Remcos Config - Using RC4 to Get Command & Control from CyberChef


Contents (3 segments)

Segment 1 (00:00 - 05:00)

Hey YouTube, cybercdh here, hope you're doing really good. Today's video is all about Remcos. We're going to take a super quick look at a Remcos infection chain; it's pretty convoluted but pretty straightforward to analyze. But really what I want to do is show you a cool trick that you can use to super quickly extract the key indicator of compromise from Remcos, which is the network indicator of the bad guy who's going to receive all of your stolen data. We've got lots to get through, so let's dive right into this one.

Okay, so we start live in the VBA window here, and we'll just fly through the macro code and all of the infection chain, because really what I want to concentrate on in this video is how to extract the config of Remcos itself and get you the C2 of the bad guy that's going to be receiving all of the stolen and harvested data from the endpoint. But just to give you a kind of flavor for the infection chain, we'll just quickly go through what kind of attack scenario you will see. So here's the VBA window here, all of the macros. What I tend to do is strip them out and just tidy it up a little bit in Sublime Text; I find it a little bit easier to read. And so we've got Workbook_Activate, and that's obviously going to execute when the macros are activated, and so we can see that the output of TextBox1.txt is going to be stored in this variable, which gets fed into a routine here, this "our girl" routine. There's a couple of things that go on here. Firstly there's a call to GetObject, and the input to that is the output from this shd function defined down here, and we can see that takes a big long string and reverses it using this function, this private function here, this httpjcimvnc. All of this code looks pretty meaty, but actually it's just a string reverser. So if we take this string, put it into CyberChef, we can simply reverse it, and we get this string here at the bottom, and if we do a quick Google we can see that this equates to a COM object. So you can see this class ID here for the COM object for WSH, which is the Windows Script Host, and so that enables the .Run instruction as part of the Windows Script Host, and it will run the PowerShell that we'll just see in a minute.

So go back here, we can see we want to find out what it's going to run on the host, which is going to be Sheets(1), and it's going to execute the contents of TextBox1.txt. A couple of ways here: you can see I've disarmed the malware by commenting out this code, set the value of TextBox1.txt to visible because it's hidden on the actual worksheet, and also we can Debug.Print that as well. This is what it looks like in the Debug.Print window: we can see it's reversed, we can see the actual text box that's hidden with all of this weird and wonderful encoded data that looks like binary. So let's strip it out. I'm going to use CyberChef for that; we'll just use the string reverse routine in CyberChef so we get all of the decoded content. We want to just strip out the binary stuff of interest, we'll just take it From Binary, comma delimiter, and we just tidy it up a little bit, and we can see we get a nice bit of PowerShell, and we get ourselves a nice little C2 indicator as well, which is just going to download content from this remote location and invoke it from the AppData folder as notepads.js.

So we can see here, if we hit that C2, here is the data, and it's all more encoded binary stuff, but a little bit of tidying up to do. Copy all of that stuff out into Sublime Text as well; again there's the weird encoded binary stuff that we just need to tidy up, and it just gives a little bit of persistence and a few other little bits and bobs that go on in the actual code. Nothing too interesting about this though, but what we want to do is strip out all of that binary stuff. Very simple, like we did before, but we just want to replace the caret symbol with the 1, which is what the code tells us to do. That gives us the binary; we can then just take it From Binary, do the tidying up, and again it gives us a little bit more code to read. In this case it's PowerShell again, and it just does a ping to Google and then it tries to bypass AMSI logging for PowerShell, and then pulls content from a remote location again. In this particular case it's attack.jpg, and then it splits it on the percent symbol, and then it's going to execute that; it's going to Invoke-Expression, iex, at the end. So here is the content of that remote location. We need to split this on the percent symbol; we can do that again in CyberChef, so just feed it, split on percent, and we take it from its hexadecimal character code, and we can see we get yet more PowerShell. Put this into Sublime Text again to make it a bit more readable. You can see at the top here we get a variable, sd4sd000, set to these character codes, and what you'll find, something worth remembering: 73 69 88, that equates to the string "iex", which is Invoke-Expression for PowerShell. And we can see here there's a Set-Alias for iex, and so any time you see y0df5 called, that's actually going to be an alias for iex, and we can see that down here we get something that's piped to iex using that particular alias. So a few things that stick out at me: we've got some weird variables which look like they're just... we have some string replacement going on, so super easy to decode all that kind of stuff. But the ones I'm really interested in are this weird string here, and also this wxb string and this mvla string. And so the wbxb1 starts with 4d5a, so we can see that this is probably some kind of executable

Segment 2 (05:00 - 10:00)

content, and then the nvla string, well, we've got a little bit of work to do to find out what this is all about, but this will actually turn out to be the Remcos binary that we're interested in. We can see something at the bottom as well: we can see a call to waves. We don't know what waves is just yet, but we can see there's a call to a particular method here, this y78hj routine. It takes two parameters, notepad.exe and mvla2, which is the output of mvla, which is our weird string. We don't know what it is just yet, but it goes through this routine, which basically converts it all from hexadecimal once it's been tidied up of these string replacements. So I've flown through that, obviously, but it is super simple to go through and work your way through. When you do that, I'm going to strip out the first one first, so this is the 4d5a particular string. Stick this into CyberChef, do the simple find and replace on the chevron, replace that with zero, and we get ourselves a nice executable content. We can pop that into Windows, we can see the first thing here, it's written in C# in .NET, so we can use something like dnSpy to reverse engineer this. It's a DLL, and also we get the compiler timestamps as well, which is super nice.

So secondly, what we want to do is just double check here, right? So we've got this waves routine, it's going to get passed mvla2 and pass it notepad as well to this particular location. Well, what is that all about? We really want to focus on this mvla parameter, and what is this big long crazy string? Well, we can see if we go into the DLL, so the one that we've just written, this 4d5a. If we go into the DLL, we can find the routine of interest here, this y78. It takes a string rt, it takes the byte buffer ffdf, whatever, but it decompresses it. So we know that big long weird and wonderful string that gets passed to it is decompressed with GZip, and so that's what we need to replicate ourselves. We can do that using CyberChef: just pump it into CyberChef, do the simple find and replace there, take it From Hex and then Gunzip it, and we get again the executable content, which is Remcos. Stick this into PE Studio, you can see it's Visual C++, so we can't use dnSpy. We can see this is pretty recently compiled, and if you run strings on this particular binary, there we go, we can see that it is in fact Remcos; it gives it away, it doesn't really hide itself. And it's super easy to analyze this in a debugger as well, but what we're interested in now is dumping the config from Remcos, because Remcos is a remote access tool. It can keystroke, it can compromise data on the underlying system, but it's going to pipe that back to the bad guys over the internet, and really what we want to do is find out if we can quickly and easily grab what that C2 location would be, so we know who the bad guy is without actually running the code. And there's a trick that you can use to actually dump this config out super easily, which is what I'm going to show you next.

Okay, so now we've got the Remcos binary itself. We can stick this in a debugger, we can poke around it to our heart's content, no problem, it is pretty straightforward to analyze. But what we really want to do is extract the key indicator of compromise, which is the network indicator, the C2 of the bad guy that's going to receive all of our stolen data. Well, you'll notice that in PE Studio, I really like the fact that it draws your attention using colors here; we can see that in the resources we've got something that is unknown. We have a resource with the name of SETTINGS, and it's fairly substantial in size, and so what we want to do is actually dump this out and poke around it. This is the encrypted config of Remcos itself. So what we can do is just dump raw, we can save this, and we'll just save it as res.bin in our Downloads folder here. I'm going to open this up in a text editor and we can see what is going on. Well, it's just a bunch of encrypted content, a load of gobbledygook, doesn't make any sense to us. This is RC4 encoded. If you looked in the binary itself you'd be able to see that there is an RC4 decoding routine that this goes through; it's fairly straightforward to pick up and analyze. But one thing to note about RC4: firstly, the code needs to know what the key is in order to decrypt it. The actual key itself is not hard coded in the binary, it's hard coded in this data, and that's the little trick that we need to know. But how long is the key? It could be a few bytes, it could be many bytes, and in this particular case the code needs to know the same thing as well, and the way that it does that, it looks at the first byte for the key length. So the first byte in this config is the actual length of the key, so this is C1 bytes long, which is obviously hexadecimal for 193. So it's 193 bytes long in this particular key, and so what we need to do is take C1, so we've got C1 as the length, so the next 193 bytes, which is going to be about... there we go, so we can see the length in the bottom here says C1, so it matches that first byte. That is the key, the RC4 passphrase for the rest of the content, to decrypt it. So what we can do is just Ctrl+C that, we're going to stick this into CyberChef, we'll use a passphrase here, change this to hexadecimal input. I'm also going to change the input format of the bytes, so we're going to feed it as hexadecimal as well, and what we can do there, get rid of all of this because that is just stuff to do with the key, copy the rest of the data, stick this into CyberChef, and now we can see, there you go, is the decrypted content of the config itself. And the first thing in that config

Segment 3 (10:00 - 11:00)

is the C2 that's going to receive all of the stolen data. In this case it's server. kill whenever you swan. xyz, port 1168, and you can see some other artifacts as well. So that is how you dump the config from Remcos and decode it, and no matter what the length of the key is, you'll always be able to find what the key is by using the first byte as the length of the key, taking the next lot of bytes, whatever that length may be, using that as the input to RC4 as the key, and then the rest of the code will be decrypted nice and easily for you without any hassle whatsoever. Super easy to do. Hopefully that's of use to you. Okay, thanks very much for checking out this video, YouTube. I really do appreciate your questions, your comments, your likes as well. If you do like the video please give it the thumbs up, if you want to see more content please subscribe. Also you can check me out on Twitter as well, @cybercdh. I look forward to seeing you there. Take it easy, keep well, until next time.
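The key-length-byte trick the video walks through in CyberChef, as an added Python example that is not the author's code: the first byte of the dumped SETTINGS resource gives the RC4 key length, the next N bytes are the key, and the remainder is the RC4-encrypted config. The DEMO_* key, config and blob are constructed for the demo (a 0xC1-byte key like the video's sample) and contain no real C2.

```python
# Added example, not code from the video: decode a Remcos SETTINGS resource blob
# the way the video does it in CyberChef. Layout as described in the video:
# byte 0 = RC4 key length N, bytes 1..N = RC4 key, the rest = RC4-encrypted config.
# DEMO_* values below are constructed for the demo and contain no real key or C2.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                        # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def split_settings(blob: bytes) -> tuple[bytes, bytes]:
    """Return (key, ciphertext): the first byte gives the key length."""
    if not blob:
        raise ValueError("empty SETTINGS resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError(f"key length {key_len} does not fit a {len(blob)}-byte blob")
    return blob[1:1 + key_len], blob[1 + key_len:]

def decrypt_settings(blob: bytes) -> bytes:
    """Recover the plaintext config from a SETTINGS blob."""
    key, ciphertext = split_settings(blob)
    return rc4(key, ciphertext)

def leading_printable(data: bytes) -> str:
    """First run of printable ASCII; in the video's sample that is the C2 host:port."""
    end = 0
    while end < len(data) and 0x20 <= data[end] < 0x7F:
        end += 1
    return data[:end].decode("ascii")

# Constructed sample: a 0xC1 (193) byte key, as in the video, then RC4(config).
DEMO_KEY = bytes(range(0x10, 0x10 + 0xC1))
DEMO_CONFIG = b"c2.example.invalid:1168|\x00\x01demo-fields\x00"
DEMO_BLOB = bytes([len(DEMO_KEY)]) + DEMO_KEY + rc4(DEMO_KEY, DEMO_CONFIG)
```

Running `leading_printable(decrypt_settings(DEMO_BLOB))` returns the constructed C2 field; on a real res.bin, read the file as bytes and pass it to `decrypt_settings`.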
