Remcos

Remcos is a closed-source tool marketed as remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1123 | Audio Capture | Remcos can capture data from the system's microphone.[3] |
| Enterprise | T1088 | Bypass User Account Control | Remcos has a command for UAC bypassing.[3] |
| Enterprise | T1115 | Clipboard Data | Remcos steals and modifies data from the clipboard.[1] |
| Enterprise | T1059 | Command-Line Interface | Remcos can launch a remote command line to execute commands on the victim's machine.[3] |
| Enterprise | T1090 | Connection Proxy | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[1] |
| Enterprise | T1083 | File and Directory Discovery | Remcos can search for files on the infected machine.[1] |
| Enterprise | T1056 | Input Capture | Remcos has a command for keylogging.[3][2] |
| Enterprise | T1112 | Modify Registry | Remcos has full control of the Registry, including the ability to modify it.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2] |
| Enterprise | T1055 | Process Injection | Remcos has a command to hide itself by injecting into another process.[3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3] |
| Enterprise | T1105 | Remote File Copy | Remcos can upload and download files to and from the victim's machine.[1] |
| Enterprise | T1113 | Screen Capture | Remcos takes automated screenshots of the infected machine.[1] |
| Enterprise | T1064 | Scripting | Remcos uses Python scripts.[1] |
| Enterprise | T1125 | Video Capture | Remcos can access a system's webcam and take pictures.[3] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Remcos searches for Sandboxie and VMware on the system.[2] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0078 | Gorgon Group | [4] |

References