What is Remcos?
Remcos is a RAT (Remote Administration Tool), or Trojan, that was first seen being sold on various hacker forums in early 2016. The Remcos RAT is often used to attack targets and drop additional malware payloads onto the machine it infects. Remcos is typically distributed through spam email messages that carry malicious Microsoft Office document attachments containing the malware.
Remcos uses a malicious document macro designed to bypass Microsoft Windows’ UAC security and execute the malware with high privileges. The document contains a macro that runs a shell command which downloads and executes the malware.
Remcos uses a UAC-bypass technique that abuses Microsoft’s Event Viewer (eventvwr.exe) by hijacking the HKCU\Software\Classes\mscfile\shell\open\command registry key. The macro’s shell command replaces the value of that registry entry with the malware’s location, so that when Event Viewer is launched the malware is executed instead of Microsoft’s mmc.exe.
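A defender can check for this specific hijack directly: the mscfile handler normally exists only under HKLM (pointing at mmc.exe), so any copy under HKCU is abnormal. The following PowerShell check is an added example, not code from the original article or from Remcos; the function name Test-MscfileHijack and the result fields are assumptions made here.

```powershell
# Added example (not from the original article): look for the Event Viewer
# UAC-bypass registry hijack described above on the local machine.
# On a clean system HKCU:\Software\Classes\mscfile does not exist at all; the
# legitimate handler lives under HKLM and points at mmc.exe.
$HijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'

function Test-MscfileHijack {
    [CmdletBinding()]
    param([string]$Path = $HijackKey)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Present = $false; Command = $null; Suspicious = $false }
    }

    # The (Default) value holds the command that eventvwr.exe will hand to the
    # elevated mmc.exe launch, which is what the macro overwrites.
    $cmd = (Get-ItemProperty -Path $Path -ErrorAction Stop).'(default)'

    # Any per-user override is already abnormal; flag it unless it merely
    # points back at the legitimate mmc.exe.
    $suspicious = -not ($cmd -match '(?i)\\mmc\.exe')
    [pscustomobject]@{ Present = $true; Command = $cmd; Suspicious = $suspicious }
}

$result = Test-MscfileHijack
$result | Format-List

if ($result.Suspicious) {
    Write-Warning "Per-user mscfile handler found; removing the HKCU key restores the HKLM default."
    # Review $result.Command first, then drop -WhatIf to actually remove the key:
    Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -WhatIf
}
```

Run it from the user profile that opened the document, since the hijacked key lives under that user's HKCU hive rather than machine-wide.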
Remcos allows several different things to happen to a victim’s machine. It provides remote access by establishing a connection to the operator’s IP address and ports, where the server component connects. Remote access opens the machine up to many further security threats. It can drop other malware onto the infected machine, such as ransomware. It also has a basic keylogger function that can clear stored passwords, in the hope that the user will re-type them so they can be captured.
Remcos RAT campaigns typically drop ransomware variants onto the machine or use the keylogger function to obtain passwords.
Remcos is sold on the internet for around $50 – $400. The tool is marketed as a legitimate tool and can be used as one. However, it is widely known to be used maliciously, and if you find Remcos on your computer without your consent, it is a sign of an attack that should be dealt with immediately.
A sign that Remcos is running on your machine is a Command Prompt window titled Remcos 1.7 Pro (or another version) that shows messages such as [INFO] Initializing connection to C&C… and [KeepAlive] Enabled!.
Remcos removal steps
The Remcos RAT (Trojan) removal steps on this page explain how to remove Remcos malware and other threats from your computer.
Step 1: Remove malware with Malwarebytes Anti-malware
Step 2: Check your computer for malicious trace files with HitmanPro
Step 3: Clean up and fix system issues with CCleaner
1. Remove malware with Malwarebytes Anti-Malware
- Open your browser window and download Malwarebytes 3.0 Premium or Malwarebytes Anti-Malware Free.
- Open the executable file (mb3-setup.exe or other) to begin installing Malwarebytes.
- Select your language, click Next, then select “I accept the agreement,” click the Next button several times, and then click the Install button to install Malwarebytes. Click Finish once the install process is complete.
- Open Malwarebytes and click the Scan Now button on the Dashboard to begin scanning your computer. Click the Quarantine Selected button once the scan is finished.
- If Malwarebytes says “All selected items have been removed successfully. A log file has been saved to the logs folder. Your computer needs to be restarted to complete the removal process. Would you like to restart now?” click the Yes button to restart your computer.
2. Check your computer for malicious trace files with HitmanPro
- Open your browser window and download HitmanPro.
- Open the executable file (hitmanpro_x64.exe or hitmanpro_x32.exe) to begin installing HitmanPro.
- Click the Next button, check “I accept the terms of the license agreement,” and click the Next button again.
- On the Setup page select “Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended)” and add your email address to the registration fields to begin the free trial.
- Click Next to begin scanning your computer.
- Once the Scan results are displayed click the Next button and click the Next button again on the Removal results page.
3. Clean up and fix system issues with CCleaner
- Open your browser window and download CCleaner Professional or CCleaner Free.
- Open the executable file (ccsetup.exe or other) to begin installing CCleaner.
- Click the Install button to begin installing the program.
- Click Run CCleaner to open the program when installation is complete.
- Select the Cleaner tab and click the Analyze button.
- When the Analyze process is complete click the Run Cleaner button to clean all files.
- Next, select the Registry tab and click the Scan for Issues button to scan for issues in your registry.
- When the scan is complete click the Fix selected Issues button and Fix All Selected Issues button to fix the issues.
- Next, select the Tools tab and click Startup. Examine each area, search for suspicious entries, and delete any suspicious startup entries by selecting the entry and clicking the Delete button.
- Next, click Browser Plugins and search each internet browser for unwanted browser add-ons and extensions. Click the extension you want to delete and click the Delete button to remove it.