Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Remcos can capture data from the system’s microphone.[3]

Enterprise T1088 Bypass User Account Control

Remcos has a command for UAC bypassing.[3]

Enterprise T1115 Clipboard Data

Remcos steals and modifies data from the clipboard.[1]

Enterprise T1059 Command-Line Interface

Remcos can launch a remote command line to execute commands on the victim’s machine.[3]

Enterprise T1090 Connection Proxy

Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[1]

Enterprise T1083 File and Directory Discovery

Remcos can search for files on the infected machine.[1]

Enterprise T1056 Input Capture

Remcos has a command for keylogging.[3][2]

Enterprise T1112 Modify Registry

Remcos has full control of the Registry, including the ability to modify it.[1]

Enterprise T1027 Obfuscated Files or Information

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2]
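The decoding side of that obfuscation, as an added analyst example (not code from ATT&CK, the cited reports, or Remcos itself): the page states only that RC4 and base64 are used, so the key, the sample strings and the candidate-key list below are all constructed for the demonstration, and the key-scheduling details of any real sample are an assumption you would replace with values recovered from the binary. The block implements textbook RC4, round-trips a constructed string through RC4 and base64, and shows a small key-trial loop that keeps only decodings that come out as printable text.

```python
import base64
import string

# Constructed values for the demonstration only; a real sample's key is recovered
# from the binary, not assumed.
DEMO_KEY = b"example-key-not-real"
DEMO_PLAINTEXT = r"HKCU\Software\Example\Remcos-like-config"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric: one function both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: str) -> str:
    """RC4-encrypt then base64-encode, the layering the page describes."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> bytes:
    """Reverse the layering: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


def is_printable(data: bytes) -> bool:
    """Plausibility filter: a correct key yields printable ASCII; a wrong key yields noise."""
    allowed = set(string.printable.encode("ascii"))
    return len(data) > 0 and all(b in allowed for b in data)


def try_keys(blob: str, candidate_keys: list[bytes]) -> list[tuple[bytes, str]]:
    """Trial-decode a blob with each candidate key and keep only printable results."""
    hits = []
    for key in candidate_keys:
        plain = deobfuscate(key, blob)
        if is_printable(plain):
            hits.append((key, plain.decode("ascii")))
    return hits


if __name__ == "__main__":
    blob = obfuscate(DEMO_KEY, DEMO_PLAINTEXT)
    print("obfuscated:", blob)
    for key, text in try_keys(blob, [b"wrong-key", DEMO_KEY, b"another-wrong-key"]):
        print(f"key {key!r} -> {text}")
```

In practice the key is often found adjacent to the encrypted configuration inside the binary, so the candidate list is short; the printable-text filter is what lets a script discard wrong guesses without eyeballing each result.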

Enterprise T1055 Process Injection

Remcos has a command to hide itself through injecting into another process.[3]

Enterprise T1060 Registry Run Keys / Startup Folder

Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3]
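A hunting check for that persistence location, added here as an example and not taken from ATT&CK or the cited reports: it parses the text that `reg query` prints for the Run key and flags values whose executable lives in a user-writable directory (AppData, Temp, Downloads, Public), which is where a self-installed copy of a tool like this ends up, rather than under Program Files. The sample `reg query` output and the value names in it are constructed; the path markers and the parsing of the `reg query` layout are the author's assumptions for this example.

```python
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg query HKCU\...\Run` output; names and paths are invented.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Updater\updater.exe
    Vendor Tray    REG_EXPAND_SZ    %ProgramFiles%\Vendor\tray.exe /silent
"""

# One value line: four-space indent, name, type, data, separated by four spaces.
RUN_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Path fragments that a standard user can write to (assumed list, extend for your estate).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
)


def parse_run_entries(reg_output: str) -> list[dict]:
    """Turn `reg query` text into a list of {name, type, data} dicts."""
    entries = []
    for line in reg_output.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def extract_exe_path(data: str) -> str:
    """Pull the executable path out of a value's data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def is_user_writable(path: str) -> bool:
    """True when the path sits under a directory an unprivileged user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def suspicious_entries(reg_output: str) -> list[str]:
    """Names of Run values whose executable is in a user-writable location."""
    return [
        e["name"] for e in parse_run_entries(reg_output)
        if is_user_writable(extract_exe_path(e["data"]))
    ]


if __name__ == "__main__":
    for name in suspicious_entries(SAMPLE_REG_QUERY):
        print(f"review {RUN_KEY}\\{name}")
```

The heuristic deliberately over-triggers: OneDrive legitimately runs from AppData and would be flagged alongside the unknown "Updater" entry, so pair it with an allow list of known-good names or signed binaries before turning it into an alert.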

Enterprise T1105 Remote File Copy

Remcos can upload and download files to and from the victim’s machine.[1]

Enterprise T1113 Screen Capture

Remcos takes automated screenshots of the infected machine.[1]

Enterprise T1064 Scripting

Remcos uses Python scripts.[1]

Enterprise T1125 Video Capture

Remcos can access a system’s webcam and take pictures.[3]

Enterprise T1497 Virtualization/Sandbox Evasion

Remcos searches for Sandboxie and VMware on the system.[2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group [4]

References