KByteS, Staff
Article Id 357531

Summary 

 

In the ever-evolving landscape of cybersecurity, the ability to detect and analyze sophisticated malware behaviors becomes more critical than ever. FortiSandbox 5.0 (FSAv5) has significantly enhanced its capabilities with the integration of the PAIX engine and specialized hooks for .NET programs. These advancements empower security professionals to dissect malware with greater accuracy and to uncover behaviors that might otherwise remain concealed. 

 

A recent demonstration of this capability involved the detection of REMCOS, a remote access trojan that enables attackers to gain unauthorized control over compromised systems. REMCOS can steal sensitive information, log keystrokes, and capture screenshots. This malware is often distributed through phishing emails or malicious downloads, employing obfuscation techniques to evade detection and maintain persistence on infected machines.  

 

FortiSandbox plays a crucial role in identifying such threats by executing malware in a controlled environment that simulates real-world user interactions. This approach not only facilitates detailed behavioral analysis but also ensures that insights gained from these detections are shared across Fortinet’s Security Fabric. This article explores the mechanisms FSAv5 uses to identify and understand sophisticated malware threats like REMCOS, highlighting its contribution to modern cybersecurity defense strategies.

 

 

Analysis in FSAv5 

 

The purpose of this article is to introduce the newly released FSAv5 and showcase its enhanced capabilities in detecting, analyzing, and documenting advanced malware. FSAv5 includes two key new features: the PAIX engine and improved detection for .NET programs. 

The PAIX engine enables sophisticated static malware detection, allowing deeper insight into malicious code operations. Additionally, the enhanced .NET program analysis provides greater visibility into the behavior of this increasingly common malware vector. These advancements are demonstrated through an in-depth analysis of the REMCOS remote access trojan (RAT), known for its extensive data theft capabilities.  

Visual aids, including an updated Tree View diagram (Figure 1), illustrate REMCOS’ full execution sequence. This chronological breakdown outlines the malware’s tactics and processes in detail, clearly highlighting how FSAv5’s new features identify and analyze complex, modern threats. By exploring REMCOS, this article aims to provide readers with an understanding of FSAv5’s role in defending against sophisticated malware.

[Image: treeview.PNG]

Figure 1. Chain of execution provided by FSAv5

 

 

 

Additionally, suspicious indicators triggered during the analysis were recorded and categorized (Figure 2). This comprehensive documentation provides further context and aids in identifying potentially malicious activities. With the enhancements in FSAv5, these indicators not only document the observed behaviors but also correlate them with specific MITRE ATT&CK techniques. This correlation provides a deeper understanding of the tactics employed by the malware.

[Image: indicators.PNG]

Figure 2. FSAv5 updated indicators page

 

 

 

The newly integrated PAIX engine in FSAv5 performs static analysis, enabling it to detect the malware without executing the code. By analyzing the malware’s code structure, embedded signatures and other static properties, the PAIX engine can identify potential threats efficiently. Figure 3 shows an example of PAIX engine detection, illustrating how FSAv5 identifies malicious elements within the REMCOS malware through static analysis.

[Image: paix.PNG]

Figure 3. PAIX engine detection

 

 

 

In addition to the PAIX engine, FSAv5 introduces a new capability for analyzing .NET programs, a significant enhancement given the increasing prevalence of .NET-based malware. By tracing the invocation of .NET APIs, FSAv5 can provide insight into the specific operations and actions undertaken by the malware. This feature captures a wide range of API calls, revealing how the malware interacts with the system, manipulates data and executes malicious actions. Figure 4 demonstrates the .NET analysis in action for the REMCOS malware.

[Image: dotnet.PNG]

Figure 4. .NET APIs

 

 

 

When executed, REMCOS begins by dropping a copy of itself into the %APPDATA% folder under the name “ApplicationTrustManager.exe” to avoid detection. After establishing itself in this directory, it proceeds to execute a base64-encoded command string using PowerShell. The encoded command is as follows:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64-encoded command omitted>

 

 

 

Once decoded, the command uses the Add-MpPreference cmdlet to add both the file path and the process of ApplicationTrustManager.exe to Windows Defender’s exclusion list, which appears as follows:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Add-MpPreference -ExclusionPath REMCOS.exe; Add-MpPreference -ExclusionProcess REMCOS.exe; Add-MpPreference -ExclusionPath %AppData%\Roaming\ApplicationTrustManager.exe; Add-MpPreference -ExclusionProcess %AppData%\Roaming\ApplicationTrustManager.exe

 

 

 

By doing so, REMCOS effectively removes itself from real-time scanning and antivirus protections provided by Windows Defender, ensuring it can operate undetected and unhindered by the system’s security defenses.  
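To show how a defender can reproduce the decode-and-triage step behind this detection, here is an added example (not FortiSandbox code or output): it unpacks a powershell.exe -enc payload (base64 over UTF-16LE) and lists the Windows Defender exclusions it adds, run against a command line constructed by re-encoding the decoded command shown above. The USER_WRITABLE path heuristic is an assumption, not something the article states.

```python
import base64
import re

# Constructed sample, not FortiSandbox output: the decoded command the article shows,
# re-encoded the way powershell.exe -EncodedCommand expects it (UTF-16LE, then base64).
DECODED_SAMPLE = (
    "Add-MpPreference -ExclusionPath REMCOS.exe; "
    "Add-MpPreference -ExclusionProcess REMCOS.exe; "
    "Add-MpPreference -ExclusionPath %AppData%\\Roaming\\ApplicationTrustManager.exe; "
    "Add-MpPreference -ExclusionProcess %AppData%\\Roaming\\ApplicationTrustManager.exe"
)
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc ' + ENCODED_SAMPLE

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)")
# Add-MpPreference and the exclusion kinds it can add; a target ends at whitespace or ';'.
EXCLUSION = re.compile(r"(?i)Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+([^\s;]+)")
# Heuristic (assumption): exclusions under user-writable locations mirror the REMCOS pattern.
USER_WRITABLE = ("%appdata%", "\\appdata\\", "%temp%", "%localappdata%", "\\users\\")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc, or None if the line carries no valid blob."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload malformed


def find_defender_exclusions(cmdline):
    """(kind, target) pairs for every Defender exclusion the command adds, encoded or not."""
    script = decode_encoded_command(cmdline) or cmdline
    return EXCLUSION.findall(script)


def triage(cmdline):
    """Summarise why a PowerShell command line should be flagged (T1027.010 + T1562.001)."""
    exclusions = find_defender_exclusions(cmdline)
    hidden = [t for _, t in exclusions if any(k in t.lower() for k in USER_WRITABLE)]
    return {"encoded": decode_encoded_command(cmdline) is not None,
            "exclusions": exclusions, "user_writable_targets": hidden,
            "suspicious": bool(exclusions)}
```

The same check works on a plain (unencoded) command line, since find_defender_exclusions falls back to scanning the raw text when no -enc blob is present.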

 

Next, the malware runs a script named ApplicationTrustManager.vbs, which contains the following command to execute the REMCOS payload:

CreateObject("WScript.Shell").Run %AppData%\Roaming\ApplicationTrustManager.exe

 

 

 

This VBScript uses the WScript.Shell object to execute ApplicationTrustManager.exe from the %APPDATA%\Roaming directory. REMCOS injects its malicious payload into a legitimate .NET process; in the observed sample, it targeted the InstallUtil.exe process. After successfully bypassing the previously mentioned security measures, REMCOS spawns the targeted .NET process in a suspended state and then replaces its memory content with its own code using a technique known as process hollowing. This method conceals the malware’s presence, making it more challenging for traditional security tools to detect and remove. By embedding itself within a trusted process, REMCOS can operate under the radar while continuing its malicious activities. Figure 5 captures and logs this behavior as detected by FortiSandbox.

[Image: processinject.PNG]

Figure 5. Targeted process for code injection

 

 

Upon gaining access to the victim’s machine, REMCOS executes a range of malicious activities, including keylogging, credential theft, remote surveillance and data exfiltration. It specifically targets popular web browsers like Opera, Firefox, and Chrome, aiming to intercept sensitive data such as login credentials, browsing history, and session cookies. Figure 6 and Figure 7 show examples of REMCOS’ credential theft and keylogging capabilities, respectively. Through these methods, REMCOS enables account compromise and intelligence gathering.

[Image: chromedata.JPG]

Figure 6. Credential theft capabilities

[Image: keylogging.JPG]

Figure 7. Keylogging capabilities

 

 

 

 

As illustrated in Figure 8, during the final attack phase, REMCOS establishes a connection to its command-and-control (C2) server using the identified URL. This communication channel enables threat actors to maintain persistent access to the compromised system, facilitating remote command execution and continuous data exfiltration.

[Image: url.PNG]

Figure 8. Command-and-Control server

 

Conclusion 

 

FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via inline scanning and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats. 

 

 

MITRE ATT&CK 

 

Note: The indicators listed as observed activity for each MITRE technique are specific to the analyzed campaign and may change in future campaigns.

 

TA0002 – Execution

Technique ID | Technique Description | Observed Activity
T1059.003 | A process with suspicious extension was used through ApplicationTrustManager.vbs | The script includes code that executes ApplicationTrustManager.exe using WScript

 

 

TA0005 – Defense Evasion

Technique ID | Technique Description | Observed Activity
T1562.001 | A setting for Windows Defender was modified | The file modified Windows Defender to exclude specified files from real-time scans and the antivirus protection provided by Windows Defender.
T1027.010 | A base64 encoded PowerShell code was executed | REMCOS uses base64 encoding to obfuscate the strings used to run the PowerShell command.
T1055.012 | A file %SYSTEM%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe in suspended mode was created | REMCOS injects its payload into the legitimate .NET process InstallUtil.exe to evade detection.
T1036.005 | A suspicious file ApplicationTrustManager.exe was installed in the %AppData% folder | The malware drops a copy of itself into the %AppData% folder and gives the dropped file the name of a legitimate program.
T1564.003 | No visible window was observed | When REMCOS executes, it uses a hidden window to conceal malicious activities from the user.

 

 

 

TA0011 – Command and Control

Technique ID | Technique Description | Observed Activity
T1571 | A connection to a remote server with non-standard port was attempted | Command-and-control server for REMCOS RAT, http://inforaservice[.]africa

 

 

IOC

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Original file | 2dc2bbe21165e0ca5cdfc929e8f482b4 | MD5 hash | Installation | Malicious PE file | 2024-11-05
Original file | ef7a86dcd2a4a94572cab689dacb848b8c12b9d56d941208ee390448ff6c4b10 | SHA256 hash | Installation | Malicious PE file | 2024-11-05
Dropped file | 2dc2bbe21165e0ca5cdfc929e8f482b4 | MD5 hash | Installation | Copy of the original file, placed in the %AppData% folder | 2024-11-05
Dropped file | ef7a86dcd2a4a94572cab689dacb848b8c12b9d56d941208ee390448ff6c4b10 | SHA256 hash | Installation | Copy of the original file, placed in the %AppData% folder | 2024-11-05
Malicious websites | http://inforsaservice[.]africa | URL | Remote server | REMCOS Command-and-Control (C2) server | 2024-11-05

 

 

Additional Resources 

Further Reading on REMCOS Malware Analysis 

  • New Campaign Uses REMCOS RAT to Exploit Victims | FortiGuard Labs  – This article by the FortiGuard team provides insights into detection techniques, command-and-control behaviors, and methods used by attackers. It complements the analysis presented here by discussing specific infection vectors, payload delivery tactics, and mitigation strategies. 