Remcos RAT

Malware updated 4 months ago (2024-07-24T12:17:39.406Z)
Remcos RAT is a fully functional Remote Access Trojan (RAT) that has increasingly been deployed using creative techniques to compromise and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without being detected. Notably, the Remcos RAT EXE payload employs null byte injection, a method used to evade detection by security products. The malware is commonly distributed via malicious Microsoft Office documents named Quotation.xls or Quotation.doc, likely attached to spam emails. Once activated, the executable initiates the subsequent attack stages.

Over the past year, Remcos RAT spyware has targeted organizations in Eastern Europe and accountants in the United States. It leverages an old Windows User Account Control (UAC) bypass technique and has also been used in campaigns timed ahead of tax filing deadlines in the U.S. Earlier this year, a threat actor tracked as UNC-0050, known for targeting Ukrainian organizations with Remcos RAT, was observed launching a novel attack on Ukraine's government using a rare data transfer tactic.

A specific campaign discovered in January uses a unique infection routine involving a piece of code tagged "racon". This code fetches the second-stage payload and performs connectivity checks and campaign analytics. The loader then locates and extracts the Remcos RAT code, which is smuggled onto the victim machine inside the IDAT block of an embedded steganographic .PNG image. In this campaign the downloaded payloads are remote access trojans, specifically Async RAT and Remcos RAT. The use of the same beacon IP addresses by both Remcos RAT and Quasar RAT samples suggests a connection between these threats.
Description last updated: 2024-07-24T12:15:53.607Z
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Remcos, Payload, RAT, Malware
Source Document References
Information about the Remcos RAT malware was read from the documents corpus below.