Subject: Engage Report: Stealthy Stalker – Remcos RAT
Tactics: TA0003 Persistence
Technique: T1543 Create or Modify System Process
Procedure:
The malware creates a new registry entry in the Run key of the Windows Registry under HKCU (HKEY_CURRENT_USER). This registry entry ensures that a PowerShell script (yrnwr.ps1) located in the System Update folder inside the misleading LocalLow directory is executed at every user login.
Vulnerability:
EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
EAV0016: When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation.
Engagement Opportunity:
The creation of a new registry entry in the Run key and the execution of a PowerShell script from an unusual directory (System Update folder inside the misleading LocalLow directory) can be used as an engagement opportunity. These actions can trigger alerts in a well-monitored environment, allowing defenders to investigate and potentially engage with the attacker.
Threat Actor: Remcos RAT
Threat Objective:
To gain remote access and control of infected machines for espionage, data theft, and system manipulation.
Deception Opportunity:
Defenders can create a fake “System Update” folder in the LocalLow directory containing decoy files or a honeypot. This could lure the attacker into interacting with the decoy, providing valuable intelligence about their tools, techniques, and procedures (TTPs).
Sensor Data Placement: User-Mode
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
The malware’s persistence mechanism relies on modifying the Windows Registry (HKCU Run key) and executing a PowerShell script. These observables are user-mode data and are specific to the implementation of the Create or Modify System Process technique used by Remcos RAT in this instance. Therefore, the observable level is classified as “Core to Some Implementations of (Sub-)Technique”.
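The observables named in the Engagement Opportunity and Scoring Rationale above (an HKCU Run-key value that launches a PowerShell script from a "System Update" folder under LocalLow) can be turned into a simple detection. The following is an added example, not code from the report or from McAfee; it assumes Sysmon Event ID 13 (RegistryEvent, Value Set) telemetry exported as JSON lines, and the sample events, SID and paths are constructed:

```python
r"""Detection sketch: flag Run-key writes that launch a PowerShell script from AppData\LocalLow.
Input is a constructed stream of Sysmon Event ID 13 (RegistryEvent, Value Set) records in JSON lines."""
import json
import re
from typing import List, Optional, Tuple

# The autorun location abused here: any value under ...\CurrentVersion\Run
# (Sysmon reports HKCU keys as HKU\<SID>\..., so match on the key suffix only).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# A .ps1 under LocalLow is unusual: that folder holds low-integrity app data, not scripts.
LOCALLOW_SCRIPT_RE = re.compile(r"\\AppData\\LocalLow\\.*\.ps1\b", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a Value Set event that touches a Run key, else None."""
    if event.get("EventID") != 13:
        return None
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    details = event.get("Details", "")
    if LOCALLOW_SCRIPT_RE.search(details):
        return ("high", "Run key launches a .ps1 from AppData\\LocalLow")
    if POWERSHELL_RE.search(details):
        return ("medium", "Run key launches PowerShell")
    return ("low", "new Run key value")  # baseline: every new autorun deserves a look

def scan(lines) -> List[Tuple[str, str, str]]:
    """Apply classify() to JSON-lines events; returns (severity, value path, writing image)."""
    findings = []
    for line in lines:
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append((hit[0], event["TargetObject"], event.get("Image", "")))
    return findings

# Constructed sample events (not real telemetry); the SID and paths are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update", "Details": "powershell.exe -File \"C:\\Users\\alice\\AppData\\LocalLow\\System Update\\yrnwr.ps1\""}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "\"C:\\Program Files\\Vendor\\tray.exe\" /minimized"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync", "Details": "pwsh.exe -File C:\\Tools\\sync.ps1"}
{"EventID": 12, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Classes\\.txt", "Details": ""}
""".strip().splitlines()

if __name__ == "__main__":
    for severity, value_path, image in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {value_path} written by {image}")
```

The "low" tier is deliberately noisy; in practice it is suppressed by an allow-list of known installers, while the "high" tier (script under LocalLow) is the one worth paging on and pairing with the decoy folder described under Deception Opportunity.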
Link to Report: http://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vb-script-driven-campaign/
Link to Report II.:
Additional Comments:
The attacker’s use of process injection and obfuscation techniques demonstrates an attempt to evade detection. Defenders should be vigilant and implement robust defenses to counter such threats.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: Remcos RAT Attack Graph
[1]: Persistence - Create or Modify System Process - Create a new registry entry in the Run key to execute a PowerShell script at every user login (Core to Some Implementations of (Sub-)Technique)
[2]: Defense Evasion - Obfuscated Files or Information: Obfuscation - Employ multi-layer obfuscation in the PowerShell script (Core to Adversary-Brought Tool)
[3]: Privilege Escalation - Process Injection - Inject the final Remcos payload into the memory of RegAsm.exe (Core to Sub-Technique or Technique)
1 --> 2 (Lack of System Monitoring)
2 --> 3 (Lack of System Monitoring)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# Example: Remcos RAT Pseudocode
function Persistence_Create_or_Modify_System_Process():
    # Create a new registry entry in the Run key
    # Configure the entry to execute a PowerShell script at every user login
    return obfuscated_PowerShell_script
function Defense_Evasion_Obfuscated_Files_or_Information(obfuscated_PowerShell_script):
    # Employ multi-layer obfuscation in the PowerShell script
    return process_injection_payload
function Privilege_Escalation_Process_Injection(process_injection_payload):
    # Inject the Remcos payload into the memory of RegAsm.exe
    return remote_access_and_control