Remcos | Malware Trends Tracker

Remcos is a remote access trojan (RAT) for Windows that has been actively developed and sold since 2016, enabling attackers to build botnets and steal data. The article outlines its distribution via phishing emails carrying macros, the vendor's frequent updates, and how to analyse the threat with ANY.RUN. #Remcos #BreakingSecurity #ANY.RUN #AZORult #Adwind

Keypoints

  • Remcos is a Windows remote access trojan sold by Breaking Security since 2016 with ongoing updates.
  • The malware offers data theft and control features (screenshots, keystrokes, C2 communications) and anti-detection capabilities.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used to lure victims via malicious attachments in spam email campaigns. ‘Remcos RAT usually gets into victims’ machines through malicious attachments in spam email campaigns.’
  • [T1203] Exploitation for Client Execution – The malware ‘pretends to be a Microsoft Word file that exploits vulnerabilities to download and execute the main payload.’
  • [T1036] Masquerading – Spread as an executable file with a convincing name or as a Microsoft Word file to trick users. ‘spread as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file.’
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Infection involves VBS script execution. ‘it started VBS script execution. Script ran command line…’
  • [T1105] Ingress Tool Transfer – Payload is downloaded from a control server. ‘download the main payload, which is Remcos itself, from a control server.’
  • [T1027] Obfuscated Files and Information – The malware is packed with a crypter so that it stays hidden from antivirus software. ‘a crypto program that enables the malware to stay hidden from antivirus software.’
  • [T1112] Modify Registry – Persistence via registry changes (autorun). ‘changing the autorun value in the registry.’
  • [T1056.001] Keyboard Input Capture: Keylogging – The malware includes a keylogger to record keystrokes. ‘a keylogger that can be used to remotely record keystrokes of the victim.’
  • [T1113] Screen Capture – Data collection via screenshots. ‘capture screenshots.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over web protocols. ‘connecting to the C2 server.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry-based persistence (autorun). ‘autorun value in the registry.’

Indicators of Compromise

  • [Registry Key] Remcos persistence indicators – HKEY_CURRENT_USER\Software\Remcos-{digits_letters}, autorun value in the registry
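As an added example (not ANY.RUN's code), the check below parses a `reg export HKCU` file and reports the Remcos-{digits_letters} key and autorun values named above; the key suffix, value names and paths in the constructed sample are made up.

```python
import re

# Constructed example: scan a `reg export HKCU` file for the persistence indicators
# this page lists (HKCU\Software\Remcos-{digits_letters} key plus an autorun value).
# Not ANY.RUN's code; the sample value names and paths below are made up.
REMCOS_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Remcos-[A-Za-z0-9]+$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}} (ignores multi-line hex)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # un-escape .reg paths
    return keys

def find_remcos_indicators(keys):
    """Return (category, key, detail) tuples. 'autorun_review' entries (Run values that
    do not mention Remcos) are only emitted when a Remcos-* key is also present."""
    hits = [("remcos_key", k, "") for k in keys if REMCOS_KEY_RE.match(k)]
    review = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            entry = (key, f"{name} = {data}")
            if "remcos" in (name + data).lower():
                hits.append(("autorun_value",) + entry)
            else:
                review.append(("autorun_review",) + entry)
    return hits + (review if hits else [])

# Constructed sample export (real .reg files are UTF-16; open them with encoding="utf-16")
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Remcos-7F3K2Q1A]
"cfg"="constructed-value"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
'''

if __name__ == "__main__":
    for cat, key, detail in find_remcos_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{cat:15} {key}  {detail}")
```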

Read more: https://any.run/malware-trends/remcos