Remcos Malware Information

    • Updated: 31 Jul 2019
    • Product/Version:
        • Apex One 2019.All
        • Deep Discovery Email Inspector 3.5
        • Deep Discovery Inspector 5.5
        • Deep Security 12.0
        • InterScan Messaging Security Suite 9.1 Linux
        • InterScan Web Security Virtual Appliance 6.5
        • OfficeScan XG.All
        • ScanMail for Exchange 14.0
        • Worry-Free Business Security Standard/Advanced 10.0
    • Platform: N/A
Summary

Remcos (Remote Control and Surveillance), marketed as legitimate software by the Germany-based firm Breaking Security for remotely managing Windows systems, is now widely used in multiple malicious campaigns by threat actors. Remcos is a sophisticated remote access Trojan (RAT) that can fully control and monitor any Windows computer from XP onwards.

The current campaign uses a social engineering technique in which the attackers send fake emails that appear to come from legitimate companies. The emails carry attachments posing as invoices or urgent orders that are actually Remcos archives, which attempt to connect to the attacker's command and control (C&C) server. The attachment is an archive containing an executable disguised as a PDF or other document file.

This backdoor gathers the following information and sends it to its servers:

  • Computer Information (OS version, computer name, system type, product name, primary adapter)
  • User information (user access, user profile, user name, user domain)
  • Processor information (processor revision number, processor level, processor identifier, processor architecture)

Behaviors

  • Bypasses anti-virus products
  • Maintains persistence on the targeted machine
  • Runs as a legitimate process by injecting into a Windows process
  • Gains admin privileges and disables User Account Control (UAC)

Capabilities

  • Information Theft
  • Backdoor commands
  • Exploits

Impact

  • Compromise of system security - backdoor capabilities that can execute malicious commands
  • Violation of user privacy - gathers user credentials, logs keystrokes and steals user information

Infection Routine

[Infection routine diagram: image not included in this extraction]

File Reputation

  Detection/Policy/Rules              Pattern Branch/Version   Release Date
  Backdoor.Win32.REMCOS.SM.hp         ENT OPR 15.196.04        June 25, 2019
  Backdoor.Win32.REMCOS.USMANEAGBE
  Backdoor.MSIL.REMCOS.AND
  Trojan.Win32.REMCOS.ANE
  Trojan.W97M.REMCOS.AMS

Predictive Machine Learning

  Detection                      Pattern Branch/Version
  TROJ.Win32.TRX.XXPE50FFF031    In-the-cloud

Web Reputation

  Detection/Policy/Rules    Pattern Branch/Version
  URL Protection            In-the-cloud

Anti Spam

  Pattern Branch/Version    Release Date
  AS Pattern 4718           June 26, 2019

Solution Map - What should customers do?

Endpoint Security
  Products: Apex One 2019; OfficeScan XG (12.0); Worry-Free Business Security Standard (10.0) / Advanced (10.0)
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable for Apex One and OfficeScan; Update pattern via web console for Worry-Free Business Security
  • Network Pattern: Update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Hybrid Cloud Security
  Products: Deep Security 12.0
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Email and Gateway Security
  Products: Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14.0
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Update pattern via web console
  • Network Pattern: Update pattern via web console for Deep Discovery Email Inspector; Not Applicable for InterScan Messaging Security, InterScan Web Security and ScanMail for Microsoft Exchange
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Network Security
  Products: Deep Discovery Inspector 5.5
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Category: Remove a Malware / Virus
Solution Id: 1123281