Remcos

Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.

Type
Trojan
Origin
ex-USSR territory
First seen
1 June, 2016
Last seen
21 May, 2022
Global rank
9
Week rank
8
Month rank
9
IOCs
15821

What is Remcos trojan?

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out almost every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.

General description of Remcos trojan

This trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality, Remcos RAT gives clients all necessary features to launch potentially destructive attacks. The malware can be purchased with different cryptocurrencies. The program can remotely control PCs with any Windows OS, including XP and newer. It can also capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.

What’s more, it comes equipped with a crypto program that enables the malware to stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel which demonstrates the analysis of how multiple antiviruses fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger that can be used to remotely record keystrokes of the victim, a mass mailer program that can be used to carry out distribution campaigns, and a DynDNS service with a client-server connection. With all additional services combined, purchasers gain all they need to create their own functioning botnets.

The company responsible for selling Remcos RAT to the criminals is registered in Germany. Germany is the only country out of all European Union members that do not allow looking up company details online. Therefore founders of Breaking Security are still not identified. The website itself does not provide any information about the company or the team behind Remcos. The domain name of the website itself is hosted on Cloudflare, and all information related to it is protected by the privacy policy of the hoster organization. Clearly, the people behind Breaking Security have taken a lot of effort to stay anonymous.

Remcos malware analysis

Remcos RAT execution and analysis can be watched in-depth in a video recorded in the ANY.RUN malware hunting service. Moreover, you can also research other malicious families there such as AZORult and Adwind.

process graph of the Remcos execution Figure 1: Displays the lifecycle of Remcos as presented by a visual graph generated by ANY.RUN

text report 0f the Remcos trojan analysis Figure 2: A customizable text report generated by ANY.RUN is a feature specifically developed to simplify the sharing of research results.

Remcos trojan execution process

Remcos trojan can be delivered in different forms. Based on RAT's analysis, it can be spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload, obfuscate the server component. In our simulation, after Remcos made its way to infect the device and begin the execution process, it started VBS script execution. Script ran command line and proceeded to drop an executable file from it. This file was the main payload, and it carried out the main malicious activities – stealing information, changing the autorun value in the registry, and connecting to the C2 server.

remcos execution process tree Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although being distributed using multiple methods, being provided in a bundle with mass mailer software, the analysis proves that Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to try and trick users into downloading file attachments, commonly – contaminated Microsoft Office files. Once downloaded, the files would prompt the users to activate the macros required for the execution of Ramcos to start.

Attackers who utilize this trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Corporations that are known to become targets of Remcos attacks include news agencies and businesses energy industry-related businesses.

If the victim does enable the macros, they reconstruct a small executable file which is then dropped to a pre-specified location and launched from there. This file then proceeds to download the main payload, which is Remcos itself, from a control server and then begin the execution process. Even though the location can vary from sample to sample, it usually includes one of the following locations, typical for malware creators: %APPDATA% and %TEMP%.

How to detect Remcos using ANY.RUN?

Since Remcos trojan creates log files without encryption, cybersecurity specialists can analyze it. Open either the "Files" tab in the lower part of the task's window or click on the process and then on the "More Info" button in the appeared window. After that, all you need to do is just click on the logs.dat file. If you see strings like on the illustration below, you can be sure it Remcos.

remcos log file Figure 4: Remcos log file

Conclusion

Remcos RAT is a dangerous trojan available to attackers for a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is modernized with updates released nearly every month by the owner company. Accessibility and powerful feature set helped to make Ramcos into a powerful and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN gives professionals an equally robust feature set to research threats like Ramcos and respond with effective countermeasures.

IOCs

IP addresses
3.22.53.161
82.202.167.67
185.204.1.236
35.157.111.131
192.168.100.29
192.169.69.26
192.169.69.25
3.124.67.191
3.13.191.225
192.168.100.106
3.22.30.40
181.71.216.115
172.105.162.84
104.22.49.74
194.5.98.225
181.141.1.182
3.140.223.7
3.141.177.1
3.17.7.232
3.125.209.94
Hashes
36eae83dd16e98d3f62475ff48c33f731651e41ff52b0558b509d7a4d665e0b8
d2cb9cf69c0b679e2c702199e9057e70de4c2af88946aac495bcb49fb6ccc608
7d86068523fe035aec83fcb57be4edc0bdca3000fa6046fb66ef246b20e15601
b69f04883131047159a3f3f13a7943ffdf43c742bc2a8994f7ef1f1a42c16eee
7ae17db9aa6d38297397c2f165275107674c25bcf88dc90720ba87d37cb000c3
8f5fae18ffc61f2ecf76d797ea904341337c3bc7385fbe8e505cebd1ac813b90
17f5cb1dba8dd540465e9135d6541f2a7f871caee59c8afc63cf17e820c0f22f
e78093caa7022916c989d6d39c7087260f746a20a158ac03eea18e6ae420a61f
16bc7a5b3046f64260b9b5cb075d9397e35e9e553ff7b82ca0647ec8bf7a50e7
f710395880f835d08b965db304c00350be5824af2bbe7a55ba6ead607f7ff65d
d79a3905e74be12a90010d43149399e3217faa91354e0ce4ca083c600e295b38
2edb8331a555695ddee1e6e2172d95b0258f0c44973a2e3120bb8994479436ac
9cc65c17e826a8741fd42132b9f321894612c6ac092a647e7b4e0334a8550788
96b2da5b493ac29bb08e8045157cd8b2643dcfa4a937f7eced5a276b8f8a6b67
2682222836b5d284955176401e14dba7b8af056ee4db520c1fc51305c192da81
855fd0205697cb4b1268ee68cb940c17bedb0404ee75dbb4376e0c5e4597ce09
944bdf553996f0c0eda08038fb828f61acc5c559ef473a94f1c74099d1d94b95
d6e40d4e0a55dc248b8230c476afb617efc284f2ba76d4dcf7c279ae1c01ba4d
877fb569a9392300b7fe9f1c6a76cf31108841ec3c24c32922e4806fb636c2ef
1e5375b400f68c422804703390489b2cf3968c2a8bccb0b5b3c55fe1d2e3c991
Domains
googleapis2m.duckdns.org
googleapis2.duckdns.org
susur2334.duckdns.org
2.tcp.ngrok.io
WindowsAuthentication324-49629.portmap.host
booking.msg.bluhotels.com
booking.msg.bluhotels.com
ticket.ipv10.eu
3jkpvk2m8y.dattolocal.net
7.tcp.eu.ngrok.io
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
majul.com
windowsuport.duckdns.org
dnstrafficexchange.duckdns.org
paoduenti.duckdns.org
windonwsxp.duckdns.org
riet.duckdns.org
winsupporting.duckdns.org
securitymsofficesystemsharingcloudfilein.duckdns.org
blogsdns.duckdns.org

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More