What is Remcos?
Remcos is a remote access trojan – malware used to take remote control of infected PCs. It has been operational since 2016, when it first went on sale in underground hacker communities on the dark web.
Remcos has received substantial updates throughout its lifetime. In fact, this malware is maintained extremely actively, with new releases coming out almost every month. In April 2019 the malware could be purchased for anywhere from just over 60 dollars to over 400 dollars, depending on the selected package.
General description of Remcos
This Trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality Remcos gives clients every feature needed to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program is able to remotely control PCs running any Windows version from XP onward. It can also capture screenshots and record keystrokes on infected machines.
What’s more, Remcos comes equipped with a cryptor program which enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on their YouTube channel which demonstrates how multiple antiviruses fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns and a DynDNS service. With all additional services connected, purchasers gain all they need to create their own functioning botnets.
Remcos malware analysis
Remcos execution can be watched in-depth in a video recorded in the ANY.RUN malware hunting service.
Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN
Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of research results.
Remcos execution process
Remcos can be delivered in different forms. For instance, it can be spread as an executable file whose name is chosen to convince users to open it, or it can pose as a Microsoft Word file that exploits vulnerabilities to download and execute the main payload. In our simulation, once Remcos had infected the device and begun execution, it launched a VBS script. The script ran a command line, which in turn dropped an executable file. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry and connecting to the C2 server.
Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service
Distribution of Remcos
Although it is distributed by multiple methods, and is even provided in a bundle with mass mailer software, Remcos usually reaches victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the user to enable macros, which are required for the execution of Remcos to start.
Attackers who use this Trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Organizations that have been targeted by Remcos attacks include news agencies and energy industry-related businesses.
If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. Although the location varies from sample to sample, it is usually one of the directories typically favoured by malware authors: %APPDATA% or %TEMP%. This file then downloads the main payload, Remcos itself, from a control server and begins the execution process.
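The delivery chain described in this section (an Office document whose macro or script drops an executable into %APPDATA% or %TEMP% and launches it, possibly through an intermediate command line) can be looked for in process-creation telemetry. The Python below is an added example written for this article; it is not ANY.RUN's code or report format. The process names, paths, PIDs and the dropped file name update.exe are all constructed, and the set of parent processes and the ancestor depth are assumptions a defender would tune to their own environment.

```python
"""Added example: flag the drop-and-launch chain described above in
process-creation telemetry. An Office application or Windows script host
(possibly via an intermediate cmd.exe) starts an executable that lives under
%APPDATA% or %TEMP%. All events below are constructed for the example."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parent processes that should rarely launch fresh binaries from user-writable dirs
# (assumed list; extend for your environment).
OFFICE_AND_SCRIPT_HOSTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe",
}

# Expanded forms of %APPDATA% (Roaming) and %TEMP% (Local\Temp) under a user profile.
DROP_DIRS = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE
)

# How many ancestors to walk up (Office -> wscript -> cmd -> dropped exe is 3 hops).
MAX_DEPTH = 4


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full path of the started process


def in_drop_dir(image: str) -> bool:
    """True if the image is an .exe sitting directly under %APPDATA% or %TEMP%."""
    return bool(DROP_DIRS.match(image)) and image.lower().endswith(".exe")


def suspicious_chains(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (triggering ancestor image, dropped executable image) pairs.

    For every executable started from a drop directory, walk up to MAX_DEPTH
    ancestors; if one of them is an Office app or script host, report it.
    """
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, str]] = []
    for e in events:
        if not in_drop_dir(e.image):
            continue
        parent: Optional[ProcessEvent] = by_pid.get(e.ppid)
        depth = 0
        while parent is not None and depth < MAX_DEPTH:
            if ntpath.basename(parent.image).lower() in OFFICE_AND_SCRIPT_HOSTS:
                hits.append((parent.image, e.image))
                break
            parent = by_pid.get(parent.ppid)
            depth += 1
    return hits


def demo_events() -> List[ProcessEvent]:
    """Constructed telemetry: one macro-driven drop chain plus benign noise."""
    return [
        ProcessEvent(1, 0, r"C:\Windows\explorer.exe"),
        ProcessEvent(2, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
        ProcessEvent(3, 2, r"C:\Windows\System32\wscript.exe"),
        ProcessEvent(4, 3, r"C:\Windows\System32\cmd.exe"),
        # Constructed dropped-binary name and path, not a real Remcos artifact.
        ProcessEvent(5, 4, r"C:\Users\alice\AppData\Roaming\update.exe"),
        # Benign: the user launched an installer from Temp via Explorer.
        ProcessEvent(6, 1, r"C:\Users\alice\AppData\Local\Temp\setup_tool.exe"),
        ProcessEvent(7, 1, r"C:\Windows\System32\notepad.exe"),
    ]


if __name__ == "__main__":
    for parent_image, child_image in suspicious_chains(demo_events()):
        print(f"suspicious: {parent_image} -> {child_image}")
```

Only the chain rooted in WINWORD.EXE is reported; the installer started from Explorer out of the same Temp directory is not, because the rule keys on the ancestor rather than on the drop location alone. Real telemetry (Sysmon event 1, EDR process-start records) carries the same three fields, so the matching logic transfers directly.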
How to detect Remcos using ANY.RUN?
Since Remcos creates its log files without encryption, analysts can simply read them. Open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the logs.dat file. If you see strings like those in the illustration below, you can be sure it is Remcos.
Figure 4: Remcos log file
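The same observation, that the log is written unencrypted, can be used when triaging a disk image or a live host outside the sandbox. The Python below is an added example for this article, not ANY.RUN's code: it walks a directory tree, picks out files named logs.dat (the name given above) and reports those whose contents read as plain text rather than as an encrypted or binary blob. The directory layout, the log text and the 95% printable-byte threshold are constructed assumptions; the actual marker strings to confirm a hit are the ones shown in Figure 4.

```python
"""Added example: triage a directory tree for plaintext logs.dat files.
The post notes that Remcos writes its logs unencrypted; this scans for files
of that name and reports the ones that read as plain text rather than as an
encrypted or binary blob. Directory layout and file contents are constructed."""
import os
import tempfile
from typing import List

LOG_NAME = "logs.dat"
SAMPLE_BYTES = 4096  # only the head of each file is inspected


def looks_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """True if nearly every byte is printable ASCII or tab/CR/LF."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def find_plaintext_logs(root: str) -> List[str]:
    """Walk root and return paths of logs.dat files whose head is plain text."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != LOG_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or unreadable: skip it, don't abort the sweep
            if looks_plaintext(head):
                hits.append(path)
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a constructed profile-like tree: one readable log, one binary decoy."""
    root = tempfile.mkdtemp(prefix="logsdat_demo_")
    readable = os.path.join(root, "Roaming", "demo_a")
    os.makedirs(readable)
    with open(os.path.join(readable, LOG_NAME), "w", encoding="ascii") as fh:
        # Constructed keystroke-log content, not a real Remcos log.
        fh.write("[Notepad window]\r\nhello world\r\n")
    binary = os.path.join(root, "Roaming", "demo_b")
    os.makedirs(binary)
    with open(os.path.join(binary, LOG_NAME), "wb") as fh:
        fh.write(bytes(range(256)) * 2)  # deterministic non-text blob
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in find_plaintext_logs(demo_root):
        print("plaintext log found:", hit)
```

Run it against a user profile or a mounted image root instead of the demo tree; any logs.dat it reports is then opened and compared against the strings in Figure 4 before it is called a Remcos artifact.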
Remcos is a dangerous trojan available to attackers at a relatively low price. Despite its accessibility, it comes equipped with robust enough features to let attackers set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and a powerful feature set have made Remcos a powerful and dangerous trojan.
Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.