{
	"id": "a17f3b9d-874c-4ac6-878d-d88fd440d446",
	"created_at": "2026-04-06T01:31:17.643183Z",
	"updated_at": "2026-04-10T03:30:57.046083Z",
	"deleted_at": null,
	"sha1_hash": "6c53bbf0ca6bc3798b69d4fe7afbb3f5fea5cb2d",
	"title": "REMCOS: A New RAT In The Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6133540,
	"plain_text": "REMCOS: A New RAT In The Wild\r\nBy Floser Bacurio and Joie Salvio\r\nPublished: 2017-02-14 · Archived: 2026-04-06 00:44:28 UTC\r\nRemcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.\r\nThis article demonstrates how this commercialized RAT is being used in an attack, and what its latest version (v1.7.3) is capable of doing. Remcos is currently being sold from $58 to $389, depending on the license period and the maximum number of masters or clients needed.\r\nMacro Executes Malware with High System Privilege\r\nWe discovered that the Remcos RAT is being distributed through malicious Microsoft Office documents going by the filenames of Quotation.xls or Quotation.doc, which are most probably attached to spam emails. The structure and behavior of these documents are very similar to the ones that we documented in our previous article, which details a malicious document macro designed to bypass Microsoft Windows’ UAC security and execute malware with high privilege.\r\nhttps://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html\r\nPage 1 of 11\n\nFigure 1: Malicious MS Office documents\r\nThe affected documents contain an obfuscated macro that executes a shell command that downloads and runs the malware. Its obfuscation is simply achieved by adding garbage characters to the actual string.\r\nTo execute the downloaded malware with high system privilege, it utilizes an already known UAC-bypass technique. It attempts to execute it under Microsoft’s Event Viewer (eventvwr.exe) by hijacking a registry key (HKCU\\Software\\Classes\\mscfile\\shell\\open\\command) that Event Viewer queries to find the path of the Microsoft Management Console (mmc.exe). The Event Viewer simply executes whatever is in that path. Since the macro’s shell command replaces the value of that registry entry with the malware’s location, the malware is executed instead of the legitimate mmc.exe.\r\nFigure 2: Execution of the malware from macro\r\nIn Figure 2 we can see that when the command shell executed the downloaded malware, the integrity level was unexpectedly only set to “Medium.” At this point, the UAC bypass should have worked and the malware should have been executed with “High” integrity. So we took a closer look at the shell command and found erroneous slashes (“\\”) in the registry path that caused the unsuccessful replacement of the registry value data. It was first thought that the technique worked, since the malware was executed with a “High” integrity level in the end. However, it was not executed under the Event Viewer. Since that attempt did not work, and yet the malware was still executed with a “High” integrity level, we suspected that the malware binary itself has its own UAC-bypass technique, which was proven to be the case, as we demonstrate in the later part of this article.\r\nMulti-packed Payload Binary\r\nRemcos only includes UPX and MPRESS1 packers to compress and obfuscate its server component. In this sample, however, the attacker went further by adding another layer of custom packing on top of MPRESS1.\r\nFigure 3: Hex dumps of the packed and unpacked server component\r\nObfuscation of the malware practically ended after the two packers. As seen in the screenshots below, the strings from the unpacked binary reveal that it’s the server component built from the latest Remcos v1.7.3 Pro. According to their website, Breaking-Security[.]Net, this version was just released on Jan. 23, 2017.\r\nFigure 4: Un-obfuscated strings identifying the Remcos server component\r\nNumerous commands that the server can carry out can also be seen in plain text.\r\nFigure 5: Snippet of some commands\r\nFiguring out all the commands through code analysis is tedious work. Fortunately, their website allows anyone to download a stripped-down version of the Remcos client for free.\r\nRemcos v1.7.3 and its Capabilities\r\nThe Remcos Client has five main tabs with different specific functions. Although most of the parameters are disabled in the free version, we were able to simulate its client-server connection.\r\nThe Connections Tab is where all the active connections can be monitored. Each entry contains some basic information about the installed server component and the infected system. This is also the main tab for sending commands to the infected system. The image below shows the list of commands that can be executed on the infected system. It illustrates how much control the attacker can gain over an infected system. Most of them are fairly common in RAT applications, and as usual some of the commands lean more towards intrusive spying than consented monitoring.\r\nFigure 6: REMCOS command list\r\nAutomatic Tasks is probably the most interesting feature of Remcos, as we haven’t seen anything like it on other RATs. This feature configures the server component to automatically execute functions without any manual action from the client once a connection has been established. This makes it easy and convenient to create an infiltrate-exfiltrate-exit scheme without any trigger from the attacker, which is just how a common spyware or malware downloader behaves.