Remcos Malware

Remcos is a remote access trojan (RAT) and one of the top ten malware variants of 2021. After infecting a computer, Remcos provides an attacker with backdoor access to the infected system and collects a variety of sensitive information.

Read the Security Report Request a Demo

How Does It Work?

Remcos is commonly deployed via a phishing attack. The malware may be embedded in a malicious ZIP file masquerading as a PDF that claims to contain an invoice or order. Alternatively, the malware has also been deployed using Microsoft Office documents and malicious macros that unpack and deploy the malware.

To evade detection, Remcos uses process injection or process hollowing, which enables it to run inside a legitimate process. The malware also deploys persistence mechanisms and runs in the background to hide from users.

As a RAT, command and control (C2) is a core capability of Remcos malware. The malicious traffic is encrypted en route to the C2 server, and the attacker uses Distributed DNS to create a variety of domains for C2 servers. This makes it possible for the malware to defeat protections that rely on filtering traffic to known malicious domains.

Remcos Malware Capabilities

The Remcos malware is actually a legitimate tool sold by a German Company named Breaking Security under the name Remote Control and Surveillance and is commonly abused by hackers. Some of the key capabilities of the malware include:

  • Privilege Elevation: Remcos can gain Administrator permissions on an infected system and disable User Account Control (UAC). This makes it easier for the attacker to execute malicious functionality.
  • Defense Evasion: Remcos uses process injection to embed itself within legitimate processes, making it more difficult for antivirus to detect. Additionally, the malware can run in the background to hide itself from users.
  • Data Collection: One of the core capabilities of the Remcos malware is to collect information about the user of a computer. It can log keystrokes, capture screenshots, audio, and clipboard contents, and collect passwords from the infected system.

Impact of a Remcos Infection

Remcos is a sophisticated RAT, which means that it grants the attacker full control over the infected computer and can be used in a variety of attacks. Some of the common impacts of a Remcos infection include:

  • Account Takeover: Some of the core capabilities of Remcos are to collect passwords and keystrokes from infected computers. By stealing user credentials, an attacker can gain control over online accounts and other systems, enabling them to steal sensitive data or expand their foothold within an organization’s IT environment.
  • Data Theft: Remcos steals keystrokes and credentials but can also collect and exfiltrate other sensitive data from an organization’s systems. As a result, Remcos can be used to perform a data breach either on the initially infected computer or other systems accessed via compromised credentials.
  • Follow-On Infections: Remcos makes it possible for an attacker to deploy additional malware variants on an infected computer. This means that a Remcos infection could lead to a ransomware infection or other follow-on attack on an organization.

How to Protect Against Remcos Malware

While Remcos is a leading malware variant, organizations can protect themselves against infection by implementing security best practices. Some ways to prevent a Remcos infection include:

  • Email Scanning: Remcos is primarily distributed via C. Email scanning solutions that identify and block suspicious emails can prevent the malware from reaching users’ inboxes.
  • Content Disarm and Reconstruction (CDR): The Remcos malware is commonly embedded in document files, such as Microsoft Office files. CDR can disassemble documents, excise malicious content, and rebuild the sanitized document to be sent on to the intended recipient.
  • Domain Analysis: Remcos uses DDNS to create numerous domains to evade domain-based blocking of malicious sites. Analysis of the domain records requested by various endpoints can help to identify young and suspicious domain names that might be associated with the malware.
  • Network Traffic Analysis: Some Remcos variants directly encrypt their network traffic using AES-128 or RC4 rather than standard protocols such as SSL/TLS. Network traffic analysis can identify these unusual traffic streams and mark them for further analysis.
  • Endpoint Security: Remcos is a well-known malware variant with established indicators of compromise. Despite its defense evasion techniques, endpoint security solutions can identify and remediate it on a system.

Remcos Malware Protection with Check Point

Remcos is a sophisticated RAT and one of the leading malware threats, yet companies also face numerous malware variants and other cyber threats. Learn about the leading cybersecurity threats in Check Point’s 2022 Cyber Threat Report.

Check Point solutions protect against Remcos and other malware infections, including zero-day threat protection by Check Point Threat Emulation. Check Point Harmony Endpoint leverages industry-leading endpoint security protections to mitigate the threat of Remcos and other leading malware threats. Learn more by signing up for a free demo today.


This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.