Remcos

Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. The malware is kept up to date extremely actively, with updates coming out almost every month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 2 August, 2021
Global rank: 9
Week rank: 7
Month rank: 8
IOCs: 7545

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This Trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all the features necessary to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs running any Windows version from XP onward. It can also capture screenshots and record keystrokes on infected machines.

What’s more, it comes equipped with a crypter that helps the malware stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel demonstrating how multiple antivirus products fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record the victim's keystrokes, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service. With all the additional services connected, purchasers gain everything they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to criminals is registered in Germany. Germany is the only European Union member state that does not allow looking up company details online; therefore the founders of Breaking Security have still not been identified. The website itself does not provide any information about the company or the team behind Remcos. The website's domain name is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hosting organization. Clearly, the people behind Breaking Security have gone to a lot of effort to stay anonymous.

Remcos malware analysis

Remcos RAT execution can be watched in depth in a video recorded in the ANY.RUN malware hunting service.

Figure 1: Lifecycle of Remcos as presented by a visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN, a feature developed specifically to simplify the sharing of research results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. For instance, it can be spread as an executable file whose name is chosen to convince users to open it, or it can pretend to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload. In our simulation, after Remcos made its way onto the device and began the execution process, it started execution of a VBS script. The script ran the command line, which in turn dropped an executable file. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry, and connecting to the C2 server.

Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although it is distributed using multiple methods, and is sold in a bundle with mass mailer software, Remcos RAT usually gets onto victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the users to enable the macros required for the execution of Remcos to start.

Attackers who utilize this Trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Organizations known to have become targets of Remcos attacks include news agencies and energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file, which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, Remcos itself, from a control server and begins the execution process. Even though the location can vary from sample to sample, it is usually one of the following locations typical for malware creators: %APPDATA% and %TEMP%.
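The execution chain described above (Office document, VBS script, command line, executable dropped under %APPDATA% or %TEMP%) is easy to express as a detection over process-creation telemetry. The following is an added example and not code from ANY.RUN or from this page: it walks Sysmon-style process-creation events (constructed sample data with hypothetical pids, paths and file names) and flags any executable launched from the user's AppData or Temp tree that has an Office application somewhere in its ancestry, noting whether a script host or shell sat in between.

```python
import ntpath

# Constructed Sysmon-style process-creation events; pids, paths and the
# dropped file name are hypothetical and not taken from the page.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Roaming\svc\svchost.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    # An installer run by the user from Temp: no Office ancestor, so it must not be flagged.
    {"pid": 600, "ppid": 500, "image": r"C:\Users\victim\AppData\Local\Temp\setup_update.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# On a default Windows install %APPDATA% and %TEMP% resolve to these user-profile subtrees.
DROP_DIR_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def launched_from_drop_dir(path):
    p = path.lower()
    return p.endswith(".exe") and any(marker in p for marker in DROP_DIR_MARKERS)


def ancestry(pid, by_pid):
    """Image names from the oldest known ancestor down to pid itself."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return [image_name(e["image"]) for e in reversed(chain)]


def find_dropper_chains(events):
    """Flag executables started from %APPDATA%/%TEMP% whose ancestry contains an Office app."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not launched_from_drop_dir(e["image"]):
            continue
        chain = ancestry(e["pid"], by_pid)
        ancestors = chain[:-1]
        if any(a in OFFICE_APPS for a in ancestors):
            hits.append({
                "pid": e["pid"],
                "chain": chain,
                "via_script_host": any(a in SCRIPT_HOSTS for a in ancestors),
            })
    return hits


if __name__ == "__main__":
    for hit in find_dropper_chains(SAMPLE_EVENTS):
        print(hit["pid"], " -> ".join(hit["chain"]), "script host:", hit["via_script_host"])
```

The check deliberately keys on ancestry rather than on the dropped file's name, since the name varies between samples; in production the event source would be your EDR or Sysmon Event ID 1 feed rather than the constructed list.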

How to detect Remcos using ANY.RUN?

Since the Remcos trojan creates its log files without encryption, analysts can read them directly. Open either the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the logs.dat file. If you see strings like those in the illustration below, you can be sure it is Remcos.

Figure 4: Remcos log file

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with robust enough features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and a powerful feature set have helped make Remcos a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

IOCs

IP addresses
3.134.39.220
185.244.30.76
192.169.69.26
3.131.147.49
3.22.15.135
3.138.180.119
79.134.225.77
52.14.18.129
3.138.45.170
3.141.177.1
3.22.53.161
193.161.193.99
194.5.98.3
3.136.65.236
3.134.125.175
79.134.225.44
3.142.129.56
82.202.167.229
185.204.1.236
3.14.182.203
Domains
majul.com
WindowsAuthentication324-49629.portmap.host
isns.net
arttronova12.duckdns.org
elumadns.eluma101.com
4.tcp.ngrok.io
amechi.duckdns.org
mygodissogoodtome.ddns.net
volodymyr.gotdns.ch
blessingfollowme.myddns.me
ijomsdavis1.ddns.net
grafeulheart.ddns.net
888rats.duckdns.org
gratefulheart.ddns.net
prayersanswered.hopto.org
sandra.myddns.me
britianica.uk.com
ubananocore.ddns.net
bccd.duckdns.org
2.tcp.ngrok.io
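The IP addresses and domains listed above are most useful when they are matched against your own DNS, firewall and proxy logs. The following is an added example, not code from ANY.RUN or from the page: it loads the indicators listed above into sets, then scans log lines for exact IP hits and for hostnames that equal, or are subdomains of, a listed domain. The log lines are constructed for the demonstration; the indicator values themselves are copied from the lists on this page.

```python
import re

# Indicators copied from the IOC lists above.
REMCOS_IPS = {
    "3.134.39.220", "185.244.30.76", "192.169.69.26", "3.131.147.49", "3.22.15.135",
    "3.138.180.119", "79.134.225.77", "52.14.18.129", "3.138.45.170", "3.141.177.1",
    "3.22.53.161", "193.161.193.99", "194.5.98.3", "3.136.65.236", "3.134.125.175",
    "79.134.225.44", "3.142.129.56", "82.202.167.229", "185.204.1.236", "3.14.182.203",
}
REMCOS_DOMAINS = {
    "majul.com", "windowsauthentication324-49629.portmap.host", "isns.net",
    "arttronova12.duckdns.org", "elumadns.eluma101.com", "4.tcp.ngrok.io",
    "amechi.duckdns.org", "mygodissogoodtome.ddns.net", "volodymyr.gotdns.ch",
    "blessingfollowme.myddns.me", "ijomsdavis1.ddns.net", "grafeulheart.ddns.net",
    "888rats.duckdns.org", "gratefulheart.ddns.net", "prayersanswered.hopto.org",
    "sandra.myddns.me", "britianica.uk.com", "ubananocore.ddns.net",
    "bccd.duckdns.org", "2.tcp.ngrok.io",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so dotted IPs are not captured here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed log lines (syslog-like DNS, firewall and proxy records), not from the page.
SAMPLE_LOG = [
    "2021-08-02T10:15:01Z dns client=10.0.0.5 qname=amechi.duckdns.org qtype=A",
    "2021-08-02T10:15:02Z fw allow src=10.0.0.5 dst=185.244.30.76 dport=8080 proto=tcp",
    "2021-08-02T10:16:30Z dns client=10.0.0.7 qname=www.example.com qtype=A",
    "2021-08-02T10:17:00Z proxy GET http://update.gratefulheart.ddns.net/ client=10.0.0.9",
    "2021-08-02T10:18:00Z fw allow src=10.0.0.5 dst=8.8.8.8 dport=53 proto=udp",
]


def domain_match(host, iocs=REMCOS_DOMAINS):
    """Return the listed domain that host equals or sits under, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(lines, ips=REMCOS_IPS, domains=REMCOS_DOMAINS):
    """Return (line_number, kind, indicator) for each IOC hit; numbering starts at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()                          # report each indicator once per line
        for ip in IPV4_RE.findall(line):
            if ip in ips and ("ip", ip) not in seen:
                seen.add(("ip", ip))
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            ioc = domain_match(host, domains)
            if ioc and ("domain", ioc) not in seen:
                seen.add(("domain", ioc))
                hits.append((n, "domain", ioc))
    return hits


if __name__ == "__main__":
    for n, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {indicator}")
```

A hit is a lead, not a verdict: several entries are shared infrastructure (the ngrok tunnel endpoints and the dynamic DNS providers serve many unrelated customers), and the list reflects activity up to the "last seen" date on this page, so correlate a match with the host's process activity before blocking.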
