Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two — Elastic Security Labs

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two — Elastic Security Labs</title><meta name="description" content="In the previous article in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2."/><link rel="canonical" href="https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two"/></head><body><div id="__next"><main class="__variable_0351a5 __variable_1f211e __variable_a5b5f5 flex flex-col min-h-screen"><main class="mb-20 flex-1 flex flex-col"><article class="px-4"><div class="max-w-7xl mx-auto relative z-10 flex flex-col space-y-4"><div class="eyebrow break-words"><time class="block mb-2 md:mb-0 md:inline-block article-published-date" dateTime="2024-04-30T00:00:00.000Z">30 April 2024</time><span class="hidden md:inline-block md:mx-2">•</span><a class="hover:text-blue-400 text-xs md:text-sm whitespace-nowrap author-name" href="/security-labs/author/cyril-francois">Cyril François</a><span class="mx-2">•</span><a class="hover:text-blue-400 text-xs md:text-sm whitespace-nowrap author-name" href="/security-labs/author/samir-bousseaden">Samir Bousseaden</a></div><h1 class="font-bold leading-tighter text-3xl md:text-5xl"><span>Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two</span></h1><p class="text-zinc-200 text-base md:text-xl">Part two: Diving into REMCOS recording capabilities, launch, and C2 communication</p><div class="flex items-center mt-4 text-zinc-200 text-sm space-x-4 border-t border-white/25 pt-4"><span class="flex items-center space-x-1"><span>8 min read</span></span><span class="flex items-center space-x-1"><span><a class="hover:text-blue-400 whitespace-nowrap" href="/security-labs/category/malware-analysis">Malware analysis</a></span></span></div></div><div class="lg:max-w-7xl mx-auto relative mt-12 lg:grid lg:grid-cols-4 lg:gap-8 items-start"><div class="flex justify-center lg:col-span-3"><div class="prose lg:prose-lg prose-invert w-full article-content"><div><p>In the <a href="https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one">previous article</a> in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms.
Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2.</p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="starting-watchdog" class="absolute -top-32"></span>Starting watchdog</h2>
<p>If the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_watchdog_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x32</code>) is enabled, REMCOS will activate its watchdog feature.</p>
<p>This feature involves the malware launching a new process, injecting itself into it, and monitoring the main process. The goal of the watchdog is to restart the main process in case it gets terminated. The main process can also restart the watchdog if it gets terminated.</p>
<p>The target binary for watchdog injection is selected from a hardcoded list, choosing the first binary for which the process creation and injection are successful:</p>
<ul> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">svchost.exe</code></li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">rmclient.exe</code></li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">fsutil.exe</code></li> </ul>
<p>In this example, the watchdog process is <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">svchost.exe</code>.</p>
<p>The registry value <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">HKCU/SOFTWARE/{MUTEX}/WD</code> is created before starting the watchdog process and contains the main process PID.</p>
<p>Once REMCOS is running in the watchdog process, it takes a &quot;special&quot; execution path by verifying whether the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">WD</code> value exists in the malware registry key. If it does, the value is deleted, and the monitoring procedure is invoked.</p>
<p>It is worth noting that the watchdog process has a special mutex to differentiate it from the main process mutex. This mutex string is derived from the configuration (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0xE</code>) with <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">-W</code> appended.</p>
<p>When the main process is terminated, the watchdog detects it and restarts it using the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">ShellExecuteW</code> API with the path to the malware binary retrieved from the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">HKCU/SOFTWARE/{mutex}/exepath</code> registry value.</p>
<h2 class="font-bold text-2xl md:text-4xl relative"><span id="starting-recording-threads" class="absolute -top-32"></span>Starting recording threads</h2>
<h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="keylogging-thread" class="absolute -top-32"></span>Keylogging thread</h3>
<p>The offline keylogger has two modes of operation:</p>
<ol> <li>Keylog everything</li> <li>Enable keylogging when specific windows are in the foreground</li>
</ol>
<p>When the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">keylogger_mode</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0xF</code>) field is set to 1 or 2 in the configuration, REMCOS activates its &quot;Offline Keylogger&quot; capability.</p>
<p>Keylogging is accomplished using the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">SetWindowsHookExA</code> API with the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">WH_KEYBOARD_LL</code> constant.</p>
<p>The file where the keylogging data is stored is built using the following configuration fields:</p>
<ul> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">keylogger_root_directory</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x31</code>)</li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">keylogger_parent_directory</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x10</code>)</li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">keylogger_filename</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x11</code>)</li> </ul>
<p>The keylogger file path is <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">{keylogger_root_directory}/{keylogger_parent_directory}/{keylogger_filename}</code>. In this case, it will be <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">%APPDATA%/keylogger.dat</code>.</p>
