Remcos

Tool updated 4 days ago (2024-09-04T12:16:17.253Z)
Remcos is a software tool that, while not inherently malicious, can be used as part of a cyber attack. The tool has been observed to possess uncommon functionalities such as man-in-the-middle (MITM) capabilities, password stealing, tracking browser history, stealing cookies, keylogging, and webcam control. It has been utilized in various phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland, distributing different malware families such as Agent Tesla, Formbook, and Remcos RAT. In addition, it has been employed as a first-stage PE payload in Mallox attacks, typically either a sample of the Remcos RAT used for remote access to the compromised network or a .NET downloader that fetches the second-stage PE payload. In recent campaigns, X-Force has identified Remcos as the most common payload, often used in conjunction with other Remote Access Trojans (RATs) such as njRAT and AsyncRAT. One instance involved a malspam message containing a VBS attachment, which acted as the first-stage downloader for the Remcos RAT. Other instances have seen the use of encrypted and decrypted Remcos payloads, with specific MD5 hashes and download URLs provided. The attackers have also used Base64-encoded PowerShell scripts to download the final payload, a variant of Remcos RAT. The distribution of Remcos has proven lucrative, with estimates suggesting a monthly income of $15,000 from sales of Remcos and other services at the VgoStore website. Furthermore, the Remcos RAT has been found in a "script protected file" with a C&C server at "84.21.172.48:1040", indicating its widespread use in cyberattacks. In another case, a ZIP archive contained HijackLoader, which loaded the Remcos RAT. Notably, Remcos RAT and Quasar RAT malware samples were found using the same beacon IP addresses, pointing to a potential shared source or operator.
Description last updated: 2024-09-04T12:16:17.215Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
Cloudeye | 2 | Cloudeye, also known as GuLoader, is a sophisticated malware that has been active for over three years and continues to evolve. First spotted in late 2019, it is an advanced shellcode-based malware downloader used to distribute a range of payloads, such as information stealers, while incorporating n
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Rat
Ransomware
Phishing
Backdoor
Loader
Trojan
Exploit
Downloader
Windows
Crypter
Ransom
Vulnerability
Ukraine
Spam
Keylogging
Cybercrime
Botnet
Encryption
Infostealer
Ukrainian
Espionage
Malware Loader
Discord
Net
Spyware
Antivirus
WinRAR
Associated Malware
ID | Type | Votes | Profile Description
GuLoader | Unspecified | 9 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
AsyncRAT | Unspecified | 6 | AsyncRAT is a form of malware, malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once installed, it can steal personal information, disrupt operations, or even hold data hostage
Xworm | Unspecified | 5 | XWorm is a multifaceted malware that has been observed to exploit vulnerabilities in ScreenConnect, a remote access software. This malware provides threat actors with remote access capabilities and the potential to spread across networks, exfiltrate sensitive data, and download additional payloads.
Remcos Rat | Unspecified | 4 | Remcos RAT is a fully functional Remote Access Trojan (RAT) malware, which has been increasingly deployed using creative techniques to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without being detected. Notably, the EXE payl
Agent Tesla | Unspecified | 4 | Agent Tesla is a type of malware, or malicious software, that exploits and damages computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d
QakBot | Unspecified | 4 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
Formbook | Unspecified | 4 | Formbook is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It was first discovered in 2016 and has since been used in various cyber attacks worldwide. The malware can infect systems through suspicious downloads, emails, or websites, often withou
Doublefinger | Unspecified | 3 | DoubleFinger, a sophisticated malware originating from China, was reported in June 2023 to be used in complex attacks aimed at stealing cryptocurrency. The malware operates as a five-stage, shellcode-style loader that conceals its payloads within PNG image files, which it downloads from the image-sh
Batcloak | Unspecified | 3 | BatCloak is a fully undetectable (FUD) malware obfuscation engine that has been used by threat actors to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository
Mallox | Unspecified | 3 | Mallox is a potent and evolving malware, first identified in 2021, that operates primarily as ransomware. It infiltrates networks predominantly via SQL servers, encrypts victims' files, and appends various extensions such as .ma1x0, .cookieshelper, and .karsovrop. Upon successful encryption, Mallox
Qbot | Unspecified | 3 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Systembc | Unspecified | 2 | SystemBC is a type of malware, or malicious software, that has been heavily utilized in cyber-attacks and data breaches. Throughout 2023, it was frequently used in conjunction with other malware like Quicksand and BlackBasta by cybercriminals to exploit vulnerabilities in computer systems. Play rans
