What Is Remcos?
Remcos (short for Remote Control and Surveillance) is a commercial remote administration application for Windows XP and newer that threat actors have weaponized. It is a closed-source product marketed for network maintenance, system monitoring, surveillance, and penetration testing, but attackers use it to control compromised systems remotely. Although the vendor, Breaking Security, maintains that Remcos is a legitimate security tool, CISA has classified it as malware and included it in its list of the top malware strains of 2021.
Because of its broad feature set and its ability to maintain persistent, high-privileged remote control of a victim’s system, Remcos can be put to almost any malicious use. It is commonly used to steal credentials, to intercept internet connections in man-in-the-middle (MITM) attacks, and to orchestrate botnets of zombie hosts that launch synchronized distributed denial-of-service (DDoS) attacks. It was first released in 2016 and is sold for £58–389 ($66–439), depending on the number of licenses and features included.
How Remcos Works
Remcos is distributed through email phishing campaigns that use social engineering lures, such as COVID-related spam, to trick targets into opening malicious Microsoft Office documents. If the target opens the attached document and enables macros, the Remcos stager can bypass Windows User Account Control (UAC) by hijacking Windows Registry entries so that the primary Remcos payload runs with high-level system privileges. To survive a reboot, Remcos adds an AutoStart entry to the Windows Registry that launches the malware each time the infected system restarts.
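Two steps of that chain leave distinct traces on the endpoint: the Office application launching a shell or script host once macros are enabled, and the dropped executable writing an autostart value under a Run/RunOnce key. The detection logic below is an added example, not code from the article or from the Remcos vendor; the events are constructed JSON lines shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), and every path, SID and value name in them is made up.

```python
"""Flag an Office-spawned shell and a Run-key autostart write in Sysmon-style events.

Added example, not from the article. Field names follow Sysmon's Event ID 1
(Image/ParentImage) and Event ID 13 (Image/TargetObject); adapt them to your
own log pipeline. All sample values are constructed."""
import json

# Office hosts that should not normally launch shells or script engines.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Autostart locations: ...\CurrentVersion\Run\<value> and ...\RunOnce\<value>.
AUTOSTART_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict):
    """Flag an Office parent launching a shell or script host (macro stager)."""
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"office-macro-child: {parent} -> {child}"
    return None


def check_registry_event(ev: dict):
    """Flag a write to a Run/RunOnce key (persistence across reboots)."""
    target = ev.get("TargetObject", "").lower()
    if any(frag in target for frag in AUTOSTART_FRAGMENTS):
        return f"autostart-persistence: {_basename(ev.get('Image', ''))} set {ev.get('TargetObject')}"
    return None


def scan(lines):
    """Run both checks over JSON event lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1:
            hit = check_process_event(ev)
        elif eid == 13:
            hit = check_registry_event(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (paths, SID and value name are made up).
SAMPLE_EVENTS = [json.dumps(ev) for ev in [
    {"EventID": 1,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 13,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysUpdate"},
    {"EventID": 13,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\LastSave"},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first and third events fire: the Word-to-cmd.exe launch and the Run-key write from a freshly dropped executable in a user's Temp directory. The fourth event shows why the key match is anchored on the Run/RunOnce path rather than on "anything Word writes to the registry", since Office writes to its own keys constantly.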
Remcos is a Windows-based application written in both C++ and Delphi. It is capable of multithreaded remote scripting for high-performance exploitation. It has multiple remote access options, such as command shell access, service manager interface, SOCKS5 remote proxy, and an easy-to-use administrator GUI.
Remcos uses a custom TCP-based protocol with encrypted connections and keepalive messages to maintain its command-and-control (C2) channel over unstable networks. These efficient and robust mechanisms make Remcos a malware of choice for running zombie botnets and proxying internet traffic through compromised hosts.
Signs of a Remcos Attack
Because Remcos is a precompiled, proprietary application, its binaries produce consistent hash signatures. Most malware scanners can therefore detect the primary Remcos payload by hash: at the point of entry when it enters the network or host unencrypted, or at execution time when it arrives in an encrypted form that hides the hash in transit.
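The following added example (not code from the article) shows that distinction with a hash blocklist: a constructed "known-bad" file matches when it crosses the network in the clear, a trivially XOR-wrapped copy of the same bytes does not, and both match once the wrapper is removed on the host before execution. The payload bytes, blocklist entry and wrapper are all stand-ins constructed for the demonstration; a real blocklist would hold SHA-256 values from a threat-intelligence feed.

```python
"""Hash-blocklist matching at network ingress versus at execution time.

Added example, not from the article. KNOWN_BAD is a constructed stand-in, not
real Remcos bytes, and xor_wrap stands in for whatever encryption layer a
dropper applies while the payload is in transit."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_blocklist(samples: dict, blocklist: set) -> list:
    """Names of samples whose SHA-256 is on the blocklist, in input order."""
    return [name for name, data in samples.items() if sha256_hex(data) in blocklist]


def xor_wrap(data: bytes, key: int) -> bytes:
    """Reversible stand-in for the in-transit encryption layer (constructed)."""
    return bytes(b ^ key for b in data)


# Constructed stand-in for a precompiled payload and its blocklist entry.
KNOWN_BAD = b"MZ" + bytes(range(256)) + b"constructed-demo-payload"
BLOCKLIST = {sha256_hex(KNOWN_BAD)}
WRAP_KEY = 0x5A

# What a network sensor sees: one raw copy, one wrapped copy, one benign file.
ON_THE_WIRE = {
    "invoice.exe": KNOWN_BAD,
    "invoice_wrapped.bin": xor_wrap(KNOWN_BAD, WRAP_KEY),
    "tool.exe": b"MZ" + bytes(range(256)) + b"benign-demo",
}


def unwrap_at_execution(samples: dict) -> dict:
    """Model the host: wrapped payloads are decoded before they run, so hash the decoded bytes."""
    return {
        name: (xor_wrap(data, WRAP_KEY) if name.endswith("_wrapped.bin") else data)
        for name, data in samples.items()
    }


if __name__ == "__main__":
    print("network-ingress matches:", match_blocklist(ON_THE_WIRE, BLOCKLIST))
    print("execution-time matches :", match_blocklist(unwrap_at_execution(ON_THE_WIRE), BLOCKLIST))
```

The practical consequence is the one the paragraph states: a hash match on the wire only catches the unencrypted delivery, so endpoint scanning at execution time is what closes the gap for the encrypted case.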
Other Indicators of Compromise (IOCs) Associated with Remcos
- A computer freezes often, its fan runs constantly, or it generally responds slowly
- Application windows open on their own without user interaction
- Out-of-place malvertising pop-ups appear during internet browsing
- URLs redirect users to spoofed sites with enticing offers such as free iPhones or iPads
How to Prevent a Remcos Attack
Preventing a Remcos attack requires a combination of several key defensive tactics, including:
- Installing and configuring an advanced endpoint security product on all devices to recognize Remcos as it enters the network and prevent its execution
- Ensuring that an effective and up-to-date email spam filter is in use to prevent Remcos’s first-stage attacks from reaching the inbox in the first place
- Providing user awareness training to personnel to decrease the likelihood of successful social engineering and phishing attacks
More Ways to Prevent a Successful Remcos Attack
- Use a spam filtering security product to identify first-stage Remcos phishing attachments and prevent them from hitting the inbox
- Install and configure advanced endpoint security products to detect the primary Remcos payload as it enters the network or before it executes
- Consider user awareness training to educate personnel about phishing techniques; develop standard operating procedures (SOPs) for handling suspicious emails and documents
- Configure email clients to notify users when emails originate from outside the organization
- Recognize the increased risk that files of unknown origin present and verify the context of such documents thoroughly before opening them
- Ensure Office applications are configured with the “Disable all macros without notification” or “Disable all macros except digitally signed macros” setting
- Pay special attention to warning notifications in email clients and Office applications that can alert you to suspicious content, such as files that have not been scanned for malware or that contain VBA macros
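The macro setting in the list above can be verified at scale rather than by opening each Trust Center dialog. The added example below (not code from the article) audits a .reg export of the per-application Security keys. It reads the VBAWarnings value, the documented Trust Center setting whose meanings are 1 = enable all macros, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all without notification, and reports which applications are not on one of the two recommended values. The export text is constructed; the key layout it assumes is HKCU\Software\Microsoft\Office\<version>\<App>\Security.

```python
"""Audit Office VBAWarnings values from a .reg export against the recommended settings.

Added example, not from the article. Only values 3 (disable except signed)
and 4 (disable without notification) count as compliant; the sample export
below is constructed, with Word deliberately left on value 2."""
import re

VBA_LABELS = {
    1: "Enable all macros",
    2: "Disable all macros with notification",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}
COMPLIANT = {3, 4}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"VBAWarnings"=dword:([0-9a-fA-F]{8})$')


def audit_reg_export(text: str) -> list:
    """Return (app, value, label, compliant) for every VBAWarnings value found."""
    results = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # e.g. HKEY_CURRENT_USER\...\Word\Security
            continue
        m = _VAL_RE.match(line)
        if m and current_key and "\\office\\" in current_key.lower():
            parts = current_key.split("\\")
            # The application name sits just above the Security subkey.
            app = parts[-2] if len(parts) >= 2 and parts[-1].lower() == "security" else parts[-1]
            value = int(m.group(1), 16)
            results.append((app, value, VBA_LABELS.get(value, "unknown"), value in COMPLIANT))
    return results


def noncompliant_apps(text: str) -> list:
    """Applications whose macro setting still allows a user to enable macros."""
    return [app for app, _, _, ok in audit_reg_export(text) if not ok]


# Constructed export: Word is on "disable with notification", which still lets a user click Enable.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security]
"VBAWarnings"=dword:00000002
"AccessVBOM"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Excel\\Security]
"VBAWarnings"=dword:00000004

[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security]
"VBAWarnings"=dword:00000003
"""

if __name__ == "__main__":
    for app, value, label, ok in audit_reg_export(SAMPLE_EXPORT):
        print(f"{app:<11} VBAWarnings={value} ({label}) {'OK' if ok else 'NOT COMPLIANT'}")
```

An export for one application can be produced on the host with `reg export "HKCU\Software\Microsoft\Office\16.0\Word\Security" word.reg`. Where the setting is enforced by Group Policy, the authoritative value lives under the parallel HKCU\Software\Policies\Microsoft\Office\<version>\<App>\Security key instead, so include that path in the export when auditing managed machines.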