Remcos

Remcos is a remote access trojan – a malware used to take remote control over infected PCs. It has been operational since 2016 when it first became available for sale in the underground hacker communities on the dark web.

  • Type
    Trojan
  • Origin
    ex-USSR territory
  • First seen
    1 June, 2016
  • Last seen
    22 November, 2019
  • Global rank
    11
  • Week rank
    14
  • Month rank
    11
  • IOCs
    1428

What is Remcos?

Remcos has received substantial updates throughout its lifetime. In fact, the malware is maintained extremely actively, with new releases coming out almost every month. In April 2019 it was available for purchase at prices ranging from just over 60 dollars to over 400 dollars, depending on the selected package.

General description of Remcos

This Trojan is created and sold to clients by a “business” called Breaking Security. Although Breaking Security claims that the program is only available to those who intend to use it for legal purposes, in reality Remcos gives clients every feature necessary to launch potentially destructive attacks. The malware can be purchased with various cryptocurrencies. The program can remotely control PCs running any Windows version from XP onwards. It can also capture screenshots and record keystrokes on infected machines.

What’s more, Remcos comes equipped with a cryptor program that lets the malware stay hidden from antivirus software. In fact, Breaking Security has released a video on its YouTube channel demonstrating how multiple antivirus products fail to detect the presence of Remcos. In addition, Breaking Security provides attackers with a keylogger for remotely recording the victim's keystrokes, a mass mailer program for carrying out distribution campaigns, and a DynDNS service. With all of these additional services connected, purchasers have everything they need to build their own functioning botnets.

The company responsible for selling Remcos RAT to criminals is registered in Germany. Germany is the only European Union member state that does not allow company details to be looked up online, so the founders of Breaking Security remain unidentified. The website itself provides no information about the company or the team behind Remcos. The website's domain is hosted on Cloudflare, and all information related to it is protected by the hosting organization's privacy policy. Clearly, the people behind Breaking Security have gone to considerable effort to stay anonymous.

Remcos malware analysis

Remcos execution can be watched in-depth in a video recorded in the ANY.RUN malware hunting service.

Figure 1: The lifecycle of Remcos as presented by a visual process graph generated by ANY.RUN

Figure 2: A customizable text report generated by ANY.RUN, a feature developed specifically to simplify the sharing of research results

Remcos execution process

Remcos can be delivered in different forms. For instance, it can be spread as an executable file whose name is chosen to convince users to open it, or it can pose as a Microsoft Word file that exploits vulnerabilities to download and execute the main payload. In our simulation, after Remcos infected the device and began executing, it launched a VBS script. The script ran a command line and dropped an executable file from it. This file was the main payload, and it carried out the core malicious activity: stealing information, changing the autorun value in the registry, and connecting to the C2 server.

Figure 3: Execution processes of Remcos as displayed by the ANY.RUN malware analysis service

Distribution of Remcos

Although Remcos is distributed using multiple methods, and is provided in a bundle with mass mailer software, it usually reaches victims' machines through malicious attachments in spam email campaigns. The attackers normally use phishing techniques to trick users into downloading file attachments, commonly contaminated Microsoft Office files. Once downloaded, the files prompt users to activate macros, which are required for the execution of Remcos to start.

Attackers who use this Trojan are known to target specific organizations and sometimes go a long way to craft custom phishing emails designed to fool their victims. Organizations known to have been targeted by Remcos attacks include news agencies and businesses in the energy industry.

If the victim does enable the macros, they reconstruct a small executable file, which is then dropped to a pre-specified location and launched from there. Although the location varies from sample to sample, it is usually one of the directories typically favored by malware authors: %APPDATA% or %TEMP%. This file then downloads the main payload, Remcos itself, from a control server and begins the execution process.
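The delivery chain described here and under "Remcos execution process" above (Office or script host spawning an executable from %APPDATA%/%TEMP%, a Run-key write, an outbound connection) can be turned into a simple detection over sandbox-style events. This is an added example, not ANY.RUN's own code; the event format, paths, PIDs and the 203.0.113.5 address are constructed placeholders.

```python
import re

# Constructed sandbox-style event stream modelled on the chain the text describes:
# WINWORD -> wscript.exe -> dropped EXE in %APPDATA% -> Run key -> outbound connection.
# Paths, PIDs and the 203.0.113.5 address are placeholders, not real Remcos IOCs.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\winupd\winupd.exe"},
    {"type": "registry", "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winupd",
     "value": r"C:\Users\u\AppData\Roaming\winupd\winupd.exe"},
    {"type": "network", "pid": 300, "dst": "203.0.113.5:2404"},
    # benign noise that must not fire
    {"type": "process", "pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\notepad.exe"},
]

SCRIPT_OR_OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}
# %APPDATA% (Roaming/Local) and %TEMP%: the drop locations the text names as typical
DROP_DIR = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(events):
    """Return {pid: [findings]} for binaries in a drop directory that show chain stages."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}
    for e in events:
        pid = e["pid"]
        proc = procs.get(pid)
        if proc is None or not DROP_DIR.search(proc["image"]):
            continue  # only binaries living in %APPDATA%/%TEMP% are of interest
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in SCRIPT_OR_OFFICE:
                findings.setdefault(pid, []).append("dropped_exe_spawned_by_script_host")
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            findings.setdefault(pid, []).append("run_key_persistence")
        elif e["type"] == "network":
            findings.setdefault(pid, []).append("outbound_connection")
    return findings

def suspicious_pids(events, min_findings=2):
    """Flag a process only when at least two stages of the chain are seen together."""
    return sorted(pid for pid, f in classify(events).items() if len(f) >= min_findings)

if __name__ == "__main__":
    for pid, tags in classify(SAMPLE_EVENTS).items():
        print(pid, tags)
    print("flagged:", suspicious_pids(SAMPLE_EVENTS))
```

Requiring two stages keeps a lone installer in %APPDATA% from firing, while the full drop-persist-connect sequence is caught.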

How to detect Remcos using ANY.RUN?

Since Remcos writes its log files without encryption, analysts can inspect them directly. Open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the logs.dat file. If you see strings like those in the illustration below, you can be sure it is Remcos.

Figure 4: Remcos log file

Conclusion

Remcos is a dangerous trojan available to attackers at a relatively low price. Despite its accessibility, it comes equipped with enough robust features to allow attackers to set up their own effective botnets. What's more, it is kept current with updates released nearly every month by the owner company. Accessibility and a powerful feature set have made Remcos into a capable and dangerous trojan.

Thankfully, malware hunting services such as ANY.RUN give professionals an equally robust feature set to research threats like Remcos and respond with effective countermeasures.