\r\nFigure 7: Automatic Tasks tab\r\nThe Local Settings tab consists of settings for the client side. The ports on which the client machine waits for a connection from its servers are set here, together with the passwords to be used. Since Remcos uses the password for encryption, the listening port and the connecting server must have the same password for a successful connection. So basically, the password is used for both authentication and network traffic encryption.\r\nFigure 8: Local Settings tab\r\nRemcos uses a simple RC4 algorithm, using the password as the key, to encrypt and decrypt network traffic between its client and server.\r\nFigure 9: Uses RC4 algorithm to encrypt network traffic\r\nThe Builder tab is where the parameters of the created server binary can be customized. It can be divided into several sub-sections, as shown in the image below.\r\nFigure 10: Builder tab sub-sections\r\nConnection – sets the client IP addresses and ports that the server connects to upon installation. It also allows a password to be set for authentication and encryption.\r\nInstallation – configures the installation path, autorun registries, and a watchdog module that prevents termination of the process and deletion of its files and registries. Also included in this section is the setting for having its own UAC bypass, which we suspected to exist earlier in this article.\r\nSo, it is possible that the attacker only used the document macro as a template to download and execute the binary, and never intended to use the script’s UAC bypass since the server binary itself already has the same function. In fact, it uses the same UAC bypass technique, but this time with an added routine to revert the modified registry after gaining privilege. This is logical, because not restoring the registry can produce system errors that can raise suspicion from the user every time a .msc file needs to be opened.\r\nStealth – this section dictates whether the server should appear in the system tray. It also includes the settings for some basic anti-analysis/anti-sandbox routines and an option to hide the process through injection.\r\nKeylogger – this includes the usual parameters for a basic keylogger function. Interestingly enough, though, it can also provide the server component with a function to remove browser cookies and stored passwords. The hope is that the user will have to re-type their passwords when logging in to websites so they can be captured using the keylogger.\r\nSurveillance – gives the server an option to take periodic screenshots of the system or when specific windows are active. It also features audio capture, which can be saved locally for later retrieval.\r\nBuild – gives the option to pack the server binary using UPX and MPRESS.\r\nThe Event Log displays connection logs with the server, along with some information regarding the client’s status (updates, ports, etc.).\r\nFigure 11: Event Logs tab\r\nThe About tab contains acknowledgements and some promotions on other products that have been developed by an author named Viotto.\r\nFigure 12: About tab\r\nConclusion\r\nThis article proves once again that one does not have to be an expert to launch fairly sophisticated malware attacks. More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks.\r\nAs with many RAT authors, the developer discourages malicious usage of the tool through a license ban if reported. This in most cases is nothing but a false shield to guard them from liability when the thin veil of its being an administration tool is removed and it is exposed as a full-blown malware builder.\r\n-= FortiGuard Lion Team =-\r\nSamples (SHA256)\r\nfc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a - W32/Remcos.A!tr\r\n8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 - W32/Remcos.A!tr\r\n8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb - WM/Agent.9BF1!tr.dldr\r\na58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 - WM/Agent.9BF1!tr.dldr\r\nIOC\r\nDownload URL:\r\nlegacyrealestateadvisors[.]net/brats/remmy.exe\r\nC\u0026C:\r\nremcos2.legacyrealestateadvisors[.]net\r\nremcos.legacyrealestateadvisors[.]net\r\nAdded Files (paths can be changed in the builder):\r\n%temp%\\remmy.exe – copy of server\r\n%ProgramFiles%\\AudioHD\\Drivers.dat – keylog data\r\n%ProgramFiles%\\AudioHD\\AudioHD.exe or %ProgramFiles%\\SvchostHD\\svchost.exe – copy of server\r\nAdded Registries:\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue Name: SvchostHD\r\nData: %ProgramFiles%\\SvchostHD\\svchost.exe\r\nOr\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue Name: AudioHD\r\nData: %ProgramFiles%\\AudioHD\\AudioHD.exe\r\nKey: HKCU\\Software\\-\r\nValue Name: EXEpath\r\nSource: https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
	],
	"report_names": [
		"remcos-a-new-rat-in-the-wild-2.html"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c53bbf0ca6bc3798b69d4fe7afbb3f5fea5cb2d.pdf",
		"text": "https://archive.orkl.eu/6c53bbf0ca6bc3798b69d4fe7afbb3f5fea5cb2d.txt",
		"img": "https://archive.orkl.eu/6c53bbf0ca6bc3798b69d4fe7afbb3f5fea5cb2d.jpg"
	}
}