Remcos (Remote Control and Surveillance) is a Remote Access Tool (RAT) that anyone can purchase and use for whatever purpose they wish. The tool itself is presented as legitimate, however, although Remcos’s developers strictly forbid misuse, some cyber criminals use this tool to generate revenue by various malicious means. Research shows that many cybercriminals proliferate these infections using spam email campaigns. Some examples include “DHL Email Virus” and “Arrival Notice Email Virus”.

Remcos RAT is that it uses C++ and the CRT quite heavily. This leads to the output file being rather large (though still small by some standards) at 120kb. Another interesting thing is that Remcos allows you to extract the license (which is most likely based on the HWID) of the individual who created the stub easily by executing the file with the -l switch. If the sample is packed by a crypter that does not pass the command line parameter, you’ll have to unpack it first.

Remcos is a full-blown remote-control utility capable to handle connections to multiple systems at the same time. Its administrator has complete access to the remote machines and benefits from powerful management, surveillance and network functions. According to Cisco telemetry, Remcos has been involved in multiple malware campaigns that used various methods to avoid detection. Some of the malicious endeavors targeted defense contractors, international news agencies, Diesel equipment manufacturers, and service providers in the energy and maritime industry.

As mentioned above, Remcos is typically proliferated using spam campaigns. Users receive deceptive emails that contain malicious MS Office attachments. The messages typically state that the user has received a package, has a bill to pay, or similar. In any case, users are encouraged to open the attachment immediately. Once opened, the file encourages users to enable macro commands, otherwise, the content will not be displayed properly.

By enabling macros, users grant files permission to execute commands that infiltrate viruses into the system. This malware distribution method is simple and effective but does have flaws. The malware will only be downloaded if the user opens attachments using MS Office. If the file is opened using any other software, the virus will not be able to infiltrate the system. Furthermore, Remcos works only on the Windows Operating System and users of other platforms are safe.

For more Cyber Security Information contact us at