Backdoor.Win32.REMCOS.USMANEAGBW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following folders:

• %Application Data%\remcos\

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system:

• %Application Data%\remcos\remcos.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\install.vbs - execute the dropped malware copy
• %Application Data%\remcos\logs.dat - record of user activity\keystrokes

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %Program Files%\Internet Explorer\iexplore.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Remcos-6PE8QV
• Remcos_Mutex_Inj

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
remcos = "%Application Data%\remcos\remcos.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %Application Data%\remcos\remcos.exe"

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Remcos-{random}
exepath = "{hex values}"

HKEY_CURRENT_USER\Software\Remcos-{random}
licence = "{random}"

HKEY_CURRENT_USER\Software\Remcos-{random}
Inj = 1

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.153.18

Information Theft

This Backdoor gathers the following data:

• Computer name
• Username
• User profile
• User domain
• Home Drive
• Logon Server
• Processor Architecture
• Windows Version
• System Type (x64, x86)
• User access (if admin or not)
• Computer Memory Information (RAM, Virtual memory)

Other Details

Based on analysis of the codes, it has the following capabilities:

• Copy Directory
• Delete Directory
• Create Directory
• Move Directory
• Get Directory Information
• Get Drive Information\Status
• Get Mapped Drives
• Delete Mapped Drives
• Add Mapped Drives
• Dummy Speed Test
• Execute a command
• Run a process
• Change File Directory
• Copy File
• Link Files (Hard Link)
• Create Shortcut
• Delete File
• Check File Existence
• Enumerate Files
• Get File Attributes (Size, shortname, longname)
• Get File Location
• Delete File
• Empty Recycle Bin
• Modify File
• Install File
• Open File
• Read File
• Modify .ini files
• Activate Keylogger
• Perform Ping
• Display Messagebox
• Get Running Processes
• Terminate a Process
• Check if a process is running
• Delete Registry Key\Entry
• Enumerate Registry Key\Entry
• Modify\Add Registry Entry
• Upload Files
• Download Files
• Shutdown Affected Machine
• Put Machine to Sleep
• Play Sound
• Get active window
• Close a window
• Check if Window is open
• List windows
• Minimize windows
• Set window on top
• Move Window
• Wait for a window to be active
• Check user cookies and cache
• Clear Cookies and Cache
• Run the Command Prompt (CMD)
• Flash a window
• Obtain user Logs
• Capture Image
• Capture Audio
• Open web browser
• Send keyboard input
• Send mouse clicks
• Disable mouse\keyboard inputs
• Write text to clipboard
• Receive text from clipboard
• Clear clipboard data
• Check for CD drives
• Acquire User Passwords and Login Data