REMCOS Remote Control & Surveillance Software
What Is Remcos?
aka: RemcosRAT, Remvio, Socmer
Actor(s): APT33, The Gorgon Group, UAC-0050
Remcos (short for Remote Control and Surveillance) is a commercial system administration application for Windows XP and newer versions of Windows that threat actors have weaponized. Remcos is a closed-source application designed for network maintenance, system monitoring, surveillance, and penetration testing, but attackers use it to exploit target systems remotely. Although the vendor Breaking Security claims that Remcos is a legitimate security tool, it has been labeled as malware by CISA and included in its list of top malware strains of 2021.
Remcos’s malicious capabilities are nearly unlimited due to its robust feature set and its ability to maintain persistent, high-privileged remote control of a victim’s system. It is commonly used to steal credentials, to intercept internet connections in man-in-the-middle (MitM) attacks, and to orchestrate zombie botnets that can launch synchronized distributed denial-of-service (DDoS) attacks. It was first released in 2016 and is sold for £58–389 ($66–439) depending on the number of included licenses and features.
How Remcos Works
Remcos is distributed via email phishing campaigns that use social engineering tactics, such as COVID-related spam, to trick targets into opening malicious Microsoft Office documents. If a target opens the attached document and enables macros, Remcos’s stager can bypass Microsoft Windows’ User Account Control (UAC) by hijacking the Windows Registry, so that the primary Remcos payload executes with high-level system privileges. To maintain persistent access to a compromised system, Remcos adds a Windows Registry AutoStart key that executes the malware again once the infected system is restarted.
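The persistence step above is the part a defender can watch for directly. The following is an added example, not code from this page or from Remcos: it reads constructed Sysmon-style registry SetValue events (Event ID 13; the field names Image, TargetObject and Details are Sysmon's own) and flags writes to the Run/RunOnce AutoStart keys, rating an entry as suspicious when the launched binary or the writing process lives in a user-writable directory. The sample event lines and the user-writable-path heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Well-known Windows AutoStart locations (Run / RunOnce under HKLM or a user hive).
AUTOSTART_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Heuristic (an assumption for this example): binaries launched from these
# user-writable directories deserve a closer look than ones under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)

# Constructed Sysmon-style Event ID 13 (RegistryEvent SetValue) lines, key="value" form.
SAMPLE_EVENTS = [
    r'EventID="13" Image="C:\Windows\explorer.exe" TargetObject="HKLM\System\CurrentControlSet\Services\Foo\Start" Details="DWORD (0x00000002)"',
    r'EventID="13" Image="C:\Users\Alice\AppData\Roaming\svchost32.exe" TargetObject="HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\Updater" Details="C:\Users\Alice\AppData\Roaming\svchost32.exe"',
    r'EventID="13" Image="C:\Program Files\Vendor\setup.exe" TargetObject="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater" Details="C:\Program Files\Vendor\updater.exe"',
    r'EventID="12" Image="C:\Windows\regedit.exe" TargetObject="HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\Old"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    value_name: str   # name of the Run/RunOnce value that was written
    image: str        # process that performed the registry write
    details: str      # command line stored in the value
    suspicious: bool  # True when image or details point into a user-writable path


def parse_event(line):
    """Turn one key="value" event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def check_autostart(event):
    """Return a Finding for a SetValue event on an AutoStart key, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    if not AUTOSTART_KEY_RE.search(target):
        return None
    image, details = event.get("Image", ""), event.get("Details", "")
    suspicious = bool(USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(image))
    return Finding(target.rsplit("\\", 1)[-1], image, details, suspicious)


def scan(lines):
    """Run every event line through the AutoStart check, keeping only findings."""
    return [f for f in (check_autostart(parse_event(l)) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(("SUSPICIOUS " if f.suspicious else "benign     ") + f"{f.value_name}: {f.details} (written by {f.image})")
```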
Remcos is a Windows-based application written in both C++ and Delphi. It is capable of multithreaded remote scripting for high-performance exploitation. It has multiple remote access options, such as command shell access, service manager interface, SOCKS5 remote proxy, and an easy-to-use administrator GUI.
Remcos uses a custom TCP-based protocol to establish encrypted connections and sends keepalive messages to maintain its command-and-control (C2) connection over unstable networks. These efficient and robust tools make Remcos the malware of choice for maintaining zombie botnets and proxying internet traffic through compromised hosts.
Indicators of Compromise (IOCs)