Remcos remote access tool offered for sales by a company called Breaking Security and the license ranges from €58.00 to €389.00 based on the license. The tool contains a number of surveillance functions.
It was first sold in hacking forums in late 2016 and from that point it get’s updated with more features continuously, the RAT gives complete remote access to the attacker and it is supported from Windows XP to all versions including server editions.
Researchers from Cisco spotted several malware campaigns that attempt to install the RAT on various endpoints. The RAT gives everything that attacker required to run an illegal bot.
Remcos RAT Distribution
Remcos advertised on various underground forums which allows threats actors to leverage this malware to launch a variety of attacks to infect the system.
Earlier this year threat actors targeted defense contractors in Turkey with Remcos, Talos now confirmed the attacker also targeting the following organizations.
- International news agencies
- Diesel equipment manufacturers and service providers operating within the maritime and energy sector
- HVAC service providers operating within the energy sector
The attack starts with a well-crafted spear phishing email that poses to be from the Turkish government agency related to tax reporting for the victim’s organization and the email contains malicious Microsoft Office and Excel documents attached.
Talos observed most of the documents are blurred and contains unclear images to lure victim’s to enable macros and view the content.
The macro in this file contains an executable when executed the macros reconstruct the executable and save in the %Temp% or %AppData% locations.
The Executable then downloads the Remcos malware which gives an attacker a complete control over the victim’s machine. The Remcos RAT is capable of monitoring keystrokes, take remote screen captures, manage files, execute commands on infected systems and more.
“Organizations should ensure that they are implementing security controls to combat Remcos, it is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to.”