<p>The keylogger file can be encrypted by enabling the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_keylogger_file_encryption_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x12</code>) in the configuration. It will be encrypted using the RC4 algorithm and the configuration key.</p>
<p>The file can also be made super hidden (hidden and system attributes) by enabling the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_keylogger_file_hiding_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x13</code>) in the configuration.</p>
<p>When using the second keylogging mode, you need to set the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">keylogger_specific_window_names</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x2A</code>) field with strings that will be searched for in the current foreground window title every 5 seconds.</p>
<p>Upon a match, keylogging begins.
Subsequently, the current foreground window is checked every second to stop the keylogger if the title no longer contains the specified strings.</p>
<h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="screen-recording-threads" class="absolute -top-32"></span>Screen recording threads</h3>
<p>When the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_screenshot_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x14</code>) is enabled in the configuration, REMCOS will activate its screen recording capability.</p>
<p>To take a screenshot, REMCOS utilizes the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">CreateCompatibleBitmap</code> and <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">BitBlt</code> Windows APIs. If the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_screenshot_mouse_drawing_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x35</code>) is enabled, the mouse cursor is also drawn on the bitmap using the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">GetCursorInfo</code>, <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">GetIconInfo</code>, and <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">DrawIcon</code> APIs.</p>
<p>The path to the folder where the screenshots are stored is constructed using the following configuration fields:</p>
<ul> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">screenshot_parent_directory</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x19</code>)</li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">screenshot_folder</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x1A</code>)</li> </ul>
<p>The final path is <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">{screenshot_parent_directory}/{screenshot_folder}</code>.</p>
<p>REMCOS utilizes the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">screenshot_interval_in_minutes</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x15</code>) field to capture a screenshot every X minutes and save it to disk using the following format string: <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">time_%04i%02i%02i_%02i%02i%02i</code>.</p>
<p>Similarly to keylogging data, when the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_screenshot_encryption_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x1B</code>) is enabled, the screenshots are saved encrypted using the RC4 encryption algorithm and the configuration key.</p>
<p>On top of that, REMCOS has a &quot;specific window&quot; feature for its screen recording similar to the one in its keylogging capability. When the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_screenshot_specific_window_names_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x16</code>) is set, a second screen recording thread is initiated.</p>
<p>This time, it utilizes the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">screenshot_specific_window_names</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x17</code>) list of strings to capture a screenshot when the foreground window title contains one of the specified strings.
Screenshots are taken every X seconds, as specified by the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">screenshot_specific_window_names_interval_in_seconds</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x18</code>) field.</p> <p>In this case, the screenshots are saved to disk using a different format string: <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">wnd_%04i%02i%02i_%02i%02i%02i</code>. Below is an example using [&quot;notepad&quot;] as the list of specific window names and bringing the Notepad process window to the foreground.</p> <p>[Figure: Screenshot triggered when Notepad window is in the foreground]</p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="audio-recording-thread" class="absolute -top-32"></span>Audio recording thread</h3> <p>When the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">enable_audio_recording_flag</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x23</code>) is enabled, REMCOS starts its audio recording capability.</p> <p>[Figure: 0x40F159 Starting audio recording capability when enabled in configuration]</p> <p>The recording is conducted using the Windows <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">Wave*</code> API. The duration of each recording is specified in minutes by the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">audio_recording_duration_in_minutes</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x24</code>) configuration field.</p> <p>[Figure: 0x401BE9 Initialization of audio recording]</p> <p>After recording for X minutes, the recording file is saved and a new recording begins. REMCOS uses the following configuration fields to construct the recording folder path:</p> <ul> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">audio_record_parent_directory</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x25</code>)</li> <li><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">audio_record_folder</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x26</code>)</li> </ul> <p>The final path is <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">{audio_record_parent_directory}/{audio_record_folder}</code>. In this case, it is <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">C:\MicRecords</code>. 
