XenonStack Recommends

Security Intelligence

Remcos RAT: A Phishing Email Empowers the Attacker to take Control

Parveen Bhandari | 20 Aug 2022

Remcos Rat Virus

Remcos RAT

Remcos was initially noticed in 2016 and has since evolved. It is widely accessible on the dark web and is updated once a month with new features. It appears in an MS Office file that prompts users to enable macros when opened after being downloaded through a phishing email. Remcos completes the invasion by employing obfuscation and anti-debugging tactics, prevalent malware delivery methods.

Remcos RAT is a piece of malware that targets Windows-based computers and provides the attacker complete control over the machine. Remcos is supplied in stages to avoid discovery and uses various obfuscation and anti-debugging measures. The malware's authors keep its features updated regularly, making it a problematic enemy to combat. A keylogger, a mass-mailer, and a DynDNS service are other features.

Remcos is a threat that is both dynamic and flexible. Consider a well-run business that is knowledgeable, systematic, and professional. Remco is freely available, although the designers' identities are unknown. In addition, it is updated regularly. It usually comes in a phishing email that infects the system. It works the same way as a traditional trojan: an innocent-looking file executes a malicious script, which downloads and installs the malware. It then destroys these stages and employs anti-debugging techniques to avoid detection by standard anti-virus software.

The attacker can then take control of the infected system from afar. It's anyone's guess what the attacker will do. They use a phishing email to initially download a sample XLS file for analysis. A dangerous script was executed when this file was opened. The next assault payload was then downloaded using this obfuscated script. This payload is also obfuscated and performs the tasks listed below.

  • Another payload has been downloaded.
  • Rename and move this payload to a new location.
  • Change REGEDIT HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to run the payload when Windows starts up.

Remcos gives the attacker complete remote control over the machine once it has been infiltrated, including recording keystrokes and capturing screenshots. It can steal data from a compromised device and send it to the attacker's servers.

This backdoor collects and sends the following data to its servers:

  • Information from computers (OS version, computer name, system type, product name, primary adapter)
  • Information about the user (user access, user profile, user name, user domain)
  • Information about the processor (processor revision number, processor level, processor identifier, processor architecture)
Cyber Security Services
End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

How does Remcos RAT Virus work?

Anti-virus software is bypassed The anti-virus solutions built for scanning and detecting these types of viruses do not catch Remcos
Persistence On the targeted machine, it maintains persistence and can be present for a longer period of time.
Task Process By injecting into a Windows process, it runs as a good process, which helps it to evade Windows proprietary security solutions.
Admin Privileges Remcos disables User account control (UAC), and admin capabilities are granted.

What can Remcos RAT do?

Information Theft It is capable of stealing information from infected systems. When it is present in the system, important information can be used to make the system more vulnerable to further attacks.
Background process Many commands can be run behind the scenes that are unknown to the user. These commands can do heavy damage to the system.
Backdoor Opening Remcos opens the backdoor in infected systems. Backdoor capabilities that can execute malicious commands that compromise system security. A backdoor is a way to keep access persisted for a longer period of time.
Violation of Policy   User privacy is violated with Remco. It collects user credentials, records keystrokes, and steals user data.

Remediation Advice for Remcos RAT Malware

Security Configurations  All devices should have secure configurations applied to them.
Security Updates: Security updates should be deployed as soon as possible. These could save a lot of attacks and viruses.
Discontinue unsupported platforms  Platforms that are no longer in use are isolated from the rest of the network. Any platform which is not receiving regular updates should be discontinued.
Regular Training  Regular training reinforces IT usage norms, ensuring that all users understand not to click unsolicited links or attachments. With no regular training, it is very difficult to stop attacks and viruses on a human level.


With a weapon like Remcos Rat, one does not require to be an expert to launch sophisticated malware attacks. In the coming years, more applications by Remco will be released, luring more attackers. Metasecure keep track of such attacks and ensures complete coverage for our clients.

Click here to explore more critical Viruses and their Remediations