Tuesday, February 27, 2024

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

A remote access Trojan (RAT) is a malware program that incorporates a back door for administrative control over the objective PC.

RATs are normally downloaded invisibly with a client trusted program like games, Email attachments.

Remcos RAT was first sold in hacking forums in late 2016 and from that point it get’s updated with more features continuously, and recently Fortinet Security team identified this payload is distributed widely and the latest version is (v1.7.3).

Remcos right now being sold from $58 to $389, as per time frame and the maximum number of administrators or customers required.

Malware Execution with elevated privileges

Remcos RAT is being appropriated through malicious Microsoft Office documents passing by the filenames of Quotation.xls or Quotation.doc, which are most presumably connected to SPAM mails.

These malicious document macro are designed to bypass Microsoft Windows’ UAC security and execute malware with high privilege.

Commercial RAT Remcos Spotted in Live Attacks

To execute the downloaded malware with higher system permissions, it uses a well-known UAC-bypassmethod.

It endeavors to execute it under Microsoft’s Event Viewer (eventvwr.exe) by capturing a registry (HKCU\Software\Classes\mscfile\shell\open\command ) that it questions to discover the way of the Microsoft Management Console (mmc.exe).

The Event Viewer essentially executes whatever is in that way. Since the large scale’s shell command replaces the value from that registry section to the malware’s area, the malware is executed rather than the legitimate  mmc.exe.

Payload Binary’s

Remcos just incorporates UPX and MPRESS1 packers to pack and compress its server segment. In this sample, be that as it may, the attacker went further by including another layer of custom packer on top of MPRESS1.

Commercial RAT Remcos Spotted in Live Attacks

Remcos v.1.7.3 and its abilities 

Remcos Client has five main tabs with various particular capacities.  Although most of the parameters are disabled in the free form, we were able to simulate its client-server connection.

  • The Connections Tab is where all the active connections can be monitored.
  • Automatic Tasks is probably the most interesting feature of Remcos, as we haven’t seen anything like it on other RATs.
  • The Local Settings tab consists of settings for the client side.
  • The Builder tab is where the parameters of the created server binary can be customized.

Builder tab sub sections

  • Connection – sets the client IP addresses and ports where the server connects to upon installation.
  • Installation – configures the installation path, autorun registries, and a watchdog module that prevents termination of the process and deletion of its files and registries.
  • Stealth – this section dictates whether the server should appear on the system’s tray icon.
  • Keylogger – this includes the usual limits for a basic keylogger function.
  • Surveillance – gives the server an option to take periodic screenshots of the system or when specific windows are active.
  • Build – gives the option to pack the server binary using UPX and MPRESS.
  • The Event Log displays connection logs with the server, along with some information about the client’s status (updates, ports, etc.)
  • The About tab has acknowledgements and some promotions on other product.
Commercial RAT Remcos Spotted in Live Attacks

Samples (SHA256)

fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a – W32/Remcos.A!tr

8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 – W32/Remcos.A!tr

8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb – WM/Agent.9BF1!tr.dldr

a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 – WM/Agent.9BF1!tr.dldr


Download URL: legacyrealestateadvisors[.]net/brats/remmy.exe


  • remcos2.legacyrealestateadvisors[.]net
  • remcos.legacyrealestateadvisors[.]net

Also Read:


Latest articles

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...

Scattered Spider: Advanced Techniques for Launching High-Profile Attacks

Scattered Spider is a threat group responsible for attacking several organizations since May 2022...

8220 Hacker Group Attacking Linux & Windows Users to Mine Crypto

In a significant escalation of cyber threats, the 8220 Gang, a notorious Chinese-based hacker group, has intensified its attacks...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles