Remcos

Remcos is a RAT type malware, which means that attackers use it to perform actions on infected machines remotely. This malware is kept up to date extremely actively, with updates coming out almost every single month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 17 January, 2020
Global rank: 11
Week rank: 13
Month rank: 13
IOCs: 1566

What is Remcos?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019 the malware was available for purchase at prices ranging from just over 60 dollars to over 400 dollars, depending on the selected package.

General description of Remcos

This Trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program is able to remotely control PCs with any Windows OS including XP and newer. It can also capture screenshots and record keystrokes on infected machines.

What’s more, Remcos comes equipped with a cryptor program which enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on their YouTube channel which demonstrates how multiple antiviruses fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns and a DynDNS service. With all additional services connected, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only European Union member that does not allow company details to be looked up online, therefore the founders of Breaking Security are still not identified. The website itself does not provide any information about the company or about the team behind Remcos. The domain name of the website is hosted on Cloudflare and all information related to it is protected by the privacy policy of the hosting organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Remcos malware analysis

Remcos execution can be watched in-depth in a video recorded in the ANY.RUN malware hunting service.

Figure 1: The lifecycle of Remcos as presented by a visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of research results.

Remcos execution process

The Remcos trojan can be delivered in different forms. For instance, it can be spread as an executable file with a name chosen to convince users to open it, or it can pose as a Microsoft Word file which exploits vulnerabilities to download and execute the main payload. In our simulation, after Remcos made its way onto the device and began execution, it launched a VBS script. The script ran a command line and dropped an executable file. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry and connecting to the C2 server.

Figure 3: Execution process tree of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although it is distributed using multiple methods, and is provided in a bundle with mass mailer software, Remcos usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the users to activate macros, which are required for the execution of Remcos to start.

Attackers who utilize this Trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Organizations that are known to have become targets of Remcos attacks include news agencies and energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. Even though the location can vary from sample to sample, it is usually one of the directories typical for malware creators: %APPDATA% or %TEMP%. This file then downloads the main payload, Remcos itself, from a control server and begins the execution process.
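As an added illustration (not part of the original article or of ANY.RUN's tooling), the Python below turns the delivery chain described above into a simple detection rule over constructed process, registry and network events: an Office process spawning a script host, which launches an executable dropped under %APPDATA% or %TEMP% that then writes a Run key and connects outbound. The event format, file paths, key names and addresses are all constructed for this example.

```python
import re

# Constructed sample telemetry for this example, one event per line:
# "<pid> <ppid or -> <event kind> <detail>"
SAMPLE_EVENTS = [
    "100 1 process C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "200 100 process C:\\Windows\\System32\\wscript.exe C:\\Users\\v\\invoice.vbs",
    "300 200 process C:\\Users\\v\\AppData\\Roaming\\svchost32.exe",
    "300 - registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
    "300 - network 203.0.113.10:2404",
    "400 1 process C:\\Windows\\explorer.exe",
    "500 400 process C:\\Users\\v\\AppData\\Local\\Temp\\setup.exe",  # benign: not from a script host
    "500 - network 198.51.100.7:443",
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe", re.I)
USER_DROP_DIR = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)  # %APPDATA% / %TEMP%
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def parse(lines):
    """Return procs (pid -> (ppid, image)) and events (pid -> [(kind, detail)])."""
    procs, events = {}, {}
    for line in lines:
        pid, ppid, kind, detail = line.split(" ", 3)
        if kind == "process":
            procs[pid] = (ppid, detail)
        events.setdefault(pid, []).append((kind, detail))
    return procs, events

def ancestors(procs, pid):
    """Yield the image paths of pid's parent, grandparent, ... while they are known."""
    ppid = procs[pid][0]
    while ppid in procs:
        yield procs[ppid][1]
        ppid = procs[ppid][0]

def detect_remcos_chain(lines):
    """Return pids of executables under %APPDATA%/%TEMP% that were spawned by a
    script host descending from Office, then set a Run key and connected out."""
    procs, events = parse(lines)
    hits = []
    for pid, (_, image) in procs.items():
        if not USER_DROP_DIR.search(image):
            continue
        chain = list(ancestors(procs, pid))
        spawned_by_script = bool(chain) and SCRIPT_HOST.search(chain[0]) is not None
        office_origin = any(OFFICE.search(a) for a in chain)
        persisted = any(k == "registry" and RUN_KEY.search(d) for k, d in events[pid])
        beaconed = any(k == "network" for k, _ in events[pid])
        if spawned_by_script and office_origin and persisted and beaconed:
            hits.append(pid)
    return hits
```

On the constructed sample only pid 300 is reported; the Temp executable started from explorer.exe (pid 500) makes an outbound connection but lacks the script-host and Run-key stages, so it is not flagged.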

How to detect Remcos using ANY.RUN?

Since the Remcos trojan creates its log files without encryption, analysts can take a look at them. Open either the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the logs.dat file. If you see strings like those in the illustration below, you can be sure it is Remcos.

Figure 4: Remcos log file

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively inexpensive price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates that are released nearly every month by the owner company. Accessibility and a powerful feature set have helped to make Remcos a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

IOCs

