Remcos is a remote access trojan (RAT) with a wide range of malicious functionality: closely monitoring user activity by recording audio and video, capturing credentials, stealing digital currency, downloading additional payloads, and retrieving confidential data. Its vendor describes it as "an extensive and powerful Remote Control tool, which can be used to fully administrate one or many computers, remotely", and it was originally marketed as a remote access tool that legitimately lets a user control a system remotely.

Over the past months, Malwarebytes researchers have been tracking a unique malspam campaign delivering Remcos via financially themed emails. Remcos is often delivered via malicious documents or archive files containing scripts or executables. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, or other sensitive system information. Unlike most RATs used by malicious actors, however, Remcos is marketed as an administrative tool by the company Breaking Security, which sells it openly on its website.
I give you the tool and tutorial; it's totally free. Read this article completely and follow the steps. masterscyber
Remcos is a fully functioning RAT that gives the threat actor full control over the infected system and allows them to collect keystrokes, audio, video, screenshots, and system information. Because it has full control, Remcos is also able to download and execute additional software on the system. This Remcos distribution uses a series of scripts that ultimately result in the injection of a Remcos payload into the Windows system binary aspnet_compiler.exe. A sample infection chain for this variant is shown below:
The affected documents contain an obfuscated macro that executes a shell command, which downloads and runs the malware. The obfuscation is trivial: garbage characters are added to the real string.

To execute the downloaded malware with high privileges, the macro uses an already known UAC-bypass technique. It hijacks the registry key HKCU\Software\Classes\mscfile\shell\open\command, which Microsoft's Event Viewer (eventvwr.exe, an auto-elevating binary) queries to find the path of the Microsoft Management Console (mmc.exe), and then launches Event Viewer. Event Viewer simply executes whatever that key points to. Because the macro's shell command replaces the value with the malware's location, the malware is executed at the elevated integrity level instead of the legitimate mmc.exe.

In figure 2 we can see that when the command shell executed the downloaded malware, the integrity level was unexpectedly set to only "Medium." At this point the UAC bypass should have worked and the malware should have been executed with "High" integrity. So we took a closer look at the shell command and found erroneous backslashes ("\") in the registry path, which caused the replacement of the registry value data to fail. We first thought the technique had worked, since the malware ended up running with "High" integrity. However, it was not executed under Event Viewer. Since that attempt failed and yet the malware still ran with "High" integrity, we suspected that the malware binary has a UAC bypass of its own, which turned out to be the case, as we demonstrate later in this article.
Multi-packed Payload Binary
Remcos itself only offers the UPX and MPRESS packers to compress and obfuscate its server component. In this sample, however, the attacker went further and added another layer, a custom packer, on top of MPRESS.

Obfuscation of the malware practically ended after the two packers. As seen in the screenshots below, the strings from the unpacked binary reveal that it is the server component built from the latest Remcos v1.7.3 Pro. According to the vendor's website, Breaking-Security[.]Net, this version had just been released.
Remcos v1.7.3 and its Capabilities
The Remcos Client has five main tabs with different specific functions. Note that Remcos inverts the usual naming: the "client" is the attacker-side controller, and the "server" is the component installed on the infected system. Although most of the parameters are disabled in the free version, we were able to simulate its client-server connection.

The Connections tab is where all active connections can be monitored. Each entry contains some basic information about the installed server component and the infected system. This is also the main tab for sending commands to the infected system. The image below shows the list of commands that can be executed on the infected system, and illustrates how much control the attacker gains. Most of them are fairly common among RAT applications, and, as usual, some lean more towards intrusive spying than consented monitoring.

Automatic Tasks is probably the most interesting feature of Remcos, as we have not seen anything like it in other RATs. This feature configures the server component to execute functions automatically, without any manual action from the client, once a connection has been established. This makes it easy to set up an infiltrate-exfiltrate-exit scheme without any trigger from the attacker, which is exactly how common spyware or a malware downloader behaves.

The Local Settings tab holds the settings for the client side. The ports on which the client machine waits for connections from its servers are set here, together with the passwords to be used. Since Remcos uses the password for encryption, the listening port and the connecting server must share the same password for a connection to succeed. In effect, the password serves as both the authentication secret and the network traffic encryption key.
Remcos uses a simple RC4 algorithm, using the password as the key to encrypt and decrypt network traffic between its client and server.
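The following is an added example, not Remcos code and not from the original article: a plain RC4 implementation keyed by a shared password, used to show what "the password is both authentication and encryption" actually buys. The real Remcos packet framing is not shown on this page, so the messages below are constructed. Two consequences worth seeing in code: a stream cipher gives no integrity, so anyone who knows part of the plaintext can rewrite a captured message without the password, and a fixed password means the same keystream for every message, so XORing two captured ciphertexts cancels the keystream.

```python
"""RC4 keyed by a shared password, as an illustration of the Remcos scheme.

Added example; the RC4 core follows the textbook KSA/PRGA description and
is checked against published test vectors in the usage section below.
"""


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (KSA then PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def encrypt_with_password(password: str, plaintext: bytes) -> bytes:
    # Remcos uses the configured password directly as the RC4 key.
    return rc4(password.encode(), plaintext)


def decrypt_with_password(password: str, ciphertext: bytes) -> bytes:
    return rc4(password.encode(), ciphertext)


def tamper(ciphertext: bytes, known_plaintext: bytes, desired_plaintext: bytes) -> bytes:
    """Rewrite a captured message without knowing the password.

    c XOR known XOR desired == keystream XOR desired, i.e. a valid ciphertext
    for `desired`. Works because RC4 has no integrity protection.
    """
    if len(known_plaintext) != len(desired_plaintext):
        raise ValueError("tampering here keeps the message length unchanged")
    return bytes(c ^ k ^ d for c, k, d in zip(ciphertext, known_plaintext, desired_plaintext))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """With a fixed password every message uses the same keystream, so
    c1 XOR c2 == p1 XOR p2: the keystream drops out entirely."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    # Published RC4 test vectors (key "Key", plaintext "Plaintext", etc.).
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    assert rc4(b"Wiki", b"pedia").hex() == "1021bf0420"

    password = "remcos"            # constructed shared secret
    cmd = b"CMD:sleep"             # constructed command message
    wire = encrypt_with_password(password, cmd)
    print("decrypt ok:", decrypt_with_password(password, wire) == cmd)
    print("wrong pw  :", decrypt_with_password("other", wire))

    forged = tamper(wire, b"CMD:sleep", b"CMD:shell")
    print("forged    :", decrypt_with_password(password, forged))

    c2 = encrypt_with_password(password, b"CMD:audio")
    print("p1^p2     :", keystream_reuse_leak(wire, c2) == xor_bytes(cmd, b"CMD:audio"))
```

The practical reading: a shared RC4 password authenticates nothing (the "wrong password" case only produces garbage, which the receiver may or may not notice) and, because the key never changes, traffic from a seized configuration or a brute-forced password decrypts retroactively.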
Installation – configures the installation path, autorun registry entries, and a watchdog module that prevents termination of the process and deletion of its files and registry entries. Also included in this section is the option for the server's own UAC bypass, whose existence we suspected earlier in this article.

So it is possible that the attacker only used the document macro as a template to download and execute the binary, and never intended to rely on the script's UAC bypass, since the server binary already has the same function. It uses the same UAC bypass technique, but with an added routine that restores the modified registry value after elevation has been obtained. This makes sense: leaving the hijacked value in place would produce errors and raise the user's suspicion every time a .msc file needs to be opened.

Stealth – this section dictates whether the server should appear in the system tray. It also includes settings for some basic anti-analysis/anti-sandbox routines and an option to hide the process through injection.

Keylogger – this includes the usual parameters for a basic keylogger. Interestingly, it can also instruct the server component to remove browser cookies and stored passwords, in the hope that the user will have to retype their passwords when logging in to websites, where the keylogger can capture them.
Surveillance – gives the server an option to take periodic screenshots of the system or when specific windows are active. It also features audio capture, which can be saved locally for later retrieval.
Build – gives the option to pack the server binary using UPX and MPRESS.
The Event Log displays connection logs with the server, along with some information regarding the client’s status (updates, ports, etc.).
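Both the macro's UAC bypass described earlier (hijacking HKCU\Software\Classes\mscfile\shell\open\command and launching eventvwr.exe) and the server binary's variant that reverts the key afterwards leave the same short trace in endpoint telemetry. The following is an added detection example, not code from the article or from Remcos, run over constructed Sysmon-style events (field names follow Sysmon: Event ID 13 is a registry value set, 1 is process creation, 12 is key create/delete; Sysmon writes per-user hives as HKU\<SID>\...). The SID, file paths and timestamps are invented; the 5-minute revert window is an assumption.

```python
"""Detect the eventvwr.exe / mscfile UAC-bypass pattern in Sysmon-style events.

Added example. Three signals, in the order the technique produces them:
  1. a write to the per-user mscfile\shell\open\command key (normally absent);
  2. eventvwr.exe spawning something other than mmc.exe;
  3. the mscfile key being deleted shortly after it was set (the cleanup
     routine the Remcos server adds so .msc files keep working).
"""
import re
from datetime import datetime, timedelta

# Matches the per-user key Event Viewer consults before HKCR\mscfile.
# A value-set event appends the value name, "(Default)" for the default value.
HIJACK_KEY = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Classes\\mscfile\\shell\\open\\command"
    r"(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2017-10-04 12:00:01.000",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "UtcTime": "2017-10-04 12:00:02.000",
     "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "IntegrityLevel": "High"},
    {"EventID": 12, "UtcTime": "2017-10-04 12:00:03.000", "EventType": "DeleteKey",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile"},
    # Benign: Event Viewer really opening the console.
    {"EventID": 1, "UtcTime": "2017-10-04 12:05:00.000",
     "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "IntegrityLevel": "High"},
]


def is_mscfile_hijack_key(target_object: str) -> bool:
    return HIJACK_KEY.match(target_object) is not None


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect(events, revert_window: timedelta = timedelta(minutes=5)):
    """Return (finding, severity, detail) tuples in event order."""
    findings = []
    last_hijack_set = None
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and is_mscfile_hijack_key(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            # Even a value naming mmc.exe is suspicious here, since the
            # per-user key does not normally exist; anything else is the hijack.
            severity = "low" if "mmc.exe" in details.lower() else "high"
            findings.append(("mscfile_command_set", severity, details))
            last_hijack_set = _ts(ev)
        elif eid == 1:
            parent = ev.get("ParentImage", "").lower()
            image = ev.get("Image", "").lower()
            if parent.endswith("\\eventvwr.exe") and not image.endswith("\\mmc.exe"):
                findings.append(("eventvwr_spawned_non_mmc", "high", ev["Image"]))
        elif eid == 12 and ev.get("EventType") == "DeleteKey":
            target = ev.get("TargetObject", "").lower()
            if ("\\software\\classes\\mscfile" in target
                    and last_hijack_set is not None
                    and _ts(ev) - last_hijack_set <= revert_window):
                findings.append(("mscfile_key_reverted_after_set", "medium", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is the one to alert on: the macro variant analysed above failed precisely because its registry write went to the wrong path, so the write itself, not the later eventvwr.exe launch, is the earliest reliable point to catch. Rule 3 exists so that the server binary's revert does not leave a clean-looking registry with no record of the hijack.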
This article proves once again that one does not have to be an expert to launch fairly sophisticated malware attacks. More and more tools like Remcos are being released publicly, luring new perpetrators with their ease of use. And all it takes to be infected by one is a few clicks.

As with many RAT authors, the developer discourages malicious use of the tool by threatening a license ban if abuse is reported. In most cases this is nothing but a false shield against liability: once the thin veil of "administration tool" is removed, it stands exposed as a full-blown malware builder.