Home
Software
Remcos

Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security.Remcos has been observed being used in malware campaigns.^[1]^[2]

ID: S0332

ⓘ

Type: TOOL

ⓘ

Platforms: Windows

Version: 1.3

Created: 29 January 2019

Last Modified: 16 April 2025

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.002	Abuse Elevation Control Mechanism:Bypass User Account Control	Remcos has a command for UAC bypassing.^[3]
Enterprise	T1123		Audio Capture	Remcos can capture data from the system’s microphone.^[3]
Enterprise	T1547	.001	Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder	Remcos can add itself to the Registry key`HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence.^[3]
Enterprise	T1115		Clipboard Data	Remcos steals and modifies data from the clipboard.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter:Windows Command Shell	Remcos can launch a remote command line to execute commands on the victim’s machine.^[3]
		.006	Command and Scripting Interpreter:Python	Remcos uses Python scripts.^[1]
Enterprise	T1083		File and Directory Discovery	Remcos can search for files on the infected machine.^[1]
Enterprise	T1105		Ingress Tool Transfer	Remcos can upload and download files to and from the victim’s machine.^[1]
Enterprise	T1056	.001	Input Capture:Keylogging	Remcos has a command for keylogging.^[3]^[2]
Enterprise	T1112		Modify Registry	Remcos has full control of the Registry, including the ability to modify it.^[1]
Enterprise	T1027		Obfuscated Files or Information	Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.^[2]
Enterprise	T1055		Process Injection	Remcos has a command to hide itself through injecting into another process.^[3]
Enterprise	T1090		Proxy	Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.^[1]
Enterprise	T1113		Screen Capture	Remcos takes automated screenshots of the infected machine.^[1]
Enterprise	T1125		Video Capture	Remcos can access a system’s webcam and take pictures.^[3]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion:System Checks	Remcos searches for Sandboxie and VMware on the system.^[2]

Groups That Use This Software

ID	Name	References
G0140	LazyScripter	^[4]
G0047	Gamaredon Group	^[5]
G0078	Gorgon Group	^[6]

Campaigns

ID	Name	Description
C0005	Operation Spalax	^[7]

References

Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.

Movatterモバイル変換