Dangerous Remcos RAT Used In Attack Campaigns

The Remcos RAT, which was discovered last year by security experts, has been observed in live attacks around the world. Continue reading our article to learn more about these dangerous campaigns.

Remcos Attacks Spotted


The Remcos RAT is one of the better known tools put on sale in the various underground hacker markets. The tool has been updated several times since its inception, and its latest version was spotted being used in a series of attack campaigns. The malware was initially promoted for sale in the second half of 2016 and, depending on its configuration, can now be acquired for a price between 58 and 389 US dollars. The price fluctuates depending on the chosen license period for using the C&C servers and the number of supported clients. The current version of Remcos is 1.7.3, and it is distributed using various infected Microsoft Office documents.

The payload is delivered via crafted files named Quotations.xls or Quotation.doc, which are distributed mainly through email spam messages. The hackers use social engineering tricks to make the victims open the documents. The files themselves contain obfuscated macros which, when executed, run shell commands that bypass the User Account Control (UAC) prompts and run the malicious code with elevated privileges. The Remcos RAT is documented as using only the UPX and MPRESS1 packers to compress and hide its server component, but an in-depth analysis shows that an additional custom packer was also used. The server module is a variant based on version 1.7.3, which was released on January 23, 2017. The analysis shows that the server component can execute any of the commands and instructions available in the client versions. The client control window itself is made up of five tabs, each with its own functions:

  1. Connections – Used for monitoring all active connections. Arbitrary remote command execution is also performed through this component. The criminals can also take screenshots of the infected hosts, search for specific files, view any running processes, capture keystrokes, steal account credentials and access the webcam and microphone.

  2. Automatic Tasks – The server component can execute predefined functions without any activity from the client’s side when a connection has been established.

  3. Local Settings – This tab provides access to the client settings. This allows the attackers to configure the listening port on the client machine and the passwords necessary to connect to it. The Remcos RAT uses this password for both encrypting the network traffic using the RC4 algorithm and for authentication.

  4. Builder – This tab allows the criminals to customize key parameters of the server binary. Several subsections are available – Connection (setting up the client IP addresses and relevant ports), Installation (setting up installation-related variables), Stealth (setting up stealth protection mechanisms), Keylogger (options for the built-in keylogger), Surveillance (screenshot options) and Build (packing the server binary).

  5. Event Log – This tab displays the connection log with the server. In-depth information regarding the client’s status is also shown.
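The article notes above that the Remcos server component is compressed with the UPX and MPRESS1 packers, with a further custom packer found on closer analysis. A first-pass triage heuristic a defender can run over suspicious attachments or dropped executables is to inspect the PE section table: both named packers leave distinctive section names (UPX0/UPX1 for UPX, .MPRESS1/.MPRESS2 for MPRESS), and a packed section carries near-maximal byte entropy. The following Python script is an added example written for this page; it is not code from the article, from the Remcos tool, or from the cited analysis. The section-name list and the 7.0-bit entropy threshold are assumptions drawn from general packer knowledge rather than from the article, and the PE byte strings it scans are constructed inline (header structure only, no real executable code) so that it runs offline.

```python
"""Packer triage for PE files: section-name signatures plus per-section
entropy. Added example for this page, not code from the article or
from Remcos. Uses only the Python standard library."""
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Section names left behind by the packers named in the article.
# Assumption: taken from general knowledge of the packers, not from the article.
PACKER_SECTION_NAMES: Dict[bytes, str] = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}
# Assumed threshold: compressed/encrypted data sits close to 8.0 bits per byte.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, raw_bytes) for every section. Raises ValueError on
    anything that is not a well-formed PE layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    try:
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        table = coff + 20 + opt_size         # section table follows the optional header
        sections = []
        for i in range(num_sections):
            # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
            name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
                "<8sIIII", data, table + i * 40)
            raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
            sections.append((name.rstrip(b"\0"), raw))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sections


def triage(data: bytes) -> Dict[str, list]:
    """Report packers identified by section name and sections whose raw
    bytes look compressed. A hit is a reason to look closer, not a verdict."""
    packers = set()
    high_entropy = []
    for name, raw in parse_sections(data):
        if name in PACKER_SECTION_NAMES:
            packers.add(PACKER_SECTION_NAMES[name])
        if shannon_entropy(raw) >= HIGH_ENTROPY_BITS:
            high_entropy.append(name)
    return {"packers": sorted(packers), "high_entropy_sections": high_entropy}


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE-shaped byte string for testing (constructed
    input, not a real binary): DOS header, PE signature, COFF header with
    no optional header, a section table, then each section's raw bytes."""
    n = len(sections)
    headers_len = 0x40 + 4 + 20 + 40 * n
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)
    table, payload, raw_ptr = b"", b"", headers_len
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0, len(raw),
                             raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(raw)
        payload += raw
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    # Constructed samples: one with UPX-style sections holding uniform bytes,
    # one with ordinary section names and low-entropy contents.
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4),
                              (b".rsrc", b"\0" * 32)])
    clean = build_sample_pe([(b".text", b"\x90" * 64), (b".data", b"\0" * 64)])
    print("packed sample:", triage(packed))
    print("clean sample: ", triage(clean))
```

The custom packer mentioned in the analysis leaves no known section name, which is why the entropy check runs alongside the name match: a high-entropy section with an innocuous name is still worth a second look. Both signals produce false positives on legitimately compressed or encrypted resources, so the output is a triage prioritisation, not a detection by itself.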

Various attack campaigns are being carried out globally. To protect computers from this dangerous threat and remove active infections, we recommend that everyone use a quality anti-spyware solution.


Author: Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
