S0332 Remcos

Remcos is a closed-source tool that is marketed as remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[3][2]

| Item | Value |
|---|---|
| ID | S0332 |
| Associated Names | |
| Type | TOOL |
| Version | 1.3 |
| Created | 29 January 2019 |
| Last Modified | 23 December 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Remcos has a command for UAC bypassing.[1] |
| enterprise | T1123 | Audio Capture | Remcos can capture data from the system’s microphone.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1] |
| enterprise | T1115 | Clipboard Data | Remcos steals and modifies data from the clipboard.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Remcos can launch a remote command line to execute commands on the victim’s machine.[1] |
| enterprise | T1059.006 | Python | Remcos uses Python scripts.[3] |
| enterprise | T1083 | File and Directory Discovery | Remcos can search for files on the infected machine.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Remcos can upload and download files to and from the victim’s machine.[3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Remcos has a command for keylogging.[1][2] |
| enterprise | T1112 | Modify Registry | Remcos has full control of the Registry, including the ability to modify it.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2] |
| enterprise | T1055 | Process Injection | Remcos has a command to hide itself by injecting into another process.[1] |
| enterprise | T1090 | Proxy | Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[3] |
| enterprise | T1113 | Screen Capture | Remcos takes automated screenshots of the infected machine.[3] |
| enterprise | T1125 | Video Capture | Remcos can access a system’s webcam and take pictures.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Remcos searches for Sandboxie and VMware on the system.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0078 | Gorgon Group | [5] |
| G0140 | LazyScripter | [6] |
References

1. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
2. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
3. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
4. Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
5. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
6. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.