Thursday, May 8, 2025
HomeMalwareCommercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

Published on

SIEM as a Service

Follow Us on Google News

A remote access Trojan (RAT) is a malware program that incorporates a back door for administrative control over the objective PC.

RATs are normally downloaded invisibly with a client trusted program like games, Email attachments.

Remcos RAT was first sold in hacking forums in late 2016 and from that point it get’s updated with more features continuously, and recently Fortinet Security team identified this payload is distributed widely and the latest version is (v1.7.3).

Remcos right now being sold from $58 to $389, as per time frame and the maximum number of administrators or customers required.

- Advertisement - Google News

Malware Execution with elevated privileges

Remcos RAT is being appropriated through malicious Microsoft Office documents passing by the filenames of Quotation.xls or Quotation.doc, which are most presumably connected to SPAM mails.

These malicious document macro are designed to bypass Microsoft Windows’ UAC security and execute malware with high privilege.

Commercial RAT Remcos Spotted in Live Attacks

To execute the downloaded malware with higher system permissions, it uses a well-known UAC-bypassmethod.

It endeavors to execute it under Microsoft’s Event Viewer (eventvwr.exe) by capturing a registry (HKCU\Software\Classes\mscfile\shell\open\command ) that it questions to discover the way of the Microsoft Management Console (mmc.exe).

The Event Viewer essentially executes whatever is in that way. Since the large scale’s shell command replaces the value from that registry section to the malware’s area, the malware is executed rather than the legitimate  mmc.exe.

Payload Binary’s

Remcos just incorporates UPX and MPRESS1 packers to pack and compress its server segment. In this sample, be that as it may, the attacker went further by including another layer of custom packer on top of MPRESS1.

Commercial RAT Remcos Spotted in Live Attacks

Remcos v.1.7.3 and its abilities 

Remcos Client has five main tabs with various particular capacities.  Although most of the parameters are disabled in the free form, we were able to simulate its client-server connection.

  • The Connections Tab is where all the active connections can be monitored.
  • Automatic Tasks is probably the most interesting feature of Remcos, as we haven’t seen anything like it on other RATs.
  • The Local Settings tab consists of settings for the client side.
  • The Builder tab is where the parameters of the created server binary can be customized.

Builder tab sub sections

  • Connection – sets the client IP addresses and ports where the server connects to upon installation.
  • Installation – configures the installation path, autorun registries, and a watchdog module that prevents termination of the process and deletion of its files and registries.
  • Stealth – this section dictates whether the server should appear on the system’s tray icon.
  • Keylogger – this includes the usual limits for a basic keylogger function.
  • Surveillance – gives the server an option to take periodic screenshots of the system or when specific windows are active.
  • Build – gives the option to pack the server binary using UPX and MPRESS.
  • The Event Log displays connection logs with the server, along with some information about the client’s status (updates, ports, etc.)
  • The About tab has acknowledgements and some promotions on other product.
Commercial RAT Remcos Spotted in Live Attacks

Samples (SHA256)

fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a – W32/Remcos.A!tr

8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 – W32/Remcos.A!tr

8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb – WM/Agent.9BF1!tr.dldr

a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 – WM/Agent.9BF1!tr.dldr

IOC

Download URL: legacyrealestateadvisors[.]net/brats/remmy.exe

Command&Control:

  • remcos2.legacyrealestateadvisors[.]net
  • remcos.legacyrealestateadvisors[.]net

Also Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated new malware dubbed LOSTKEYS,...

Lampion Banking Malware Uses ClickFix Lures to Steal Banking Credentials

Unit 42 researchers at Palo Alto Networks, a highly targeted malicious campaign orchestrated by...

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...