Remcos RAT

Malware Profile Updated 3 months ago
Remcos RAT is a fully functional Remote Access Trojan (RAT) that has been used increasingly in sophisticated cyberattacks. It is distributed through malicious Microsoft Office documents, usually named "Quotation.xls" or "Quotation.doc", which are likely attached to spam emails. Once the executable is run, the attack progresses through subsequent stages. Notably, the Remcos RAT EXE payload uses null byte injection, a technique intended to evade detection by security products. The malware can steal personal information, disrupt operations, and potentially hold data for ransom.

In recent campaigns, the payloads being downloaded are remote access trojans, specifically Async RAT and Remcos RAT. Remcos RAT has been found targeting organizations in Eastern Europe using an old Windows UAC bypass technique, and it was involved in a campaign last March and April targeting accountants ahead of the tax filing deadline in the United States.

In another instance, a threat actor tracked as UNC-0050, known for repeatedly targeting Ukrainian organizations with Remcos RAT, was discovered launching a novel attack on the country's government using a rare data transfer tactic. The infection routine of this campaign, first identified in January, begins with a piece of code tagged "racon". This code fetches the second-stage payload and performs connectivity checks and campaign analytics. The loader then locates and extracts the Remcos RAT code, which is hidden steganographically inside the IDAT chunk of an embedded .PNG image. A decoy PDF showing a "page not found" error is downloaded and opened while Remcos RAT runs in the background.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Remcos
Rat
Payload
Loader
Spyware
Windows
Decoy
Malware
Spam
Trojan
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Remcos RAT malware was drawn from the documents listed below. This display is limited to 20 results.
DARKReading, 5 months ago: UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT
CERT-EU, 9 months ago: How Much Does Your Information Cost?
CERT-EU, a year ago: Unraveling the Illusion of Trust: The Innovative Attack Methodology Leveraging the "search-ms" URI Protocol Handler
MITRE, a year ago: REMCOS: A New RAT In The Wild
CERT-EU, a year ago: GuLoader Campaign Targets Law Firms in the US