

  • [MD5] Notepads.exe (parent sample) – 27bb3968cc18fb0df5b14e6d1b805552
  • [MD5] Install.vbs – a7fe45cc57afb3dba91ab77483fffa0a
  • [Mutex] Created – \Sessions\1\BaseNamedObjects\Rmc-WRNU47
  • [IP] – 246.82.10, 237.33.50
  • [URL] – http://geoplugin.net/json.gp, http://duckdns.org
  • [Domain] – nuevosremcs.duckdns.org
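To turn the indicators and techniques above into something a SOC can run, here is an added example (not code from the SonicWall write-up or from the malware) that matches them against simplified, Sysmon-style host events. The event shapes, field names (`EventID`, `md5`, `CommandLine`, `TargetFilename`, `TargetObject`, `Details`, `QueryName`) and the sample events are constructed for this example and are not real telemetry; the HKU path form in the Run-key pattern is an assumption about how a SIEM may render per-user hives. The two IP fragments on the page are incomplete and are deliberately not matched.

```python
"""Match the Remcos/PrivateLoader indicators from this page against constructed,
Sysmon-like events (Event IDs 1 process create, 11 file create, 13 registry value
set, 22 DNS query). Field names are simplified stand-ins, not a Sysmon XML parser."""
import re

# MD5 hashes and names exactly as listed in the page's IOC section
IOC_MD5 = {
    "27bb3968cc18fb0df5b14e6d1b805552": "Notepads.exe",
    "a7fe45cc57afb3dba91ab77483fffa0a": "Install.vbs",
}
IOC_DOMAINS = {"nuevosremcs.duckdns.org"}          # C2 domain
IOC_FILENAMES = {"notepads.exe", "install.vbs"}     # dropped persistence files
MUTEX_NAME = "Rmc-WRNU47"  # from \Sessions\1\BaseNamedObjects\Rmc-WRNU47

# Run key under HKLM, HKCU or a per-user HKU\<SID> hive (HKU form is an assumption)
RUN_KEY_RE = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)


def is_remcos_mutex(name):
    """True if a handle/API-monitor mutex name ends in the page's mutex.
    The session number in the object path varies per logon, so only the leaf is compared."""
    return name.rsplit("\\", 1)[-1] == MUTEX_NAME


def match_event(ev):
    """Return a list of (technique_or_label, reason) hits for one event; [] if clean."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create: known hash, or a script host launching install.vbs
        md5 = ev.get("md5", "").lower()
        if md5 in IOC_MD5:
            hits.append(("IOC", f"MD5 {md5} ({IOC_MD5[md5]})"))
        cmd = ev.get("CommandLine", "")
        if SCRIPT_HOST_RE.search(cmd) and "install.vbs" in cmd.lower():
            hits.append(("T1059.005", "script host executing install.vbs"))
    elif eid == 11:  # file create: the dropped persistence copy or the VBScript
        leaf = ev.get("TargetFilename", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if leaf in IOC_FILENAMES:
            hits.append(("IOC", f"dropped {leaf}"))
    elif eid == 13:  # registry value set: Run key pointing at one of the dropped files
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").lower()
        if RUN_KEY_RE.match(target) and any(n in details for n in IOC_FILENAMES):
            hits.append(("T1547.001", f"Run key {target} -> {details}"))
    elif eid == 22:  # DNS query: C2 domain, or the geolocation lookup as supporting context
        q = ev.get("QueryName", "").lower()
        if q in IOC_DOMAINS:
            hits.append(("T1071.001", f"DNS query for {q}"))
        elif q == "geoplugin.net":
            hits.append(("context", "geoplugin.net lookup (geolocation, not C2 on its own)"))
    return hits


def scan(events):
    """Run match_event over a sequence of events; returns [(event_index, hit), ...]."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]


# Constructed sample events, in the order the infection chain on this page would produce them
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\Notepads.exe",
     "md5": "27BB3968CC18FB0DF5B14E6D1B805552",
     "CommandLine": r"C:\Users\u\AppData\Roaming\Notepads.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "md5": "ffffffffffffffffffffffffffffffff",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Roaming\install.vbs"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\u\AppData\Roaming\install.vbs"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Notepads",
     "Details": r"C:\Users\u\AppData\Roaming\Notepads.exe"},
    {"EventID": 22, "QueryName": "geoplugin.net"},
    {"EventID": 22, "QueryName": "nuevosremcs.duckdns.org"},
    {"EventID": 22, "QueryName": "www.example.com"},                   # benign
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign Run key
]

if __name__ == "__main__":
    for idx, (label, reason) in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{label}] {reason}")
```

The geoplugin.net hit is labelled as context rather than as an indicator on purpose: many legitimate applications query that service, so it only adds weight when it appears alongside the Run-key write, the dropped files or the DuckDNS query. Hash matching is case-insensitive because log sources disagree on hex case, and the Run-key rule only fires when the value data names one of the page's dropped files, which keeps ordinary autostart entries like the OneDrive sample out of the results.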

Read more: https://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/