Deep Analysis - RemcosRAT | Threat: CRITICAL

File Identity

SHA256: 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
Size: 514,188 bytes, PE32 x86, TLS found, 6 sections
Vendor: BreakingSecurity.net (official Remcos vendor site)

RemcosRAT Identification

REMCOS: Remote access tool sold by BreakingSecurity.net. Widely used by criminal actors!

  Remcos v[version]               <- version string
  Remcos Agent initialized (      <- agent startup message
  Remcos restarted by watchdog!   <- watchdog process
  BreakingSecurity.net            <- official Remcos developer/vendor site

Capabilities

KEYLOGGER:
  Keylogger initialization failure: error
  GetAsyncKeyState / SetWindowsHookEx

CLIPBOARD:
  GetClipboardData / EmptyClipboard
  [End of clipboard]

AUDIO CAPTURE:
  d alias audio   <- MCI WinMM audio commands
  close audio

SCREENSHOT:
  BitBlt          <- screen capture

Process Hollowing (Injection)

  NtUnmapViewOfSection  <- unmap the target process image (process hollowing)
  WriteProcessMemory    <- write the payload
  SetThreadContext      <- redirect the thread entry point

=> Hides inside legitimate processes (svchost.exe etc.) via process hollowing

UAC Bypass + Persistence

UAC Bypass:
  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  /v EnableLUA /t REG_DWORD /d 0 <- UAC completely disabled!

Persistence:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

C2 Encryption:
  BCryptGenRandom / TLS13-AES128-GCM-SHA256
  Embedded RSA private key -> C2 communication encrypted with TLS 1.3
  pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2 <- geolocation API

Browser Credential Theft

  \AppData\Local\Google\Chrome\User Data\Default\Login Data
  RecoverCookies <- browser cookie recovery
  Cookies        <- web session theft

IOC

SHA256: 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
RAT: RemcosRAT (BreakingSecurity.net)
Injection: Process Hollowing (NtUnmapViewOfSection)
UAC: EnableLUA=0 registry bypass
Capabilities: Keylogger, Clipboard, Audio, Screenshot, Chrome cookies

RemcosRAT — Malware Profile

RemcosRAT - Remote access tool sold under license by BreakingSecurity.net. Although marketed as a legitimate pentesting tool, it is widely used by criminal actors. Process hollowing, keylogger, clipboard/audio/screenshot monitoring, Chrome credential theft, UAC bypass, TLS 1.3 encrypted C2.

Malware Type
RAT
Programming Language
C++
C2 Protocol
TCP/RC4
Target Systems
Windows
Also Known As (AKA)
Remcos, Breaking-Security

Technical Details

TCP port 2404 (default), RC4 or XOR encryption, developed in C++, PE injection, UAC bypass (CMSTPLUA), AMSI bypass, anti-debug (GetTickCount/RDTSC), DGA-capable C2, keylogger, screenshot, audio

Attribution / Threat Actor

Because the Breaking Security company is based in Switzerland, initial development took place in the EU; however, it is continuously used by cybercriminal communities worldwide.

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — RemcosRAT
# SHA256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
Type    Value                                                              Note
sha256  40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1   -

C2 Servers (8 recorded servers for this family)

Address                    Type    Port  Protocol  Status  Country
breakingsecurity.net       domain  -     TCP       active  -
system.io                  domain  -     TCP       active  -
breakingsecurity.net       domain  -     TCP       active  -
system.io                  domain  -     TCP       active  -
breakingsecurity.net       domain  -     TCP       active  -
paint.net                  domain  -     TCP       active  -
americanshippingline.com   domain  -     TCP       active  -
purl.org                   domain  -     TCP       active  -

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
remcos-rat-breakingsecurity-net-seller, process-hollowing-ntunmapviewofsection, uac-bypass-enablelua-registry, keylogger-getasynckey-hook, clipboard-getclipboarddata-monitor, audio-capture-winmm-mci-alias, screenshot-bitblt-capture, chrome-login-data-cookie-theft, tls13-aes128-gcm-sha256-c2, bcryptgenrandom-rsa-private-key, pro-ip-api-com-geolocation, watchdog-restart-persistence