Remcos

Tool updated a month ago (2024-11-15T16:13:56.265Z)
Remcos is a commercially available remote access tool (RAT) that threat actors have repurposed for malicious use. It has been observed in several recent campaigns, most notably those detected by X-Force, in which Remcos was the most common payload delivered. The Remcos malware code is concealed within several layers of scripting languages (JavaScript, VBScript, and PowerShell) to evade detection and to give the operator full control over Microsoft Windows devices. Threat actors have also employed other RATs, including njRAT and AsyncRAT, but Remcos remains the most prevalent.

The remodeled version of Remcos exploits a known remote code execution (RCE) vulnerability in unpatched Microsoft Office and WordPad applications. Once it bypasses anti-analysis defenses, it performs process hollowing to execute malicious code in a new process named "Vaccinerende.exe". This step both ensures persistence on the victim's device and downloads and decrypts the Remcos payload file. Remcos also includes a function that interprets control command data received from its server and executes the corresponding actions on the victim's device.

Remcos collects basic information from the victim's device, including OS details and local file paths. It sends a 4Fh command packet carrying the collected process list, which records each process name, PID, architecture (64-bit or 32-bit), and full path. The variant observed in these attacks contains the hardcoded string "5.1.2 Pro", indicating the specific version in use. To mitigate the risk posed by Remcos, it is advised to patch systems regularly, train users to recognise potential threats, and employ robust endpoint protection.
Description last updated: 2024-11-15T16:13:56.242Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias (votes): Description

Cloudeye (2 votes): Cloudeye is a possible alias for Remcos. Cloudeye, also known as GuLoader, is a sophisticated malware that has been active for over three years and continues to evolve. First spotted in late 2019, it is an advanced shellcode-based malware downloader used to distribute a range of payloads, such as information stealers, while incorporating n
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Payload
Ransomware
Phishing
Loader
Backdoor
Trojan
Windows
Downloader
Crypter
Ransom
Exploit
Cybercrime
Tool
Ukraine
Vulnerability
Spam
Botnet
Encryption
Infostealer
Ukrainian
Espionage
Malware Loader
Discord
Net
Spyware
Antivirus
WinRAR
Keylogging
PowerShell
Associated Malware
Alias (association type; votes): Description

GuLoader (Unspecified; 9 votes): GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r

XWorm (Unspecified; 7 votes): XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operati

AsyncRAT (Unspecified; 6 votes): AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra

Formbook (Unspecified; 5 votes): Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o

Remcos RAT (Unspecified; 4 votes): Remcos RAT is a fully functional Remote Access Trojan (RAT) malware, which has been increasingly deployed using creative techniques to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without being detected. Notably, the EXE payl

QakBot (Unspecified; 4 votes): Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope

Agent Tesla (Unspecified; 4 votes): Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informat

Qbot (Unspecified; 3 votes): Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23

Mallox (Unspecified; 3 votes): Mallox is a potent malware that has been causing significant disruption in the digital world. This ransomware, primarily infiltrating networks via SQL servers, has shown its ability to adapt and evolve over time. PCrisk has identified new variants of Mallox that append extensions such as .ma1x0, .co

DoubleFinger (Unspecified; 3 votes): DoubleFinger, a sophisticated malware originating from China, was reported in June 2023 to be used in complex attacks aimed at stealing cryptocurrency. The malware operates as a five-stage, shellcode-style loader that conceals its payloads within PNG image files, which it downloads from the image-sh

BatCloak (Unspecified; 3 votes): BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository

Remcos Payload (Unspecified; 3 votes): The Remcos payload is a form of malware that infiltrates computer systems and devices, causing significant damage by stealing personal information, disrupting operations, or holding data for ransom. The malware typically enters a system through suspicious downloads, emails, or websites without the u

The Protector (Unspecified; 2 votes): "The Protector" is a malware identified as the Visual Basic Script (VBS) version of GuLoader. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal infor

GreetingGhoul (Unspecified; 2 votes): GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides payloads in PNG image files. First reported on June 12, 2023, the DoubleFinger loader uses a technique known as Process Doppel

yty (Unspecified; 2 votes): In late January 2018, ASERT discovered a new modular malware framework known as "yty". This malicious software, designed to exploit and damage computer systems, was found to be associated with the Donot Team, a group known for its use of modular/plugin-based malware frameworks. The yty malware focus

TargetCompany (Unspecified; 2 votes): TargetCompany is a known malware entity, often referred to as Mallox, Tohnichi, or Fargo in various articles and blog posts. This malicious software is designed to infiltrate and damage computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, o

LokiBot (Unspecified; 2 votes): LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

NETWIRE (Unspecified; 2 votes): NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at

njRAT (Unspecified; 2 votes): NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d

Amadey (Unspecified; 2 votes): Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ

RedLine Stealer (Unspecified; 2 votes): The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s

SmokeLoader (Unspecified; 2 votes): SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct

AgentTesla (Unspecified; 2 votes): AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for rans

HijackLoader (Unspecified; 2 votes): HijackLoader is a new and rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once infiltrated, HijackLoader can steal personal

Rhadamanthys (Unspecified; 2 votes): Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact

DarkGate (Unspecified; 2 votes): DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio

SystemBC (Unspecified; 2 votes): SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f
Associated Threat Actors
Alias (association type; votes): Description

DarkMe (Unspecified; 3 votes): DarkMe is a threat actor group, also known as DarkCasino or Water Hydra, that has been active since 2022. They have gained notoriety for their use of the Trojan DarkMe in large-scale cyberattacks, primarily targeting financial institutions. The Trojan DarkMe, a Visual Basic spy Trojan, is a common t

Sidewinder (Unspecified; 2 votes): Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u
Source Document References
Information about the Remcos Tool was read from the documents corpus below. This display is limited to 20 results.

Source (created):

Unit42 (6 days ago)
DARKReading (a month ago)
Fortinet (2 months ago)
InfoSecurity-magazine (2 months ago)
Malware-traffic-analysis.net (3 months ago)
Securelist (4 months ago)
SANS ISC (5 months ago)
DARKReading (5 months ago)
Securityaffairs (5 months ago)
Unit42 (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Flashpoint (7 months ago)
Securelist (8 months ago)
BankInfoSecurity (8 months ago)
Checkpoint (8 months ago)
DARKReading (9 months ago)
DARKReading (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)