Also known as: Remcos RAT
Category: Malware
Type: Remote administration tool, remote access trojan (RAT)
Platform: Windows
Variants: RemcosRAT Pro, RemcosRAT Cracked, RemcosRAT Lite
Damage potential: Account takeover, disabling user account control (UAC), introducing backdoor vulnerabilities, data theft, keylogging, secret recording
Overview
Remcos is a remote administration tool developed by Breaking Security, an IT company based in Germany. While sold as legitimate software, Remcos can be used by hackers as part of a malware suite to infiltrate devices. As a remote access tool, Remcos lets attackers open backdoors in the victim’s device and eventually gain full access to the system.
Possible symptoms
Remcos malware commonly uses techniques such as process hollowing and process injection to evade detection while it runs, but it can still leave traces in the Windows Registry. Your device is likely infected if a registry inspection (for example, a “Registry changes” tab in an analysis report) shows a key with “Remcos” in its name, such as “HKEY_CURRENT_USER\Software\Remcos-{digits_letters}”.
Other indicators of a Remcos infection include:
- Your device frequently freezes or stutters.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Application windows pop open without any input on your part.
Sources of the infection
Remcos malware is usually delivered via infected Microsoft Office documents attached to phishing emails. When the document is opened, its embedded code modifies the Windows Registry to bypass user account control (UAC) and install Remcos. Remcos then adds an autostart key to the registry so that the malware runs again after the system is restarted.
Your device may also get infected with Remcos malware from:
- ZIP archives that are disguised as PDF documents (for example, invoices) attached to phishing emails.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
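The two registry traces described above (a key named Remcos-{digits_letters} under HKEY_CURRENT_USER\Software, and an autostart entry) can be checked for automatically. The following is an added example, not code from the page or from any vendor: it scans a constructed “Registry changes” listing (the line format, key names, value data and the random suffix are all made up here) and flags Remcos-style keys, while surfacing every write to the Run/RunOnce autostart locations for review, since the page does not name the autostart key Remcos uses.

```python
import re

# Constructed sample in the shape of a sandbox "Registry changes" list.
# Every path, value name, data and the random suffix are made up for this example.
SAMPLE_REGISTRY_CHANGES = """\
set HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden = 2
create HKEY_CURRENT_USER\\Software\\Remcos-8K3M2QZ7
set HKEY_CURRENT_USER\\Software\\Remcos-8K3M2QZ7\\setting = (binary data)
set HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate = C:\\Users\\Public\\svc.exe
set HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\App\\LastRun = 20240101
"""

# A key named "Remcos-" plus letters/digits directly under HKCU\Software, i.e. the
# HKEY_CURRENT_USER\Software\Remcos-{digits_letters} pattern, or anything beneath it.
REMCOS_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Remcos-[0-9A-Za-z]+(?:\\|$)", re.I)
# Common autostart locations. The autostart key Remcos adds is not named on the page,
# so every write here is reported for analyst review rather than treated as proof.
AUTOSTART = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def parse_change(line):
    """Split one 'op path [= data]' line into (op, path, data); data is None if absent."""
    op, _, rest = line.strip().partition(" ")
    path, sep, data = rest.partition(" = ")
    return op, path, (data if sep else None)


def scan_registry_changes(text):
    """Return the Remcos-style keys, the autostart writes, and an overall verdict."""
    remcos_keys, autostart_writes = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        _op, path, data = parse_change(line)
        if REMCOS_KEY.match(path):
            remcos_keys.append(path)
        elif AUTOSTART.search(path):
            autostart_writes.append((path, data))
    return {
        "remcos_keys": remcos_keys,
        "autostart_writes": autostart_writes,
        "likely_infected": bool(remcos_keys),
    }


if __name__ == "__main__":
    result = scan_registry_changes(SAMPLE_REGISTRY_CHANGES)
    print("likely infected:", result["likely_infected"])
    for key in result["remcos_keys"]:
        print("  Remcos key:", key)
    for path, data in result["autostart_writes"]:
        print("  autostart write (review):", path, "->", data)
```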
Protection
The most effective protection against Remcos malware is forming good email habits. Since it spreads primarily through infected email attachments, recognizing the signs of phishing and avoiding suspicious files goes a long way toward keeping you safe.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Use content disarm and reconstruction (CDR) tools. CDR tools can disassemble infected documents, remove the malicious code, glue the file back together, and send the clean version to the intended recipient.
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may attempt to install malware (including Remcos malware) on your device as soon as you open them.
- Use NordVPN’s Threat Protection Pro™ to scan programs and files for malware while they’re being downloaded. Along with the malware blocker, the feature also includes tools such as scam and fraud alert, which warns you when you enter a known infected website, preventing drive-by download attacks.
Removal
After discovering a Remcos infection, remove the malware using antivirus software and clean up the Windows Registry, including the autostart key Remcos adds, so the malware is not relaunched after a restart.