Recordings are saved to disk using the following file name format: <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">%Y-%m-%d %H.%M.wav</code>.</p> <p>[Figure: Audio recording folder]</p> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="communication-with-the-c2" class="absolute -top-32"></span>Communication with the C2</h2> <p>After initialization, REMCOS initiates communication with its C2. It attempts to connect to each domain in its <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">c2_list</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x0</code>) until one responds.</p> <p>According to previous research, communication can be encrypted using TLS if enabled for a specific C2. In such cases, the TLS engine uses the <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">tls_raw_certificate</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x36</code>), <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">tls_key</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x37</code>), and <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">tls_raw_peer_certificate</code> (index <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">0x38</code>) configuration fields to establish the TLS tunnel.</p> <p>It&#x27;s important to note that in this scenario, only one peer certificate can be provided for multiple TLS-enabled C2 domains. As a result, it may be possible to identify other C2s using the same certificate.</p> <p>Once connected, we received our first packet:</p> <p>[Figure: Hello packet from REMCOS]</p> <p>As <a href="https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing">described in depth by Fortinet</a>, the protocol hasn&#x27;t changed, and all packets follow the same structure (colors refer to the highlighted fields in the capture; integers are little-endian):</p> <ul> <li>(orange) <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">magic_number</code>: <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">\x24\x04\xff\x00</code></li> <li>(red) <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">data_size</code>: <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">\x40\x03\x00\x00</code></li> <li>(green) <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">command_id</code> (number): <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">\x4b\x00\x00\x00</code></li> <li>(blue) data fields separated by <code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">|\x1e\x1e\x1f|</code></li> </ul> <p>After receiving the first packet from the malware, we can send our own command using the following functions.</p> <pre><code>MAGIC = 0xFF0424  # on the wire: \x24\x04\xff\x00 (little-endian)
SEPARATOR = b&quot;\x1e\x1e\x1f|&quot;


def build_command_packet(command_id: int, command_data: bytes) -&gt; bytes:
    # The command id is the first 4 bytes of the payload, followed by its data fields.
    return build_packet(command_id.to_bytes(4, byteorder=&quot;little&quot;) + command_data)


def build_packet(data: bytes) -&gt; bytes:
    # 4-byte magic, 4-byte length of everything that follows, then command id and fields.
    packet = MAGIC.to_bytes(4, byteorder=&quot;little&quot;)
    packet += len(data).to_bytes(4, byteorder=&quot;little&quot;)
    packet += data
    return packet</code></pre> <p>Here we are going to change the title of a Notepad window using command 0x94, passing as parameters its window handle (329064) and a text of our choice.</p> <pre><code>import nclib  # pip install nclib


def main() -&gt; None:
    # Listen on the lab address that the sample configuration points at.
    server_0 = nclib.TCPServer((&quot;192.168.204.1&quot;, 8080))

    for client in server_0:
        # Receive the hello packet sent by the implant (up to a 5 second wait).
        print(client.recv_all(5))

