Remcos RAT Malware being Distributed as Spam Mail

Remcos is a RAT (Remote Administration Tool) malware that has been distributed through spam mail for the past few years. Its developer sells it on the website shown below, describing it as a RAT tool for remote management, and has updated it regularly up to the present.

Figure 1 – Website of Remcos

According to the features described on the Remcos website, it can be used for remote assistance or for deleting and tracking sensitive data in case of theft, and these features are indeed present in the tool.

However, it also offers various features that can be used for malicious purposes, such as keylogging, screenshot capture, control of the webcam and microphone, and the extraction of browser history and passwords stored on the infected system. Additionally, it offers process injection and has an option to disguise itself as a normal program and run in the background so that the user does not notice it. Its UI is also similar to that of other common RAT-type malware that controls many infected bots.

Figure 2 – Remcos v2.6.0 Light version

The developer of Remcos advertises its legitimate features and prohibits users from using it for malicious purposes, but Remcos has numerous features that are mainly used for malicious behavior. Furthermore, attackers are constantly using Remcos as actual malware.



Distribution Method

As of now, most of the Remcos RAT samples we have found are distributed via spam mail, as shown in the figures below.

Figure 3 – Spam mail disguised as an Amazon shipping mail
Figure 4 – Spam mail disguised as an estimate, a purchase mail

The first mail carries the malware as a direct attachment: when the Amazon Detail.img disk image is extracted, Remcos RAT in .exe format is found inside. The second mail has an Excel file with a malicious macro attached. When the Excel file is opened and the macro is activated, it downloads Remcos RAT from an external server and executes it.

Figure 5 – Malicious macro file that prompts the activation of macro

The spam mails shown above are all in English, so it is difficult to say that they targeted Korean users, but the received files listed below have Korean names, implying that Korean users are also targets.

Purchase Order(lkp-2010-024)\po.exe)
Purchase Order(lkp-2020-027)(lkp-2020-027).exe)
List of Requested Data(lkp-2020-027).exe)
Estimate – ACE international 2.exe)
Attachment.exe)
20co08301 – Attachment.exe)
purchase order list.exe
DHL-Shipping_Documents0010201.exe
KONTEC QUOTE B1018530.exe
Payment.exe
PDF_Tosoh-Inquiry.exe
PI20200206APO#4567811,zip.exe
PO 456123489.exe
Quotation 52908.exe
SHIPPING-DOCUMENTS-DOC0012HD83-001HDU37.exe
Ton-Keep Co- Purchase Order.exe

Note that these names are similar to those used by other malware distributed via spam mail, such as AgentTesla, Formbook, AveMaria, etc. Furthermore, the recently found files were distributed after being packed with a .NET packer to bypass detection, which also follows the pattern of the malware mentioned above.
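The distribution pattern above (an executable hidden in a disk image, invoice and purchase-order lure names, a fake double extension, and an Excel attachment carrying a VBA macro) can be turned into a simple mail-gateway triage check. The following is an added example written for this post, not ASEC's code; the lure vocabulary and file names come from the list above, and the macro workbook is constructed in memory as a stand-in for the real lure.

```python
import io
import re
import zipfile

# Executables, and containers like the Amazon Detail.img lure that can hide one.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs"}
CONTAINER_EXTS = {".img", ".iso", ".zip", ".rar", ".7z"}
OFFICE_EXTS = {".xlsx", ".xlsm", ".xls", ".docx", ".docm"}
# Lure vocabulary taken from the file names listed on this page.
LURE_WORDS = re.compile(
    r"purchase\s*order|quot(e|ation)|estimate|inquiry|invoice|payment|shipping|\bpo\b", re.I)
# Fake double extensions such as "PI20200206APO#4567811,zip.exe".
DOUBLE_EXT = re.compile(r"[.,](zip|pdf|doc|xls)\.?(exe|scr)$", re.I)

def has_vba_project(data: bytes) -> bool:
    """OOXML workbooks keep macros in xl/vbaProject.bin inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(name: str, data: bytes = b"") -> list[str]:
    """Return the reasons an attachment should be held for review (empty = none)."""
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append("executable attachment")
    if ext in CONTAINER_EXTS:
        reasons.append("container that can hide an executable")
    if DOUBLE_EXT.search(lower):
        reasons.append("double extension")
    if LURE_WORDS.search(lower):
        reasons.append("purchase/shipping lure keyword")
    if ext in OFFICE_EXTS and has_vba_project(data):
        reasons.append("embedded VBA macro")
    return reasons

def build_macro_workbook() -> bytes:
    """Constructed stand-in for the macro lure: a minimal OOXML zip carrying a
    vbaProject.bin entry whose bytes are a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()
```

Call `classify_attachment(name, data)` per attachment; a non-empty list is a reason to quarantine the mail for analyst review rather than deliver it.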



Version of Distributed Files

The Remcos RAT developer has been constantly updating its features, and the latest version is v2.7.2, released on October 22, 2020. The following are the release dates for each version:

v2.5.0 – September 20, 2019.
v2.5.1 – June 5, 2020.
v2.6.0 – July 10, 2020.
v2.7.0 – August 10, 2020.
v2.7.1 – September 14, 2020.
v2.7.2 – October 22, 2020.

Just like other malware, Remcos RAT is distributed in packed form to bypass detection, and when the actual binary inside is extracted, the original Remcos RAT is found. As the extracted original binary has the version info hard-coded, we can identify which version of the builder was used to create the tool.

The ASEC analysis team extracted the version info from the Remcos RAT malware confirmed in the second half of this year, and the results are as follows:

Version       July    August  September  October  November
v1.7 Pro      10.0%   15.8%   8.3%       -        15.4%
v2.4.2 Pro    -       5.3%    -          -        -
v2.5.0 Pro    46.7%   15.8%   8.3%       -        -
v2.5.1 Pro    36.7%   10.5%   -          -        -
v2.6.0 Pro    6.7%    31.6%   16.7%      8.7%     -
v2.7.0 Pro    -       21.1%   50.0%      17.4%    7.7%
v2.7.1 Pro    -       -       16.7%      65.2%    7.7%
v2.7.2 Pro    -       -       -          8.7%     69.2%
Total         100%    100%    100%       100%     100%

Table 1 – Changes in versions of collected Remcos malware

The collected Remcos versions show that the version info in the samples is updated shortly after each official release. From these results, we can assume that the attacker or attackers use the official Remcos RAT builder and keep up with the latest version at every update.

Note that there is a Light version of Remcos, but all attackers use the Pro version, since the Light version has the malicious features deactivated and cannot run hidden in the background to avoid the user's eyes.

There is also steady usage of the 1.7 Pro version, because a crack for Remcos RAT 1.7 Pro is available and this version is constantly being used by several attackers. This suggests that both the latest version and the old cracked version are being used for attacks. Version 1.7 is an outdated version released on January 5, 2017, but as it is a Pro version, it still provides various malicious features, albeit fewer than the latest version.

Since the Remcos RAT malware is distributed via spam mail, users must refrain from opening the attachments of suspicious-looking emails in their inbox. Also, V3 should be updated to the latest version so that malware infection can be prevented.

[File Detection]
Trojan/Win32.Remcos.C4227198 (2020.11.18.05)
Malware/Win32.RL_Generic.C4222056
Trojan/Win32.Inject.R355833

[Behavior Detection]
Malware/MDP.Behavior.M3108

[IOC]
– Remcos MD5 included in Amazon Detail.img: dd03120a4bde595c81ab1e2310807ec8
– Remcos C&C: u875414.nvpn[.]to:2404, u875414.nsupdate[.]info:2404

– Excel MD5 included in estimate inquiry spam mails: 303dca398f49ea51434b4be7c84b854f
– Remcos download address: hxxp://192.210.214[.]146/major.exe
