Detecting indicators of Remcos RAT malware
Malware attacks sometimes begin with a phishing email that contains a malicious macro code or malicious URL link that downloads either the actual loader or the next stager to download the actual payload. Malware loader scripts are very flexible in terms of updates, encryption, and code obfuscation to bypass detections. The most prevalent loaders are window scripting languages, JScript (.js), and VBScript (.vbs).
Remcos, or Remote Control and Surveillance, is marketed as a legitimate software for remotely managing Windows systems. It is now widely used in malicious campaigns by threat actors. Remcos loader that utilizes DynamicWrapperX (dynwrapx.dll) to execute shellcode and inject Remcos RAT into the target process.
You need to design and deploy effective monitoring capabilities for Remcos exploitation activities, including searches that find file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence, and data collection.
Data required
- Endpoint data
- Sysmon for Microsoft or Linux
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
Next steps
During triage, isolate the endpoint and review for source of exploitation. Capture any additional file modification events.
If your results indicate an attack has occurred, the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Detecting Remcos tool used by FIN7 with Splunk
- Splunk Security Content: Remcos