Remcos

Remcos is a RAT-type malware, which means that attackers use it to perform actions on infected machines remotely. This malware is kept up to date extremely actively, with updates coming out almost every month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 30 September, 2020
Global rank: 11
Week rank: 6
Month rank: 8
IOCs: 4439

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates through its lifetime. In fact, this malware is being maintained extremely actively with new releases coming out almost every month. In April 2019 the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This Trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program is able to remotely control PCs with any Windows OS including XP and newer. It can also capture screenshots and record keystrokes on infected machines.

What’s more, it comes equipped with a cryptor program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates how multiple antiviruses fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns and a DynDNS service. With all additional services connected, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to criminals is registered in Germany. Germany is the only European Union member state that does not allow company details to be looked up online, so the founders of Breaking Security have still not been identified. The website itself does not provide any information about the company or about the team behind Remcos. The domain name of the website is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hosting organization. Clearly, the people behind Breaking Security have gone to a lot of effort to stay anonymous.

Remcos malware analysis

Remcos RAT execution can be watched in-depth in a video recorded in the ANY.RUN malware hunting service.

Figure 1: The lifecycle of Remcos as presented by a visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN, a feature specifically developed to simplify the sharing of research results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. For instance, it can be spread as an executable file whose name is meant to convince users to open it, or it can pretend to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload. In our simulation, after Remcos made its way onto the device and began the execution process, it started VBS script execution. The script ran a command line and proceeded to drop an executable file from it. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry and connecting to the C2 server.

Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although it is distributed using multiple methods, and is provided in a bundle with mass mailer software, Remcos RAT usually gets into victims' machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the users to activate macros, which are required for the execution of Remcos to start.

Attackers who utilize this Trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to have become targets of Remcos attacks include news agencies and energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file, which is then dropped to a pre-specified location and launched from there. Even though the location can vary from sample to sample, it is usually one of the following directories, typical for malware creators: %APPDATA% and %TEMP%. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begins the execution process.
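The delivery chain described in the execution-process section and in this one (a document or script host spawning a command line, an executable dropped to %APPDATA% or %TEMP%, and a Run-key change for persistence) can be turned into a process-tree heuristic for endpoint telemetry. The following is an added example, not code from ANY.RUN or from the original page; the event records and their field names (image, parent_image, command_line, registry_key) are constructed assumptions about what an EDR or Sysmon-style feed would provide.

```python
"""Heuristic for the Remcos delivery chain: a document or Windows Script Host
process launches a shell, the shell starts an executable from %APPDATA% or
%TEMP%, and that executable writes an autorun Run key.
Event records and field names are constructed for illustration (assumption)."""
import os
import re

# First-stage hosts the page names: Word macros and VBS scripts.
DOCUMENT_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Drop directories the page names as typical for the reconstructed first stage.
SUSPICIOUS_DROP_DIRS = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)

# Standard Windows autorun locations (Run / RunOnce).
RUN_KEYS = re.compile(r"\\currentversion\\run(once)?\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (works with both slash styles)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_suspicious_chain(events):
    """Return (finding, pid) tuples for process-create and registry events.

    events: dicts with 'type' ('process' or 'registry'), 'pid', and for
    processes 'ppid', 'image', 'parent_image'; for registry 'registry_key'.
    """
    findings = []
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "process":
            parent = basename(e.get("parent_image", ""))
            image = basename(e["image"])
            # Stage 1: document or script host spawning a shell.
            if parent in DOCUMENT_AND_SCRIPT_HOSTS and image in SHELLS:
                findings.append(("script_host_spawns_shell", e["pid"]))
            # Stage 2: executable in a drop directory descended from such a shell.
            if SUSPICIOUS_DROP_DIRS.search(e["image"]):
                ancestor = by_pid.get(e["ppid"])
                while ancestor is not None:
                    if (basename(ancestor["image"]) in SHELLS
                            and basename(ancestor.get("parent_image", "")) in DOCUMENT_AND_SCRIPT_HOSTS):
                        findings.append(("dropped_executable_from_script_chain", e["pid"]))
                        break
                    ancestor = by_pid.get(ancestor["ppid"])
        elif e["type"] == "registry":
            # Stage 3: autorun persistence written by a process living in a drop directory.
            writer = by_pid.get(e["pid"])
            if RUN_KEYS.search(e["registry_key"]) and writer and SUSPICIOUS_DROP_DIRS.search(writer["image"]):
                findings.append(("run_key_set_by_dropped_executable", e["pid"]))
    return findings


# Constructed sample events (not taken from the page's analysis report).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "parent_image": ""},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "wscript.exe invoice.vbs"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": r"cmd.exe /c start %TEMP%\svchosts.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\svchosts.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "svchosts.exe"},
    {"type": "registry", "pid": 400, "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"},
    # Benign: the user opens Notepad from Explorer; must not be flagged.
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for finding, pid in find_suspicious_chain(SAMPLE_EVENTS):
        print(f"{finding}: pid {pid}")
```

Each stage is reported separately so that a partial chain (for example a macro spawning a shell that never drops anything) still surfaces for triage; the three findings together on one host are the strong signal.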

How to detect Remcos using ANY.RUN?

Since Remcos trojan creates log files without encryption, analysts can take a look at them. Open either the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the logs.dat file. If you see strings like those in the illustration below, you can be sure it is Remcos.

Figure 4: Remcos log file

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively inexpensive price. Despite its accessibility, it comes equipped with robust enough features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates that are released nearly every month by the owner company. Accessibility and a powerful feature set have helped make Remcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

IOCs

IP addresses
79.134.225.83
192.169.69.25
193.161.193.99
79.134.225.95
79.134.225.70
88.198.205.179
179.14.171.7
79.134.225.11
186.145.214.199
185.140.53.132
185.165.153.202
79.134.225.35
185.165.153.39
174.127.99.209
79.134.225.8
79.134.225.88
79.134.225.100
45.56.113.222
79.134.225.105
216.38.7.231
Hashes

Domains
majul.com
incidencias6645.ddns.net
elx01.knas.systems
dnsduck4.duckdns.org
duckdns6.duckdns.org
zerofiletransferfromhosttopcfromtheinter.duckdns.org
systemverysecurefiletransferwithcloud.duckdns.org
www.yhdsd.duckdns.org
diegomendoza.duckdns.org
kinholima.duckdns.org
dominoduck2096.duckdns.org
pri0912.duckdns.org
peroteclave.duckdns.org
bitcoingglobalbusinessindustrypricegoodf.duckdns.org
workfineanotherrainstdybowlomoyent32mrw.duckdns.org
wwwmicrosoftwindowsfirewallsecuritydotco.duckdns.org
iphanyi.duckdns.org
larodrigues91.duckdns.org
sytemforinternationalfiletransferprotoco.duckdns.org
newrainfallfloodinghighongloballythsitim.duckdns.org