        # Command 0x94: set a window title. Parameters: window handle, new title (UTF-16LE).
        client.send(build_command_packet(
            0x94,
            b&quot;329064&quot; + SEPARATOR + &quot;AM_I_A_JOKE_TO_YOU?&quot;.encode(&quot;utf-16-le&quot;)))


if __name__ == &quot;__main__&quot;:
    main()</code></pre> <p>[Figure: REMCOS executed the command, changing the Notepad window text]</p> <p>That’s the end of the second article. The third part will cover REMCOS&#x27; configuration and its C2 commands.</p></div></div></div></div></article></main></main></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"article":{"title":"Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two","slug":"dissecting-remcos-rat-part-two","date":"2024-04-30","description":"In the previous article in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2.","image":"Security Labs Images 21.jpg","subtitle":"Part two: Diving into REMCOS recording capabilities, launch, and C2 communication","tags":["malware-analysis","remcos"],"body":{"raw":"\nIn the [previous article](https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one) in this series on the REMCOS implant, we shared information about execution, persistence, and defense evasion mechanisms. 
Continuing this series we’ll cover the second half of its execution flow and you’ll learn more about REMCOS recording capabilities and communication with its C2.\n\n## Starting watchdog\n\nIf the ```enable_watchdog_flag``` (index ```0x32```) is enabled, the REMCOS will activate its watchdog feature.\n\n![0x40F24F Starting watchdog feature if enabled in the configuration](/assets/images/dissecting-remcos-rat-part-two/image68.png)\n\n\nThis feature involves the malware launching a new process, injecting itself into it, and monitoring the main process. The goal of the watchdog is to restart the main process in case it gets terminated. The main process can also restart the watchdog if it gets terminated.\n\n\n![Console message indicating activation of watchdog module](/assets/images/dissecting-remcos-rat-part-two/image49.png)\n\n\nThe target binary for watchdog injection is selected from a hardcoded list, choosing the first binary for which the process creation and injection are successful:\n\n - ```svchost.exe```\n - ```rmclient.exe```\n - ```fsutil.exe```\n\n![0x4122C5 Watchdog target process selection](/assets/images/dissecting-remcos-rat-part-two/image32.png)\n\n\nIn this example, the watchdog process is ```svchost.exe```.\n\n![svchost.exe watchdog process](/assets/images/dissecting-remcos-rat-part-two/image3.png)\n\n\nThe registry value ```HKCU/SOFTWARE/{MUTEX}/WD``` is created before starting the watchdog process and contains the main process PID.\n\n![The main process PID is saved in the WD registry key](/assets/images/dissecting-remcos-rat-part-two/image31.png)\n\n\nOnce REMCOS is running in the watchdog process, it takes a \"special\" execution path by verifying if the ```WD``` value exists in the malware registry key. 
If it does, the value is deleted, and the monitoring procedure function is invoked.\n \n![0x40EB54 Watchdog execution path when WD registry value exists](/assets/images/dissecting-remcos-rat-part-two/image63.png)\n\nIt is worth noting that the watchdog process has a special mutex to differentiate it from the main process mutex. This mutex string is derived from the configuration (index ```0xE```) and appended with ```-W```.\n\n![Mutex field in the configuration](/assets/images/dissecting-remcos-rat-part-two/image92.png)\n\n\n![Comparison between main process and watchdog process mutexes](/assets/images/dissecting-remcos-rat-part-two/image64.png)\n\n\nWhen the main process is terminated, the watchdog detects it and restarts it using the ```ShellExecuteW``` API with the path to the malware binary retrieved from the ```HKCU/SOFTWARE/{mutex}/exepath``` registry key\n\n![Console message indicating process restart by watchdog](/assets/images/dissecting-remcos-rat-part-two/image30.png)\n\n\n## Starting recording threads\n\n### Keylogging thread\n\nThe offline keylogger has two modes of operation:\n\n 1. Keylog everything\n 2. 
