1. Home
  2. Software
  3. Remcos

Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows
Version: 1.3
Created: 29 January 2019
Last Modified: 23 December 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Remcos has a command for UAC bypassing.[3]
Enterprise T1123 Audio Capture

Remcos can capture data from the system’s microphone.[3]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3]
Enterprise T1115 Clipboard Data

Remcos steals and modifies data from the clipboard.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Remcos can launch a remote command line to execute commands on the victim’s machine.[3]
.006 Command and Scripting Interpreter: Python

Remcos uses Python scripts.[1]
Enterprise T1083 File and Directory Discovery

Remcos can search for files on the infected machine.[1]
Enterprise T1105 Ingress Tool Transfer

Remcos can upload and download files to and from the victim’s machine.[1]
Enterprise T1056 .001 Input Capture: Keylogging

Remcos has a command for keylogging.[3][2]
Enterprise T1112 Modify Registry

Remcos has full control of the Registry, including the ability to modify it.[1]
Enterprise T1027 Obfuscated Files or Information

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2]
Enterprise T1055 Process Injection

Remcos has a command to hide itself through injecting into another process.[3]
Enterprise T1090 Proxy

Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[1]
Enterprise T1113 Screen Capture

Remcos takes automated screenshots of the infected machine.[1]
Enterprise T1125 Video Capture

Remcos can access a system’s webcam and take pictures.[3]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Remcos searches for Sandboxie and VMware on the system.[2]

Groups That Use This Software

ID Name References
G0140 LazyScripter

[4]
G0078 Gorgon Group

[5]

Campaigns

ID Name Description
C0005 Operation Spalax

[6]

References

  1. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  2. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  3. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  1. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  2. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  3. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.