Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1123 | Audio Capture | Remcos can capture data from the system’s microphone. [3]
Enterprise | T1088 | Bypass User Account Control | Remcos has a command for UAC bypassing. [3]
Enterprise | T1115 | Clipboard Data | Remcos steals and modifies data from the clipboard. [1]
Enterprise | T1059 | Command-Line Interface | Remcos can launch a remote command line to execute commands on the victim’s machine. [3]
Enterprise | T1090 | Connection Proxy | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying. [1]
Enterprise | T1083 | File and Directory Discovery | Remcos can search for files on the infected machine. [1]
Enterprise | T1056 | Input Capture | Remcos has a command for keylogging. [3][2]
Enterprise | T1112 | Modify Registry | Remcos has full control of the Registry, including the ability to modify it. [1]
Enterprise | T1027 | Obfuscated Files or Information | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths. [2]
Enterprise | T1055 | Process Injection | Remcos has a command to hide itself through injecting into another process. [3]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [3]
Enterprise | T1105 | Remote File Copy | Remcos can upload and download files to and from the victim’s machine. [1]
Enterprise | T1113 | Screen Capture | Remcos takes automated screenshots of the infected machine. [1]
Enterprise | T1064 | Scripting | Remcos uses Python scripts. [1]
Enterprise | T1125 | Video Capture | Remcos can access a system’s webcam and take pictures. [3]
Enterprise | T1497 | Virtualization/Sandbox Evasion | Remcos searches for Sandboxie and VMware on the system. [2]

Groups

Groups that use this software:

Gorgon Group

References