Enable keylogging when specific windows are in the foreground\n\nWhen the ```keylogger_mode``` (index ```0xF```) field is set to 1 or 2 in the configuration, REMCOS activates its \"Offline Keylogger\" capability.\n\n![](/assets/images/dissecting-remcos-rat-part-two/image62.png)\n\n\nKeylogging is accomplished using the ```SetWindowsHookExA``` API with the ```WH_KEYBOARD_LL``` constant.\n\n![0x40A2B8 REMCOS setting up keyboard event hook using SetWindowsHookExA](/assets/images/dissecting-remcos-rat-part-two/image23.png)\n\n\nThe file where the keylogging data is stored is built using the following configuration fields:\n\n - ```keylogger_root_directory``` (index ```0x31```)\n - ```keylogger_parent_directory``` (index ```0x10```)\n - ```keylogger_filename``` (index ```0x11```)\n\nThe keylogger file path is ```{keylogger_root_directory}/{keylogger_parent_directory}/{keylogger_filename}```. In this case, it will be ```%APPDATA%/keylogger.dat```.\n\n![Keylogging data file keylogger.dat](/assets/images/dissecting-remcos-rat-part-two/image8.png)\n\n\n![Keylogging data content](/assets/images/dissecting-remcos-rat-part-two/image94.png)\n\n\nThe keylogger file can be encrypted by enabling the ```enable_keylogger_file_encryption_flag``` (index ```0x12```) flag in the configuration. 
It will be encrypted using the RC4 algorithm and the configuration key.\n\n![0x40A7FC Decrypting, appending, and re-encrypting the keylogging data file](/assets/images/dissecting-remcos-rat-part-two/image51.png)\n\n\nThe file can also be made super hidden by enabling the ```enable_keylogger_file_hiding_flag``` (index ```0x13```) flag in the configuration.\n\nWhen using the second keylogging mode, you need to set the ```keylogger_specific_window_names``` (index ```0x2A```) field with strings that will be searched in the current foreground window title every 5 seconds.\n\n![0x40A109 Keylogging mode choice](/assets/images/dissecting-remcos-rat-part-two/image84.png)\n\n\nUpon a match, keylogging begins. Subsequently, the current foreground window is checked every second to stop the keylogger if the title no longer contains the specified strings.\n\n![Monitoring foreground window for keylogging activation](/assets/images/dissecting-remcos-rat-part-two/image79.png)\n\n\n### Screen recording threads\n\nWhen the ```enable_screenshot_flag``` (index ```0x14```) is enabled in the configuration, REMCOS will activate its screen recording capability.\n\n![0x40F0B3 Starting screen recording capability when enabled in configuration](/assets/images/dissecting-remcos-rat-part-two/image81.png)\n\n\nTo take a screenshot, REMCOS utilizes the ```CreateCompatibleBitmap``` and the ```BitBlt``` Windows APIs. 
If the ```enable_screenshot_mouse_drawing_flag``` (index ```0x35```) flag is enabled, the mouse is also drawn on the bitmap using the ```GetCursorInfo```, ```GetIconInfo```, and the ```DrawIcon``` API.\n\n![0x418E76 Taking screenshot 1/2](/assets/images/dissecting-remcos-rat-part-two/image6.png)\n\n\n![0x418E76 Taking screenshot 2/2](/assets/images/dissecting-remcos-rat-part-two/image82.png)\n\n\nThe path to the folder where the screenshots are stored is constructed using the following configuration:\n - ```screenshot_parent_directory``` (index ```0x19```)\n - ```screenshot_folder``` (index ```0x1A```)\n\nThe final path is ```{screenshot_parent_directory}/{screenshot_folder}```.\n\nREMCOS utilizes the ```screenshot_interval_in_minutes``` (index ```0x15```) field to capture a screenshot every X minutes and save it to disk using the following format string: ```time_%04i%02i%02i_%02i%02i%02i```.\n\n![Location where screenshots are saved](/assets/images/dissecting-remcos-rat-part-two/image45.png)\n\n\nSimilarly to keylogging data, when the ```enable_screenshot_encryption_flag``` (index ```0x1B```) is enabled, the screenshots are saved encrypted using the RC4 encryption algorithm and the configuration key.\n\nAt the top, REMCOS has a similar \"specific window\" feature for its screen recording as its keylogging capability. When the ```enable_screenshot_specific_window_names_flag``` (index ```0x16```) is set, a second screen recording thread is initiated.\n\n![0x40F108 Starting specific window screen recording capability when enabled in configuration](/assets/images/dissecting-remcos-rat-part-two/image20.png)\n\n\n\nThis time, it utilizes the ```screenshot_specific_window_names``` (index ```0x17```) list of strings to capture a screenshot when the foreground window title contains one of the specified strings. 
