Tracking An Active Remcos Malware Campaign

Weekly Threat Intelligence Report

Date: June 3, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

HYAS Threat Intelligence is currently tracking an active Remcos remote access trojan campaign that began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have shown Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to addresses in Lithuania and are hosted by the ISP “Silent Connection Ltd”.

Using telemetry within the HYAS Insight threat intelligence platform, we were able to locate the global position of the threat actor within minutes of one of the domains being established. Domain registration data and GPS data were correlated to identify the location of the device in Maiduguri, Nigeria.

Threat Actor Geolocation (2024/05/14 20:10:28 UTC)
11.839646 13.136012

Network communication to the domains should be prevented. Communication with the domains has automatically been prevented in HYAS Protect protective DNS.

This illustrates how a particular threat actor from Nigeria is establishing malicious infrastructure on servers at a Lithuanian ISP. Combined with additional data, this could be used for more specific actor attribution. It’s not currently understood who the target of the campaign is.

What We Know About Remcos

Remcos, short for "Remote Control and Surveillance," is a type of malware that functions as a Remote Access Trojan (RAT). It is designed to give attackers complete control over an infected system, allowing them to perform a wide range of malicious activities.

Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.

Malware IOCs (MD5)


Actor IP

Actor Email

Insights Into the Remcos Malware Campaign

Infrastructure and Geolocation

The threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications, combined with hosting on a Lithuanian ISP, underscores the complexity and global nature of modern cyber threats. This infrastructure setup not only obfuscates the true origin of the attack but also leverages international resources to evade localized law enforcement. This tactic is increasingly common, as threat actors exploit the decentralized nature of the internet to distribute their operations, making detection and takedown efforts more challenging. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.
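One way to hunt for this campaign without relying on a static IP list, shown as an added example that is not HYAS code: it matches DNS queries for the two reported domains, learns the answer IPs, and then flags flows to those IPs on the reported ports. The log formats, the names `normalize` and `hunt`, and all sample lines and IP addresses are constructed assumptions.

```python
from collections import defaultdict

# C2 indicators from the report (domain -> port), stored defanged, refanged at runtime.
C2 = {d.replace("[.]", "."): p for d, p in
      {"taker202.ddns[.]net": 3017, "taker202.duckdns[.]org": 5033}.items()}

# Constructed sample logs in an assumed format; IPs are documentation ranges.
# DNS:  timestamp client query answer      Flow: timestamp src dst dport
DNS_LOG = """\
2024-06-03T10:00:01Z 10.0.0.5 taker202.ddns.net 203.0.113.10
2024-06-03T10:00:02Z 10.0.0.7 example.com 198.51.100.4
2024-06-03T11:30:00Z 10.0.0.9 TAKER202.duckdns.org. 203.0.113.77
"""
FLOW_LOG = """\
2024-06-03T10:00:03Z 10.0.0.5 203.0.113.10 3017
2024-06-03T10:00:04Z 10.0.0.7 198.51.100.4 443
2024-06-03T11:30:02Z 10.0.0.9 203.0.113.77 5033
2024-06-03T12:00:00Z 10.0.0.8 203.0.113.77 5033
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN variants compare equal."""
    return name.rstrip(".").lower()

def hunt(dns_log, flow_log):
    """Return {host: sorted findings}; findings are ("dns" | "c2_flow", domain)."""
    resolved = {}              # answer IP -> C2 domain, learned from DNS answers
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        _ts, client, query, answer = line.split()
        domain = normalize(query)
        if domain in C2:
            resolved[answer] = domain
            hits[client].add(("dns", domain))
    for line in flow_log.splitlines():
        _ts, src, dst, dport = line.split()
        domain = resolved.get(dst)
        # Match on the learned IP plus the campaign's port, not a static IP list.
        if domain and int(dport) == C2[domain]:
            hits[src].add(("c2_flow", domain))
    return {host: sorted(found) for host, found in hits.items()}

if __name__ == "__main__":
    for host, found in sorted(hunt(DNS_LOG, FLOW_LOG).items()):
        print(host, found)
```

Host 10.0.0.8 in the sample has a flow hit but no DNS hit, which is the case of a client that resolved the name through a cache or a resolver the log does not cover.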

Real-Time Tracking and Attribution

The ability to correlate domain registration and GPS data in near real-time significantly enhances the capacity for quick response and mitigation. This capability is pivotal in the cybersecurity landscape, where speed and accuracy in threat detection can mean the difference between containment and a full-blown breach. The integration of various data sources provides a more comprehensive view of threat activities, enabling security teams to act swiftly and decisively. This real-time tracking is crucial not only for immediate incident response but also for longer-term threat intelligence and strategic defense planning.

Potential for Enhanced Attribution

While the specific targets of the campaign remain unidentified, the detailed actor information, including email and IP addresses, provides a solid foundation for further investigation. This data could be cross-referenced with known threat actor profiles and historical attack patterns to potentially identify the individual or group behind the campaign. Enhanced attribution capabilities allow organizations to better understand the motivations and tactics of their adversaries, leading to more effective defensive measures. By building a comprehensive profile of the threat actor, cybersecurity teams can anticipate future attacks and tailor their defenses accordingly.

Key Features and Capabilities of Remcos Malware

  • Remote Control: Attackers can remotely control the infected machine, including executing commands and managing files.
  • Surveillance: Remcos can log keystrokes, capture screenshots, and even record audio and video using the system's microphone and webcam.
  • Data Exfiltration: It can steal sensitive information such as passwords, banking information, and other personal data.
  • Persistence: Remcos is designed to maintain persistence on the infected system, ensuring it remains active even after reboots or attempts to remove it.
  • Bypassing Security: The malware often employs techniques to evade detection by antivirus software and other security measures.
  • Command and Control (C2) Communication: Remcos communicates with a command and control server controlled by the attacker, receiving instructions and sending back stolen data.

Distribution Methods for Remcos Malware

  • Phishing Emails: Often distributed via malicious email attachments or links.
  • Malicious Websites: Users can be tricked into downloading the malware from compromised or malicious websites.
  • Software Bundles: Sometimes bundled with legitimate software or disguised as a legitimate application.

Impact and Risks of Remcos Malware

  • Data Theft: Loss of sensitive personal or business information.
  • Financial Loss: Potential for financial theft through stolen banking credentials.
  • Privacy Invasion: Unauthorized surveillance and recording of personal activities.
  • System Compromise: Total control over the infected system can lead to further malware installation and broader network compromise.

Detection and Removal of Remcos Malware

  • Antivirus and Anti-Malware Tools: Use reputable antivirus software to detect and remove Remcos.
  • Regular Scanning: Regularly scan your system for malware.
  • Software Updates: Keep your operating system and software up to date to mitigate vulnerabilities.
  • User Education: Be cautious with email attachments, links, and downloads from untrusted sources.


Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
