A new and improved Remote Administration Tool (RAT) is now seeing action, researchers said.
Remcos is a RAT that went up for sale during the second half of last year and is available starting at $58 and rising to $389, depending on the selected license period and number of “masters” or clients.
Available as version 1.7.3 at the moment, the malware is distributed via malicious Office documents named Quotation.xls or Quotation.doc, supposedly delivered via email.
The malicious documents include obfuscated macros designed to call shell commands to bypass User Account Control (UAC) and execute the malware with elevated privileges, researchers said. Abusing Event Viewer (eventvwr.exe) for privilege escalation, the UAC-bypass technique has been adopted by various threats recently, including ransomware.
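A detection-side illustration of the two behaviours described above (an Office macro launching a shell, and Event Viewer spawning something other than its normal mmc.exe child). This is an added example, not code from Fortinet or from the article; it assumes Sysmon Event ID 1 style process-creation records with `Image`, `ParentImage` and `CommandLine` fields, and the sample records below are constructed, not real telemetry.

```python
import ntpath

# Constructed Sysmon-style process-creation records (sample input, not real logs).
SAMPLE_EVENTS = [
    # Normal Event Viewer launch: eventvwr.exe hands off to mmc.exe with eventvwr.msc.
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    # Macro in a lure spreadsheet launching a command shell (constructed first stage).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c start eventvwr.exe"},
    # Event Viewer spawning a shell instead of mmc.exe: the UAC-bypass pattern.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "CommandLine": r"cmd.exe /c C:\Users\user\AppData\Local\Temp\PLACEHOLDER_server.exe"},
    # Unrelated benign activity that must not alert.
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

# Hypothetical allow/deny sets for the two rules; tune to the environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _base(path):
    """Case-insensitive file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def eventvwr_anomalies(events):
    """Events where eventvwr.exe spawned anything other than its expected mmc.exe child."""
    return [e for e in events
            if _base(e["ParentImage"]) == "eventvwr.exe" and _base(e["Image"]) != "mmc.exe"]


def office_shell_launches(events):
    """Events where an Office host spawned a command or script interpreter (macro execution)."""
    return [e for e in events
            if _base(e["ParentImage"]) in OFFICE_HOSTS and _base(e["Image"]) in SHELLS]


if __name__ == "__main__":
    for e in eventvwr_anomalies(SAMPLE_EVENTS) + office_shell_launches(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["CommandLine"])
```

Either rule alone is noisy in some environments (administrators do script Office, and some tooling wraps Event Viewer), so treat a hit on both within a short window on one host as the high-confidence signal.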
The Remcos RAT ships with only the UPX and MPRESS1 packers to compress and obfuscate its server component, but the analyzed sample revealed an extra custom packer layered on top of MPRESS1, with no other obfuscation beyond this. The server component was built from the latest Remcos v1.7.3 Pro variant, which was released on Jan. 23, according to the developer’s website.
The code also revealed the commands the server can carry out, all of which are also included in the free, stripped-down client version available through the developer’s website. The Remcos Client features five main tabs, each with specific functions, namely Connections, Automatic Tasks, Local Settings, Builder, and Event Log.
Through the Connections tab, one can monitor all active connections and can view basic information on the installed server component and the infected system for each of them, Fortinet researchers said in a post. This tab allows the sending of commands to the infected system, allowing an actor to take screenshots of the targeted machine, search for files, view running processes, execute commands, log keystrokes, steal passwords, access the webcam and microphone, download and execute code, and more.
While most of the commands are common to RATs, the Automatic Tasks tab in Remcos is a feature new to applications in this category. Through it, the server component can be configured to automatically execute functions without any manual action from the client once a connection has been established. Through this feature, an actor can easily create an infiltrate-exfiltrate-exit scheme that doesn’t require manual triggers, something usually seen in spyware or malware downloaders, the security researchers said.