Screenshots are taken every X seconds, as specified by the ```screenshot_specific_window_names_interval_in_seconds``` (index ```0x18```) field.\n\nIn this case, the screenshots are saved on the disk using a different format string: ```wnd_%04i%02i%02i_%02i%02i%02i```. Below is an example using [\"notepad\"] as the list of specific window names and setting the Notepad process window in the foreground.\n\n![Screenshot triggered when Notepad window is in the foreground](/assets/images/dissecting-remcos-rat-part-two/image89.png)\n\n\n### Audio recording thread\n\nWhen the ```enable_audio_recording_flag``` (index ```0x23```) is enabled, REMCOS initiates its audio recording capability.\n\n![0x40F159 Starting audio recording capability when enabled in configuration](/assets/images/dissecting-remcos-rat-part-two/image24.png)\n\n\nThe recording is conducted using the Windows ```Wave*``` API. The duration of the recording is specified in minutes by the ```audio_recording_duration_in_minutes``` (```0x24```) configuration field.\n\n![0x401BE9 Initialization of audio recording](/assets/images/dissecting-remcos-rat-part-two/image2.png)\n\n\nAfter recording for X minutes, the recording file is saved, and a new recording begins. REMCOS uses the following configuration fields to construct the recording folder path:\n\n - ```audio_record_parent_directory``` (index ```0x25```)\n - ```audio_record_folder``` (index ```0x26```)\n\nThe final path is ```{audio_record_parent_directory}/{audio_record_folder}```. In this case, it will be ```C:\\MicRecords```. Recordings are saved to disk using the following format: ```%Y-%m-%d %H.%M.wav```.\n\n![Audio recording folder](/assets/images/dissecting-remcos-rat-part-two/image33.png)\n\n\n## Communication with the C2\n\nAfter initialization, REMCOS initiates communication with its C2. 
It attempts to connect to each domain in its ```c2_list``` (index ```0x0```) until one responds.\n\nAccording to previous research, communication can be encrypted using TLS if enabled for a specific C2. In such cases, the TLS engine will utilize the ```tls_raw_certificate``` (index ```0x36```), ```tls_key``` (index ```0x37```), and ```tls_raw_peer_certificate``` (index ```0x38```) configuration fields to establish the TLS tunnel.\n\nIt's important to note that in this scenario, only one peer certificate can be provided for multiple TLS-enabled C2 domains. As a result, it may be possible to identify other C2s using the same certificate.\n\nOnce connected we received our first packet:\n\n![Hello packet from REMCOS](/assets/images/dissecting-remcos-rat-part-two/image80.png)\n\n\nAs [described in depth by Fortinet](https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing), the protocol hasn't changed, and all packets follow the same structure:\n\n - (orange)```magic_number```: ```\\x24\\x04\\xff\\x00```\n - (red)```data_size```: ```\\x40\\x03\\x00\\x00```\n - (green)```command_id``` (number): ```\\0x4b\\x00\\x00\\x00```\n - (blue)data fields separated by ```|\\x1e\\x1e\\1f|```\n\nAfter receiving the first packet from the malware, we can send our own command using the following functions.\n\n```Python\nMAGIC = 0xFF0424\nSEPARATOR = b\"\\x1e\\x1e\\x1f|\"\n\n\ndef build_command_packet(command_id: int, command_data: bytes) -\u003e bytes:\n\treturn build_packet(command_id.to_bytes(4, byteorder=\"little\") + command_data)\n\n\ndef build_packet(data: bytes) -\u003e bytes:\n\tpacket = MAGIC.to_bytes(4, byteorder=\"little\")\n\tpacket += len(data).to_bytes(4, byteorder=\"little\")\n\tpacket += data\n\treturn packet\n```\n\nHere we are going to change the title of a Notepad window using the command 0x94, passing as parameters its window handle (329064) and the text of our choice.\n\n```Python\ndef main() -\u003e None:\n\tserver_0 = 
