REMCOS Remote Control & Surveillance Software
What Is Remcos? aka: RemcosRAT, Remvio, Socmer Actor(s): APT33, The Gorgon Group, UAC-0050 Remcos (short for Remote Control and Surveillance) is a commercial system administration application for XP and newer versions of Windows that threat actors have weaponized. Remcos is a closed-source application…
What Is Remcos?
aka: RemcosRAT, Remvio, Socmer
Actor(s): APT33, The Gorgon Group, UAC-0050
Remcos (short for Remote Control and Surveillance) is a commercial system administration application for XP and newer versions of Windows that threat actors have weaponized. Remcos is a closed-source application designed for network maintenance, system monitoring, surveillance, and penetration testing, but attackers use it to exploit target systems remotely. Although the vendor Breaking Security claims that Remcos is a legitimate security tool, it has been labeled as malware by CISA and included in its list of top malware strains of 2021.
Remcos’s malicious capabilities are nearly unlimited due to its robust feature set and ability to maintain persistent and high-privileged remote control of a victim’s system. It is commonly used to steal credentials, for man-in-the-middle (MiTM) internet connections, and to orchestrate zombie botnets that can launch synchronized distributed denial-of-service (DDoS) attacks. It was first released in 2016 and is sold for £58–389 ($66–439) depending on the number of included licenses and features.
How Remcos Works
Remcos is distributed via email phishing campaigns that attempt to trick targets into opening malicious Microsoft Office documents using social engineering tactics such as COVID-related spam. If a target opens the attached document and enables macros, Remcos’s stager can bypass Microsoft Windows’ User Account Control by hijacking the Windows Registry to execute the primary Remcos payload with high-level system privileges. To maintain persistent access to a compromised system, Remcos adds a Windows Registry AutoStart key to execute the malware once the infected system is restarted.
Remcos is a Windows-based application written in both C++ and Delphi. It is capable of multithreaded remote scripting for high-performance exploitation. It has multiple remote access options, such as command shell access, service manager interface, SOCKS5 remote proxy, and an easy-to-use administrator GUI.
Remcos uses a custom TCP-based protocol to establish encrypted connections and keepalive to maintain its command-and-control (C2) connection over unstable networks. These efficient and robust tools make Remcos the malware of choice for maintaining zombie botnets and proxying internet traffic on compromised hosts.
Indicators of Compromise (IOCs)
MD5 Hash | SHA256 Hash | IP Address | FQDN |
---|---|---|---|
ee4e163f38aca1399baa166ca87561d0 | 9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8 | 154.216.20.211 | method8888.ddns.net |
4ef3177a2e94ce3d15ae9490a73a2212 | 87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0 | 192.210.150.26 | users-lies.gl.at.ply.gg |
54eae6f327b102eedbb7c8b66b9d1088 | 6cc066c3a33644d8a54496de97374b7a8804b490f7d3ca66c62c1bc6cb695fa5 | 212.162.149.42 | |
47e850e82c0147b6710cbf479b3fb9f0 | 0169c5dfee0db5e9e9c4114d746e02afdafdd9e954be8faf35f6187a51ef95e6 | 194.169.175.190 | |
683afddffe9af5794fe2afef228b4130 | 8f16685b7be3285c76951473da6c1efd6bad219b62b224b0e181de8b77ee4e02 | 111.90.147.110 | |
328c9827047c43f6e44641a0fa9cfd8d | 63660df7602191c226278902e159312a16a1c844db329cca146fb702a2a51256 | 154.216.19.222 | |
faf6dfb4a22e2a154f6fd2e75842510e | c0e84339533d57155132b05645961f77ac54774773cb54c20e05a83b71b08ebd | 103.153.76.111 | |
dc4841967f9dd9a62b89897f45b20db4 | a1c60f9507dc54e7da3b9113d734f39912f15a94fc95effafe7a6e06991fc73d | 89.249.73.162 | |
a9c3b2b6d05c8df20283b030b2451b05 | 1175d11454e59a13ace9b3c7201dff041691361ac23cbabdf11150b895f955b7 | 213.183.58.19 | |
5c482e2f743f26a08c2c635a631f2710 | 44c60a89bb1a3de59c88bb8cd3e866ebd245d413c22fcbd0bf5d51bb5650d935 | 23.106.127.123 | |
1d7d581c29836ce75b6ed778cd7d944f | 9dead7adbdd7610c8c93dfa730b6392f97c28496ce8ef9386877f58cbb937c90 | ||
8108df04c2d0f00c5497c2fd4bcfa37e | 1aea19477e1d5ab9e33bbddbb58eff5b8ca7b4edfd4b90a9f0250eb2d321c79a | ||
eec80238fe54bdb6c626e2d398b2f000 | 868bda619235945ebdda6ff9d5a75e67451685ade942754e7a02de84d77b2c5e | ||
c631ec8af8f0f0619ef0cc6646548c69 | f90d383845316922d60a00f1dec1b8a742b635dc33eea546ede20b5baf93a85b | ||
88c5403f0e15b16a179f49937d3138a4 | 7720c3ae81a4608dce049fd16fe6175fc046e2e19d8d51167c1f5f89567cb8af | ||
811f4abf4f54216467d9df42a1dc1779 | 6a80e27b1beb4566c94dd99a48c88c3441405a05027c1ded1b020174ef7c6bf0 | ||
cc9266ce2040c3a296ecd43d3ace5f58 | 0e14f7af2c3b01c1c018a018d2232ea9c2e0853fba7ab924b4f160cef1485e42 | ||
b9e5541151bf86850dc8bd04239c1a7e | 2498074c53dd11560b4c576ba8deab7e51d3a5e5b227c95cc0264405776065a7 | ||
a511e09f384a7d4624058a2b008dbfb8 | 32a317da4e48e09ad4c10a5783364d16c8e2f04565c5bcddcfeba9ebdd993529 | ||
d0b9e457b2d16d654f95b599d86da4c0 | ea15b09762985bc16b997558583acb28d9fd9e86eb95b2df204956211ec541d7 | ||
986168d4c6742f3ebeda92509d37bde1 | e28927b322db99c02ce13138cfb401f5abe4bde548c9beafb852ca52d7a49217 | ||
f2f958782af0c7184cc029b10c7a02e5 | cf3f0a73535894870ed1266fcd6d5698326a5823d7d880ae987b848ee5119bc2 | ||
094a6bc451b4af000bad12b147bc9ab0 | 24d40d5cea4f3e5944fb9ed436eaf2e270538d00afc5f39033c278f752ecf527 | ||
6fc2a60f7c07a3e9bb17419298d482b8 | 6d35f545a2a015c4ee10983680eacb808eb81271a29d2c35b93c6d96047dd408 |
RELATED
RTM – Remote Monitoring & Management (RMM) Tools
Topic: Ransomware Tool Matrix Focus: Remote Monitoring & Management (RMM) Tools An RMM (Remote Monitoring and Management) tool is a…
How to Disable Windows CoPilot: A Step-by-Step Guide
Windows CoPilot is Microsoft’s latest AI-powered assistant, integrated directly into Windows 11. It’s designed to help users by providing personalized…
Start The New Year Off The Right Way
It’s our job at Barricade Cyber Solutions to make sure that your data is safe at all times – and…