Greetingghoul | Unspecified | 2 | GreetingGhoul is a sophisticated malware designed to steal cryptocurrency, primarily deployed through the DoubleFinger loader, a five-stage shellcode-style loader that hides payloads in PNG image files. First reported on June 12, 2023, the DoubleFinger loader uses a technique known as Process Doppel
yty | Unspecified | 2 | In late January 2018, ASERT discovered a new modular malware framework known as "yty". This malicious software, designed to exploit and damage computer systems, was found to be associated with the Donot Team, a group known for its use of modular/plugin-based malware frameworks. The yty malware focus
Targetcompany | Unspecified | 2 | TargetCompany is a known malware entity, often referred to as Mallox, Tohnichi, or Fargo in various articles and blog posts. This malicious software is designed to infiltrate and damage computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, o
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
njRAT | Unspecified | 2 | NjRAT is a remote-access Trojan (RAT) that has been prevalent in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos, AsyncRAT, Lime-RAT, Quasar RAT, BitRAT, among others. These malicious programs are typically customized for e
Amadey | Unspecified | 2 | Amadey is a sophisticated malware that has been identified as being used in various malicious campaigns. The malware is typically delivered through GuLoader, a loader known for its use in protecting payloads against antivirus detection. Analysis of the infection chains revealed encrypted Amadey payl
Smokeloader | Unspecified | 2 | Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
Agenttesla | Unspecified | 2 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Remcos Payload | Unspecified | 2 | The Remcos payload is a type of malware that is designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, o
Hijackloader | Unspecified | 2 | HijackLoader is a rapidly growing malware in the cybercrime community, designed to exploit and damage computer systems. It operates as a modular multi-stage loader with a strong focus on evading detection, making it a potent threat to cybersecurity. The malware infects systems through suspicious dow
The Protector | Unspecified | 2 | "The Protector" is a malware identified as the Visual Basic Script (VBS) version of GuLoader. This malicious software, designed to exploit and damage computer systems, infiltrates through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal infor
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once embedded in a system, DarkGate can steal personal information, disrupt operations, or hold data for ransom. Recently, the malware was
Associated Threat Actors
ID | Type | Votes | Profile Description
Darkme | Unspecified | 3 | DarkMe is a threat actor group, also known as DarkCasino or Water Hydra, that has been actively executing large-scale cyberattacks since 2022. The group primarily uses a Visual Basic spy Trojan, also named DarkMe, in its operations. This Trojan was developed by the group in 2021 and has been continu
Snake | Unspecified | 2 | Snake, also known as EKANS, is a threat actor first identified by Dragos on January 6, 2020. This malicious entity is notorious for its deployment of ransomware and keyloggers, primarily targeting business networks. The Snake ransomware variant has been linked to Iran and exhibits an industrial focu
Sidewinder | Unspecified | 2 | Sidewinder is a threat actor group that has been active since at least 2012, with possible origins in South Asia. The group has a history of malicious activities and has been linked to a variety of cyber threats, including the use of the Nim backdoor payload. Sidewinder has targeted entities in mult
Source Document References
Information about the Remcos tool was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Securelist | 4 days ago | Evolution of Mallox: from private ransomware to RaaS
SANS ISC | a month ago | Script obfuscation using multiple instances of the same function - SANS Internet Storm Center
DARKReading | a month ago | CrowdStrike 'Updates' Deliver Malware & More as Attacks Snowball
Securityaffairs | a month ago | Phishing campaigns target SMBs in Poland
Unit42 | a month ago | Accelerating Analysis When It Matters
Securityaffairs | 2 months ago | Threat actors attempted to capitalize CrowdStrike incident
Flashpoint | 3 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
Securelist | 4 months ago | APT trends report Q1 2024 – Securelist
BankInfoSecurity | 5 months ago | Steganography Campaign Targets Global Enterprises
Checkpoint | 5 months ago | 15th April – Threat Intelligence Report - Check Point Research
DARKReading | 5 months ago | Cagey Phishing Attack Drops Multiple RATs to Steal Data
DARKReading | 6 months ago | Hackers Posing as Law Firms Phish Global Orgs
CERT-EU | 6 months ago | North American manufacturing subjected to Ande Loader malware compromise
CERT-EU | 6 months ago | Cyber Security Week in Review: March 15, 2024
CERT-EU | 6 months ago | Cyber Security Week in Review: March 1, 2024
Malwarebytes | 6 months ago | Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR | Malwarebytes
Securityaffairs | 6 months ago | IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT
DARKReading | 6 months ago | UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT
CERT-EU | 8 months ago | JinxLoader Malware: Next-Stage Payload Threats Revealed