Backdoor.Win32.REMCOS.USMANEAGHD

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• %Temp%\install.vbs
• %Application Data%\chrome.exe
• %Application Data%\logs.dat → contains the information stolen from the victim

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %Temp%\install.vbs
• %Application Data%\chrome.exe

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Remcos_Mutex_Inj
• Mutex_RemWatchdog

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
localhost = %Application Data%\chrome.exe

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Remcos-RMYCW3
exepath = {Hex Values}

HKEY_CURRENT_USER\Software\Remcos-RMYCW3
licence = 6A6428FC114F6C524B8F361E81AEDEAC

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Activate Keylogger
• Capture Image
• Copy and paste text to and from clipboard
• Download Files
• Ping an address
• Send keyboard/mouse input
• Open the command prompt
• Open the event viewer
• Execute shell commands
• Execute files
• Browse directories
• Obtain file/directory attributes
• Change victim's Wallpaper
• Upload files
• Rename files
• Delete files
• Delete Directories
• Get screenshot
• Terminate processes
• Play/record audio
• Copy and paste text to and from clipboard
• Clear Browser login and cookies
• Perform registry changes
• Play alarm
• Display a messagebox
• Sends keyboard input
• Sends mouse click
• Retrieve logins and cookies from the following browsers:
  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.140.185:1990

Information Theft

This Backdoor gathers the following data:

• Computer name
• User name
• Home drive
• Logon server
• Processor architecture
• Windows version
• System type (x64, x86)
• User access (if admin or not)
• Memory information
• Browser logins and cookies
• User keystrokes
• Session name
• User profile
• User domain
• Idle time of the user (in minutes)

Other Details

This Backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Remcos-RMYCW3