S0332 Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[3][2]

| Item | Value |
|---|---|
| ID | S0332 |
| Associated Names | |
| Type | TOOL |
| Version | 1.3 |
| Created | 29 January 2019 |
| Last Modified | 23 December 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Remcos has a command for UAC bypassing.[1] |
| enterprise | T1123 | Audio Capture | Remcos can capture data from the system's microphone.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1] |
| enterprise | T1115 | Clipboard Data | Remcos steals and modifies data from the clipboard.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Remcos can launch a remote command line to execute commands on the victim's machine.[1] |
| enterprise | T1059.006 | Python | Remcos uses Python scripts.[3] |
| enterprise | T1083 | File and Directory Discovery | Remcos can search for files on the infected machine.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Remcos can upload and download files to and from the victim's machine.[3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Remcos has a command for keylogging.[1][2] |
| enterprise | T1112 | Modify Registry | Remcos has full control of the Registry, including the ability to modify it.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2] |
| enterprise | T1055 | Process Injection | Remcos has a command to hide itself through injecting into another process.[1] |
| enterprise | T1090 | Proxy | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[3] |
| enterprise | T1113 | Screen Capture | Remcos takes automated screenshots of the infected machine.[3] |
| enterprise | T1125 | Video Capture | Remcos can access a system's webcam and take pictures.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Remcos searches for Sandboxie and VMware on the system.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0078 | Gorgon Group | [5] |
| G0140 | LazyScripter | [6] |

References