Remcos

Remcos is a closed-source tool marketed as remote control and surveillance software by a company called Breaking Security. Remcos has been observed in use in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows
Version: 1.3
Created: 29 January 2019
Last Modified: 23 December 2022

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[1]

Enterprise T1112 Modify Registry

Remcos has full control of the Registry, including the ability to modify it.[1]

Enterprise T1115 Clipboard Data

Remcos steals and modifies data from the clipboard.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3]
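A detection check for this persistence technique, added here as an example and not taken from the ATT&CK page or from Remcos: it parses Sysmon Event ID 13 (registry value set) records and flags every value written under the per-user or machine Run/RunOnce keys. The records, image paths and value names are constructed for the example, and the "user-writable path" heuristic is an added assumption about what a suspicious entry looks like, not something the page states.

```python
"""Flag Registry Run key persistence (ATT&CK T1547.001) in Sysmon data.

Added example; not code from the ATT&CK page or from Remcos. It parses
Sysmon Event ID 13 (RegistryEvent: value set) records and reports every
value written under the per-user or machine Run/RunOnce keys, the keys a
tool like Remcos writes itself into. The records, paths and value names
below are constructed for the example.
"""
import re

# Sysmon records per-user keys as HKU\<SID>\... rather than HKCU\..., and
# machine keys as HKLM\...; 32-bit writers on 64-bit Windows land under
# WOW6432Node, so that prefix is optional in the match.
RUN_KEY_RE = re.compile(
    r"^(HKU\\[^\\]+|HKLM)\\Software\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Heuristic (an assumption, not from the page): Run entries that launch from
# user-writable locations deserve a closer look than ones under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 13 records in a simple "Field: value" layout,
# one record per "---" block: a persistence write from a user-profile path,
# a legitimate machine-wide updater, and an unrelated Explorer setting.
SYSMON_EID13 = r"""
EventType: SetValue
Image: C:\Users\alice\AppData\Roaming\rmc\client.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\rmc
Details: C:\Users\alice\AppData\Roaming\rmc\client.exe
---
EventType: SetValue
Image: C:\Program Files\Vendor\Updater.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater
Details: "C:\Program Files\Vendor\Updater.exe" /background
---
EventType: SetValue
Image: C:\Windows\explorer.exe
TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Details: DWORD (0x00000001)
"""


def parse_events(text: str) -> list:
    """Split the record text into one dict of fields per event."""
    events = []
    for chunk in text.strip().split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_run_key(target_object: str) -> bool:
    """True when the written value lives under a Run or RunOnce key."""
    return bool(RUN_KEY_RE.match(target_object))


def find_run_key_persistence(events: list) -> list:
    """Return one finding per SetValue event that targets a Run/RunOnce key."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if not is_run_key(target):
            continue
        command = ev.get("Details", "")
        hits.append({
            "hive": "HKCU" if target.upper().startswith("HKU\\") else "HKLM",
            "value_name": target.rsplit("\\", 1)[-1],
            "command": command,
            "writer": ev.get("Image", ""),
            "user_writable_path": bool(USER_WRITABLE_RE.search(command)),
        })
    return hits


if __name__ == "__main__":
    for hit in find_run_key_persistence(parse_events(SYSMON_EID13)):
        flag = "SUSPICIOUS" if hit["user_writable_path"] else "review"
        print(f"{flag}: {hit['hive']}\\...\\Run\\{hit['value_name']} -> {hit['command']} (written by {hit['writer']})")
```

On a live host the same key can be read directly with `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run`; the Sysmon approach adds who wrote the value and when, which is what an investigation needs.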

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Remcos can launch a remote command line to execute commands on the victim’s machine.[3]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Remcos uses Python scripts.[1]

Enterprise T1113 Screen Capture

Remcos takes automated screenshots of the infected machine.[1]

Enterprise T1083 File and Directory Discovery

Remcos can search for files on the infected machine.[1]

Enterprise T1027 Obfuscated Files or Information

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2]
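The RC4-plus-base64 layering named above, as an added worked example (not the ATT&CK page's or Remcos's own code): plain RC4 with a base64 wrapper, and a known-plaintext key check an analyst can use when the decoded string is expected to be a Registry path. The key, the plaintext and the exact layering order (base64 outside RC4) are assumptions made for the example; the page does not describe the real storage format.

```python
"""Decode base64 + RC4 obfuscated strings (ATT&CK T1027).

Added example; not code from the ATT&CK page or from Remcos. Remcos wraps
data such as Registry entries and file paths in RC4 and base64; this block
implements plain RC4, the base64 wrapper assumed here, and a known-plaintext
key check. The key and plaintext are constructed for the example.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm, then XOR with the keystream.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, text: str) -> str:
    """RC4 then base64, the layering assumed here for a stored string."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> str:
    """Reverse of obfuscate(): base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


def recover_key(blob: str, candidates, expected_prefix: str):
    """Known-plaintext key check. A Registry path or file path has a
    predictable start (for example 'HKCU\\'), so try candidate keys pulled
    from the sample's strings and keep the one whose output starts that way.
    RC4 carries no integrity check: a wrong key just yields different bytes,
    never an error, so the prefix test is what tells the keys apart."""
    raw = base64.b64decode(blob)
    want = expected_prefix.encode("utf-8")
    for key in candidates:
        if rc4(key, raw).startswith(want):
            return key
    return None


# Constructed sample: key and plaintext are made up for the example.
SAMPLE_KEY = b"pass"
SAMPLE_PLAINTEXT = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_BLOB = obfuscate(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB)
    print("decoded:   ", deobfuscate(SAMPLE_KEY, SAMPLE_BLOB))
    print("key found: ", recover_key(SAMPLE_BLOB, [b"admin", b"1234", b"pass"], "HKCU\\"))
```

The `rc4()` routine can be checked against the public test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3) before trusting it on a real sample; a candidate-key list for `recover_key()` normally comes from the sample's own string table or its configuration resource.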

Enterprise T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Remcos has a command for UAC bypassing.[3]

Enterprise T1497.001 Virtualization/Sandbox Evasion: System Checks

Remcos searches for Sandboxie and VMware on the system.[2]
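The kind of host check this technique describes, as an added example rather than Remcos's own code: the Sandboxie and VMware artifacts an implant typically looks for, evaluated against an inventory passed in as data so the logic runs anywhere. The page only says Remcos looks for Sandboxie and VMware; the specific artifacts used here (SbieDll.dll, VMware Tools processes and services, VMware MAC OUIs) are the commonly documented ones and are an assumption about what Remcos actually checks. The three inventories are constructed.

```python
"""Sandboxie / VMware presence checks (ATT&CK T1497.001).

Added example; not Remcos's own code. It shows the host-artifact checks an
implant uses to decide whether it runs under Sandboxie or inside a VMware
guest, evaluated against an inventory passed in as data. The artifacts are
the commonly documented ones and are an assumption about what Remcos
checks; the inventories below are constructed.
"""
from dataclasses import dataclass

# Sandboxie injects SbieDll.dll into every process it sandboxes.
SANDBOXIE_MODULES = {"sbiedll.dll"}
# VMware Tools user-mode processes and service/driver names inside a guest.
VMWARE_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe"}
VMWARE_SERVICES = {"vmtools", "vmhgfs", "vmmouse", "vmci", "vmusbmouse"}
# OUIs registered to VMware, Inc.
VMWARE_MAC_OUIS = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56")


@dataclass
class HostInventory:
    loaded_modules: list   # module names in the current process
    processes: list        # running process image names
    services: list         # installed service / driver names
    mac_addresses: list    # adapter MACs as "aa:bb:cc:dd:ee:ff"


def sandbox_indicators(inv: HostInventory) -> list:
    """Return the "family:kind:value" indicators present in the inventory."""
    hits = []
    mods = {m.lower() for m in inv.loaded_modules}
    for m in sorted(mods & SANDBOXIE_MODULES):
        hits.append(f"sandboxie:module:{m}")
    procs = {p.lower() for p in inv.processes}
    for p in sorted(procs & VMWARE_PROCESSES):
        hits.append(f"vmware:process:{p}")
    svcs = {s.lower() for s in inv.services}
    for s in sorted(svcs & VMWARE_SERVICES):
        hits.append(f"vmware:service:{s}")
    for mac in inv.mac_addresses:
        oui = mac.lower()[:8]
        if oui in VMWARE_MAC_OUIS:
            hits.append(f"vmware:mac_oui:{oui}")
    return hits


def looks_sandboxed(inv: HostInventory) -> bool:
    """The decision an implant makes: any indicator means bail out."""
    return bool(sandbox_indicators(inv))


# Constructed inventories: a physical host, a Sandboxie-wrapped process, and
# a VMware guest with VMware Tools installed.
CLEAN_HOST = HostInventory(
    loaded_modules=["ntdll.dll", "kernel32.dll"],
    processes=["explorer.exe", "chrome.exe"],
    services=["wuauserv", "Dnscache"],
    mac_addresses=["f0:de:f1:12:34:56"],
)
SANDBOXIE_HOST = HostInventory(
    loaded_modules=["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    processes=["explorer.exe"],
    services=["wuauserv"],
    mac_addresses=["f0:de:f1:12:34:56"],
)
VMWARE_GUEST = HostInventory(
    loaded_modules=["ntdll.dll", "kernel32.dll"],
    processes=["explorer.exe", "vmtoolsd.exe"],
    services=["Dnscache", "VMTools"],
    mac_addresses=["00:0c:29:aa:bb:cc"],
)

if __name__ == "__main__":
    for name, inv in [("clean", CLEAN_HOST), ("sandboxie", SANDBOXIE_HOST), ("vmware", VMWARE_GUEST)]:
        print(name, looks_sandboxed(inv), sandbox_indicators(inv))
```

For an analyst the practical consequence is the inverse of the check: a sandbox that leaves these artifacts visible will see the sample exit early and record almost no behaviour, so either hide them (rename or hook the relevant lookups, spoof the adapter OUI) or patch the check out of the sample before detonation.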

Enterprise T1125 Video Capture

Remcos can access a system’s webcam and take pictures.[3]

Enterprise T1105 Ingress Tool Transfer

Remcos can upload and download files to and from the victim’s machine.[1]

Enterprise T1056.001 Input Capture: Keylogging

Remcos has a command for keylogging.[3][2]

Enterprise T1055 Process Injection

Remcos has a command to hide itself through injecting into another process.[3]

Enterprise T1123 Audio Capture

Remcos can capture data from the system’s microphone.[3]

Groups That Use This Software

Campaigns

ID Name Description
C0005 Operation Spalax

[6]

References