nclib.TCPServer((\"192.168.204.1\", 8080))\n\n\tfor client in server_0:\n\t\t# Read the implant's hello packet (5-second timeout) before replying\n\t\tprint(client.recv_all(5))\n\n\t\t# Command 0x94: window handle and UTF-16LE title text as the data fields\n\t\tclient.send(build_command_packet(\n\t\t\t0x94,\n\t\t\tb\"329064\" + SEPARATOR + \"AM_I_A_JOKE_TO_YOU?\".encode(\"utf-16-le\")))\n\n\nif __name__ == \"__main__\":\n\tmain()\n```\n\n![REMCOS executed the command, changing the Notepad window text](/assets/images/dissecting-remcos-rat-part-two/image1.png)\n\n\nThat’s the end of the second article. The third part will cover REMCOS' configuration and its C2 commands."},"_id":"articles/dissecting-remcos-rat-part-two.mdx","_raw":{"sourceFilePath":"articles/dissecting-remcos-rat-part-two.mdx","sourceFileName":"dissecting-remcos-rat-part-two.mdx","sourceFileDir":"articles","contentType":"mdx","flattenedPath":"articles/dissecting-remcos-rat-part-two"},"type":"Article","imageUrl":"/assets/images/dissecting-remcos-rat-part-two/Security Labs Images 21.jpg","readingTime":"8 min read","series":"","url":"/dissecting-remcos-rat-part-two","headings":[{"level":2,"title":"Starting watchdog","href":"#starting-watchdog"},{"level":2,"title":"Starting recording threads","href":"#starting-recording-threads"},{"level":3,"title":"Keylogging thread","href":"#keylogging-thread"},{"level":3,"title":"Screen recording threads","href":"#screen-recording-threads"},{"level":3,"title":"Audio recording thread","href":"#audio-recording-thread"},{"level":2,"title":"Communication with the C2","href":"#communication-with-the-c2"}],"author":[{"title":"Cyril François","slug":"cyril-francois","description":"Elastic Security Labs Team Senior Research Engineer, Malware","body":{"raw":""},"_id":"authors/cyril-francois.mdx","_raw":{"sourceFilePath":"authors/cyril-francois.mdx","sourceFileName":"cyril-francois.mdx","sourceFileDir":"authors","contentType":"mdx","flattenedPath":"authors/cyril-francois"},"type":"Author","imageUrl":"","url":"/authors/cyril-francois"},{"title":"Samir Bousseaden","slug":"samir-bousseaden","body":{"raw":""},"_id":"authors/samir-bousseaden.mdx","_raw":{"sourceFilePath":"authors/samir-bousseaden.mdx","sourceFileName":"samir-bousseaden.mdx","sourceFileDir":"authors","contentType":"mdx","flattenedPath":"authors/samir-bousseaden"},"type":"Author","imageUrl":"","url":"/authors/samir-bousseaden"}],"category":[{"title":"Malware analysis","slug":"malware-analysis","body":{"raw":""},"_id":"categories/malware-analysis.mdx","_raw":{"sourceFilePath":"categories/malware-analysis.mdx","sourceFileName":"malware-analysis.mdx","sourceFileDir":"categories","contentType":"mdx","flattenedPath":"categories/malware-analysis"},"type":"Category","url":"/categories/malware-analysis"}]},"seriesArticles":null},"__N_SSG":true},"page":"/[slug]","query":{"slug":"dissecting-remcos-rat-part-two"},"buildId":"kahZ-cxorFKvHlgt0NoHQ","assetPrefix":"/security-labs","isFallback":false,"gsp":true,"scriptLoader":[]}</script></body></html>
