Monday, May 26, 2025

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks


A remote access Trojan (RAT) is a malware program that includes a back door giving the attacker administrative control over the target PC.

RATs are normally delivered covertly alongside programs the user trusts, such as games, or as email attachments.

Remcos RAT was first sold on hacking forums in late 2016 and has been updated with new features continuously since then. Fortinet's security team recently observed this payload being distributed widely; the latest version at the time of analysis was v1.7.3.

Remcos is currently sold for $58 to $389, depending on the licence period and the maximum number of masters (operator clients) required.


Malware Execution with elevated privileges

Remcos RAT is being distributed through malicious Microsoft Office documents using filenames such as Quotation.xls or Quotation.doc, which are most likely attached to spam emails.

The macros in these documents are designed to bypass Windows User Account Control (UAC) and execute the malware with elevated privileges.


To run the downloaded payload with higher privileges, the macro uses a well-known UAC bypass.

It launches the payload through Microsoft's Event Viewer (eventvwr.exe) by hijacking the registry key HKCU\Software\Classes\mscfile\shell\open\command, which eventvwr.exe queries to find the path of the Microsoft Management Console (mmc.exe).

Event Viewer simply executes whatever path is stored there. Because the macro's shell command replaces that registry value with the malware's location, the malware runs instead of the legitimate mmc.exe. The bypass works because eventvwr.exe is an auto-elevating Microsoft binary and the per-user HKCU\Software\Classes entry takes precedence over the machine-wide default, so the hijacked command is started at high integrity without a UAC prompt. On a clean system the HKCU\Software\Classes\mscfile key does not normally exist, which makes its creation a useful detection signal; later Windows 10 releases removed this lookup from eventvwr.exe, so the technique fails on patched builds.
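As an added example (not code from the original article or from Fortinet's analysis), the following Python detection logic looks for the two halves of the chain described above in Sysmon-style telemetry: a write to the per-user mscfile handler key, and eventvwr.exe spawning anything other than mmc.exe. The events are constructed to mimic Sysmon Event ID 13 (registry value set) and Event ID 1 (process create) records; the SID, user name and file paths in them are made up, and the field names follow Sysmon's schema.

```python
"""Detect the eventvwr.exe / mscfile UAC-bypass chain in Sysmon-style events.

Added example, not code from the article or from Fortinet's report. The event
dictionaries below are constructed; the SID, paths and user name are invented.
"""
import re
from dataclasses import dataclass

# The per-user key eventvwr.exe consults before the machine-wide default when
# it launches mmc.exe. A normal user profile has no such key, so any write to
# it is suspicious on its own. Sysmon reports HKCU paths as HKU\<SID>\...
HIJACK_KEY_RE = re.compile(
    r"\\Software\\Classes\\mscfile\\shell\\open\\command(\\|$)", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return Findings for (a) writes to the mscfile handler key and
    (b) eventvwr.exe spawning any process other than mmc.exe."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13 and HIJACK_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(Finding(
                rule="mscfile_handler_hijack",
                image=ev.get("Image", ""),
                detail=f"{ev['TargetObject']} -> {ev.get('Details', '')}",
            ))
        elif ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "eventvwr.exe":
            if _basename(ev.get("Image", "")) != "mmc.exe":
                findings.append(Finding(
                    rule="eventvwr_spawned_non_mmc",
                    image=ev.get("Image", ""),
                    detail=f"integrity={ev.get('IntegrityLevel', '?')}",
                ))
    return findings


def bypass_chain_observed(events) -> bool:
    """True when both halves of the chain are present: the key was hijacked
    and eventvwr.exe then ran something that is not mmc.exe."""
    rules = {f.rule for f in detect(events)}
    return {"mscfile_handler_hijack", "eventvwr_spawned_non_mmc"} <= rules


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {   # the macro host writes the hijacked (Default) value
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\mscfile\shell\open\command\(Default)",
        "Details": r"C:\Users\victim\AppData\Roaming\remmy.exe",
    },
    {   # eventvwr.exe auto-elevates: no UAC prompt at this step
        "EventID": 1,
        "Image": r"C:\Windows\System32\eventvwr.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "IntegrityLevel": "High",
    },
    {   # the hijacked value runs instead of mmc.exe and inherits High IL
        "EventID": 1,
        "Image": r"C:\Users\victim\AppData\Roaming\remmy.exe",
        "ParentImage": r"C:\Windows\System32\eventvwr.exe",
        "IntegrityLevel": "High",
    },
]

# A legitimate Event Viewer launch for comparison: eventvwr.exe -> mmc.exe.
BENIGN_EVENTS = [
    {
        "EventID": 1,
        "Image": r"C:\Windows\System32\mmc.exe",
        "ParentImage": r"C:\Windows\System32\eventvwr.exe",
        "IntegrityLevel": "High",
    },
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} ({f.detail})")
    print("chain observed:", bypass_chain_observed(SAMPLE_EVENTS))
```

The same check can be made directly on a live host: the key HKCU\Software\Classes\mscfile should not exist for an ordinary user, and deleting it restores the normal lookup of mmc.exe.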

Payload binaries

Remcos itself only offers the UPX and MPRESS1 packers to compress its server component. In this sample, however, the attacker went further and added another layer of custom packing on top of MPRESS1.
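The packing layers described above can be triaged without running the sample. The following Python, added here and not part of the article or Fortinet's report, parses a PE section table using only the standard library, flags the section names UPX and MPRESS leave behind, and measures per-section entropy, since an additional custom packing or encryption layer typically shows up as a high-entropy section that carries no known packer name. The PE images it operates on are constructed header-only stubs built by build_stub_pe, not Remcos samples; their section contents are synthetic.

```python
"""Packer triage for a PE file: known packer section names plus per-section
entropy. Added example; the PE images below are constructed stubs, not
real samples."""
import math
import struct

# Section names written by the two packers the Remcos builder offers.
KNOWN_PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes) -> dict:
    """Report known packers, high-entropy sections and an overall verdict."""
    packers, suspicious = set(), []
    for name, data in pe_sections(image):
        if name in KNOWN_PACKER_SECTIONS:
            packers.add(KNOWN_PACKER_SECTIONS[name])
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            suspicious.append((name.decode("latin-1"), round(ent, 2)))
    if packers:
        verdict = "packed with " + ", ".join(sorted(packers))
    elif suspicious:
        verdict = "possible custom packer or encrypted section"
    else:
        verdict = "no packing indicators"
    return {"packers": sorted(packers), "high_entropy_sections": suspicious, "verdict": verdict}


def build_stub_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE32 image whose section table
    holds the given (name, data) pairs. Exists only to exercise the parser."""
    opt_size = 0xE0                                   # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    out = bytearray(b"MZ" + b"\0" * 0x3E)             # DOS header, e_lfanew -> 0x40
    struct.pack_into("<I", out, 0x3C, 0x40)
    out += b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # magic only, rest zeroed
    body = bytearray()
    for name, data in sections:
        raw_ptr = hdr_len + len(body)
        out += name.ljust(8, b"\0")
        out += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(out) + bytes(body)


UNIFORM = bytes(range(256))                # every byte value equally often: entropy 8.0
CODE = b"\x55\x8b\xec\xc3" * 64            # four distinct bytes: entropy 2.0
MPRESS_IMAGE = build_stub_pe([(b".MPRESS1", UNIFORM * 16), (b".MPRESS2", b"\0" * 512)])
CUSTOM_IMAGE = build_stub_pe([(b".text", CODE), (b".data", UNIFORM * 8)])   # no packer name, but packed data
PLAIN_IMAGE = build_stub_pe([(b".text", CODE), (b".data", b"\0" * 256)])

if __name__ == "__main__":
    for label, img in (("mpress", MPRESS_IMAGE), ("custom", CUSTOM_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, triage(img))
```

Section names are easy for a custom packer to rename, so the entropy column is the more durable signal; a sample whose verdict is "possible custom packer" is exactly the case described above, where the outer layer hides the MPRESS-packed payload inside it.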


Remcos v1.7.3 and its capabilities

The Remcos client has five main tabs with specific functions, plus an About tab. Although most parameters are disabled in the free version, Fortinet's researchers were able to simulate its client-server connection. Note the vendor's terminology: the "server" is the component built and installed on the victim machine, and the "client" is the operator's control panel that the server connects back to.

  • The Connections tab is where all active connections can be monitored.
  • Automatic Tasks is probably the most interesting feature of Remcos; the researchers had not seen anything like it in other RATs.
  • The Local Settings tab holds settings for the client side.
  • The Builder tab is where the parameters of the generated server binary are customized.
  • The Event Log tab displays connection logs from the server, along with some information about the client's status (updates, ports, etc.).
  • The About tab has acknowledgements and promotions for other products.

Builder tab sub-sections

  • Connection – sets the client IP addresses and ports the server connects to upon installation.
  • Installation – configures the installation path, autorun registry entries, and a watchdog module that prevents termination of the process and deletion of its files and registry keys.
  • Stealth – dictates whether the server should show an icon in the system tray.
  • Keylogger – includes the usual options for a basic keylogger.
  • Surveillance – gives the server the option to take screenshots periodically or when specific windows are active.
  • Build – gives the option to pack the server binary using UPX or MPRESS.

Samples (SHA256, with Fortinet detection names)

fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a – W32/Remcos.A!tr

8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 – W32/Remcos.A!tr

8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb – WM/Agent.9BF1!tr.dldr

a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 – WM/Agent.9BF1!tr.dldr

IOC

Download URL: legacyrealestateadvisors[.]net/brats/remmy.exe

Command and control:

  • remcos2.legacyrealestateadvisors[.]net
  • remcos.legacyrealestateadvisors[.]net


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
