Remcos

Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. It is kept very actively up to date, with updates coming out almost every month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 26 January, 2023
Global rank: 10
Week rank: 4
Month rank: 8
IOCs: 17241

What is Remcos trojan?

Remcos is a remote access trojan, a malware used to take remote control over infected PCs. It has been operational since 2016, when it first became available for sale in underground hacker communities on the dark web.

Remcos RAT has received substantial updates throughout its lifetime. In fact, this malware is maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was listed for purchase at prices ranging from just over 60 dollars to more than 400 dollars, depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality Remcos RAT gives clients all the features necessary to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs running any Windows version, from XP onwards. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to the operator's servers.

What’s more, it comes equipped with a crypter that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which shows multiple antivirus products failing to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record the victim's keystrokes, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service for the client-server connection. With all additional services combined, purchasers gain everything they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to criminals is registered in Germany. According to the original write-up, Germany is the only European Union member state that does not allow looking up company details online, so the founders of Breaking Security have still not been identified. The website itself does not provide any information about the company or the team behind Remcos. The website's domain is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hosting organization. Clearly, the people behind Breaking Security have gone to a lot of effort to stay anonymous.

Remcos malware analysis

Remcos RAT execution and analysis can be watched in depth in a video recorded in the ANY.RUN malware hunting service. You can also research other malware families there, such as AZORult and Adwind.

Figure 1: The lifecycle of Remcos as presented by a visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN, a feature specifically developed to simplify the sharing of research results

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on analysis of the RAT, it can be spread as an executable file whose name is chosen to convince users to open it, or it can pose as a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, with the server component obfuscated. In our simulation, after Remcos made its way onto the device and began execution, it started a VBS script. The script launched a command line, which in turn dropped an executable file. This file was the main payload, and it carried out the main malicious activities: stealing information, changing the autorun value in the registry, and connecting to the C2 server.

Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although it is distributed using multiple methods, and is even bundled with mass mailer software, analysis shows that Remcos RAT usually gets onto victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt the user to activate the macros required for the execution of Remcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go to great lengths to craft custom phishing emails designed to fool their victims. Organizations known to have been targeted by Remcos attacks include news agencies and energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file, which is dropped to a pre-specified location and launched from there. This file then downloads the main payload, Remcos itself, from a control server and begins the execution process. Even though the location varies from sample to sample, it is usually one of the directories typically favoured by malware authors: %APPDATA% or %TEMP%.

How to detect Remcos using ANY.RUN?

Cybersecurity specialists can easily detect Remcos: the trojan writes its own name into the registry. Look at the registry events: click on the process and then on the More Info button. If the Registry changes tab shows a key like "HKEY_CURRENT_USER\Software\Remcos-{digits_letters}", you can be sure it’s Remcos.

Figure 4: Remcos registry changes
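The three behaviours described above (a script host spawning a command line that drops an executable into %APPDATA% or %TEMP%, an autorun value pointing at that file, and the Remcos-{digits_letters} key under HKEY_CURRENT_USER\Software) can be checked automatically once the sandbox's process and registry events are exported. The following is an added example written for this page, not code from ANY.RUN or from the Remcos authors. The event layout (type, pid, ppid, image, key, value, data fields) and all sample events are constructed for the example and do not reproduce any sandbox's real export format or a real Remcos sample; the assumption that the key suffix consists only of letters and digits follows the article's "{digits_letters}" placeholder.

```python
"""Flag Remcos-style indicators in a list of sandbox events (constructed sample data)."""
import re
from typing import Dict, List

# Constructed sample events; the field layout is an assumption for this example,
# not the export format of any particular sandbox.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1", "ppid": "0",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\invoice.vbs"'},
    {"type": "process", "pid": "2", "ppid": "1",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Roaming\svchost32.exe"'},
    {"type": "process", "pid": "3", "ppid": "2",
     "image": r"C:\Users\user\AppData\Roaming\svchost32.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\svchost32.exe"'},
    {"type": "registry", "pid": "3", "op": "create_key",
     "key": r"HKEY_CURRENT_USER\Software\Remcos-7Y2K9A1XQ4", "value": "", "data": ""},
    {"type": "registry", "pid": "3", "op": "set_value",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost32", "data": r"C:\Users\user\AppData\Roaming\svchost32.exe"},
    # Benign noise: Explorer writing a harmless key, to show the rules do not over-fire.
    {"type": "process", "pid": "9", "ppid": "0",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "registry", "pid": "9", "op": "set_value",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": "1"},
]

# The settings key the article describes: HKCU\Software\Remcos-<digits and letters>.
# Letters-and-digits-only suffix is an assumption based on the article's placeholder.
REMCOS_KEY_RE = re.compile(r"^(HKEY_CURRENT_USER|HKCU)\\Software\\Remcos-[A-Za-z0-9]+$", re.I)
# Autorun locations commonly abused for persistence.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Drop locations the article names: %APPDATA% and %TEMP%, expanded to their usual paths.
DROP_DIR_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(pid: str, procs: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Walk the parent chain of pid (excluding pid itself), guarding against cycles."""
    chain, seen = [], set()
    cur = procs.get(pid, {}).get("ppid")
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur])
        cur = procs[cur]["ppid"]
    return chain


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a list of findings, each {'rule', 'pid', 'detail'}, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "registry":
            if REMCOS_KEY_RE.match(e["key"]):
                findings.append({"rule": "remcos_settings_key", "pid": e["pid"], "detail": e["key"]})
            if (e.get("op") == "set_value" and RUN_KEY_RE.search(e["key"])
                    and DROP_DIR_RE.search(e.get("data", ""))):
                findings.append({"rule": "autorun_to_user_dir", "pid": e["pid"],
                                 "detail": e["value"] + " -> " + e["data"]})
        elif e["type"] == "process" and DROP_DIR_RE.search(e["image"]):
            # An executable in %APPDATA%/%TEMP% whose ancestry includes a script host.
            parents = {_basename(p["image"]) for p in _ancestors(e["pid"], procs)}
            if parents & SCRIPT_HOSTS:
                findings.append({"rule": "script_dropped_exe", "pid": e["pid"], "detail": e["image"]})
    return findings


def is_remcos(events: List[Dict[str, str]]) -> bool:
    """The article's decisive check: a Remcos-<id> key created under HKCU\\Software."""
    return any(f["rule"] == "remcos_settings_key" for f in analyze(events))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("[%s] pid=%s: %s" % (f["rule"], f["pid"], f["detail"]))
    print("verdict: Remcos" if is_remcos(SAMPLE_EVENTS) else "verdict: no Remcos key seen")
```

Only the registry key rule is specific enough to name the family; the other two rules describe behaviour shared by many droppers and are there to surface the infection chain for review, which is why `is_remcos` relies on the key alone.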

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the company that owns it. Accessibility and a powerful feature set have made Remcos a potent and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

IOCs

IP addresses
79.134.225.46
194.147.140.32
79.134.225.95
194.5.97.229
185.191.229.101
194.147.140.24
163.123.143.143
194.147.140.27
79.134.225.94
185.140.53.160
194.34.132.153
194.147.140.4
104.244.74.228
79.134.225.8
91.192.100.53
79.134.225.30
194.147.140.7
185.65.135.178
179.13.11.228
185.140.53.130
Hashes

Domains
vcctggqm3t.dattolocal.net
booking.msg.bluhotels.com
mkt.denodo.com
searchkn1.sima-land.ru
2.tcp.eu.ngrok.io
c16d-35-240-187-111.ngrok.io
isns.net
us-api.mimecast.com
bushremcos.duckdns.org
todspm3.duckdns.org
otravez.duckdns.org
ebubelag.warzonedns.com
microsoftoutlook.duckdns.org
ximenadominconip.con-ip.com
frederikkempe.com
majul.com
4.tcp.eu.ngrok.io
www.secure-id6793-chase.com
WindowsAuthentication324-49629.portmap.host

HAVE A LOOK AT

Adwind
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.

Agent Tesla
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

AsyncRAT
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Ave Maria
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control their victims' PCs remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Azorult
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer should not be taken lightly, as it continues to be an active threat.

Cobalt Strike
Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra. But its cracked versions are widely adopted by bad actors, who use it as the C2 system of choice for targeted attacks.
