,

REMCOS Remote Control & Surveillance Software

What Is Remcos? aka: RemcosRAT, Remvio, Socmer Actor(s): APT33, The Gorgon Group, UAC-0050 Remcos (short for Remote Control and Surveillance) is a commercial system administration application for XP and newer versions of Windows that threat actors have weaponized. Remcos is a closed-source application…

August 21, 2024|Eric Taylor
remcos-a-new-rat-in-the-wild-2

What Is Remcos?

aka: RemcosRAT, Remvio, Socmer
Actor(s): APT33, The Gorgon Group, UAC-0050

Remcos (short for Remote Control and Surveillance) is a commercial system administration application for XP and newer versions of Windows that threat actors have weaponized. Remcos is a closed-source application designed for network maintenance, system monitoring, surveillance, and penetration testing, but attackers use it to exploit target systems remotely. Although the vendor Breaking Security claims that Remcos is a legitimate security tool, it has been labeled as malware by CISA and included in its list of top malware strains of 2021.

2024-08-21 07_51_34-Window

Remcos’s malicious capabilities are nearly unlimited due to its robust feature set and ability to maintain persistent and high-privileged remote control of a victim’s system. It is commonly used to steal credentials, for man-in-the-middle (MiTM) internet connections, and to orchestrate zombie botnets that can launch synchronized distributed denial-of-service (DDoS) attacks. It was first released in 2016 and is sold for £58–389 ($66–439) depending on the number of included licenses and features.

2024-08-21 07_50_22-Window

How Remcos Works

Remcos is distributed via email phishing campaigns that attempt to trick targets into opening malicious Microsoft Office documents using social engineering tactics such as COVID-related spam. If a target opens the attached document and enables macros, Remcos’s stager can bypass Microsoft Windows’ User Account Control by hijacking the Windows Registry to execute the primary Remcos payload with high-level system privileges. To maintain persistent access to a compromised system, Remcos adds a Windows Registry AutoStart key to execute the malware once the infected system is restarted.

Remcos is a Windows-based application written in both C++ and Delphi. It is capable of multithreaded remote scripting for high-performance exploitation. It has multiple remote access options, such as command shell access, service manager interface, SOCKS5 remote proxy, and an easy-to-use administrator GUI.

Remcos uses a custom TCP-based protocol to establish encrypted connections and keepalive to maintain its command-and-control (C2) connection over unstable networks. These efficient and robust tools make Remcos the malware of choice for maintaining zombie botnets and proxying internet traffic on compromised hosts.

Indicators of Compromise (IOCs)

 

 

MD5 Hash SHA256 Hash IP Address FQDN
ee4e163f38aca1399baa166ca87561d09e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8154.216.20.211method8888.ddns.net
4ef3177a2e94ce3d15ae9490a73a221287353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0192.210.150.26users-lies.gl.at.ply.gg
54eae6f327b102eedbb7c8b66b9d10886cc066c3a33644d8a54496de97374b7a8804b490f7d3ca66c62c1bc6cb695fa5212.162.149.42
47e850e82c0147b6710cbf479b3fb9f00169c5dfee0db5e9e9c4114d746e02afdafdd9e954be8faf35f6187a51ef95e6194.169.175.190
683afddffe9af5794fe2afef228b41308f16685b7be3285c76951473da6c1efd6bad219b62b224b0e181de8b77ee4e02111.90.147.110
328c9827047c43f6e44641a0fa9cfd8d63660df7602191c226278902e159312a16a1c844db329cca146fb702a2a51256154.216.19.222
faf6dfb4a22e2a154f6fd2e75842510ec0e84339533d57155132b05645961f77ac54774773cb54c20e05a83b71b08ebd103.153.76.111
dc4841967f9dd9a62b89897f45b20db4a1c60f9507dc54e7da3b9113d734f39912f15a94fc95effafe7a6e06991fc73d89.249.73.162
a9c3b2b6d05c8df20283b030b2451b051175d11454e59a13ace9b3c7201dff041691361ac23cbabdf11150b895f955b7213.183.58.19
5c482e2f743f26a08c2c635a631f271044c60a89bb1a3de59c88bb8cd3e866ebd245d413c22fcbd0bf5d51bb5650d93523.106.127.123
1d7d581c29836ce75b6ed778cd7d944f9dead7adbdd7610c8c93dfa730b6392f97c28496ce8ef9386877f58cbb937c90
8108df04c2d0f00c5497c2fd4bcfa37e1aea19477e1d5ab9e33bbddbb58eff5b8ca7b4edfd4b90a9f0250eb2d321c79a
eec80238fe54bdb6c626e2d398b2f000868bda619235945ebdda6ff9d5a75e67451685ade942754e7a02de84d77b2c5e
c631ec8af8f0f0619ef0cc6646548c69f90d383845316922d60a00f1dec1b8a742b635dc33eea546ede20b5baf93a85b
88c5403f0e15b16a179f49937d3138a47720c3ae81a4608dce049fd16fe6175fc046e2e19d8d51167c1f5f89567cb8af
811f4abf4f54216467d9df42a1dc17796a80e27b1beb4566c94dd99a48c88c3441405a05027c1ded1b020174ef7c6bf0
cc9266ce2040c3a296ecd43d3ace5f580e14f7af2c3b01c1c018a018d2232ea9c2e0853fba7ab924b4f160cef1485e42
b9e5541151bf86850dc8bd04239c1a7e2498074c53dd11560b4c576ba8deab7e51d3a5e5b227c95cc0264405776065a7
a511e09f384a7d4624058a2b008dbfb832a317da4e48e09ad4c10a5783364d16c8e2f04565c5bcddcfeba9ebdd993529
d0b9e457b2d16d654f95b599d86da4c0ea15b09762985bc16b997558583acb28d9fd9e86eb95b2df204956211ec541d7
986168d4c6742f3ebeda92509d37bde1e28927b322db99c02ce13138cfb401f5abe4bde548c9beafb852ca52d7a49217
f2f958782af0c7184cc029b10c7a02e5cf3f0a73535894870ed1266fcd6d5698326a5823d7d880ae987b848ee5119bc2
094a6bc451b4af000bad12b147bc9ab024d40d5cea4f3e5944fb9ed436eaf2e270538d00afc5f39033c278f752ecf527
6fc2a60f7c07a3e9bb17419298d482b86d35f545a2a015c4ee10983680eacb808eb81271a29d2c35b93c6d96047dd408

RELATED

Executive Summary – Continued Attacks on USA Law Firms

By Eric Taylor | January 16, 2025

Executive Summary A cybercriminal operating under the alias CeFarir0ne has put up for sale unauthorized Remote Desktop Protocol (RDP) access to an…

Executive Summary – Shadow Syndicate

By Eric Taylor | January 15, 2025
,

Executive Summary In late 2024, Darktrace identified multiple instances of RansomHub ransomware attacks linked to the ShadowSyndicate threat group. ShadowSyndicate,…

BianLian Data Extortion Group – Updated Advisory

By Eric Taylor | November 21, 2024

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber…