A new version of Remcos RAT tracked as v4.2.0, has been observed with new evasion techniques in the wild. Originally, Remcos is a legitimate commercial RAT developed by the security company Breaking Security. Hackers have been using it for malicious purposes at least since 2017.

What’s happening?

Researchers have discovered the new version of the RAT being dropped via an NSIS installer file, with a free icon. 
  • During the installation, three more files are dropped into the victim’s temp folder. 
  • One of them is used to decrypt the Remcos payload injector, the second is to compress the Remcos payload, and the third acts as an injector of the Remcos payload.

Remcos’ evasion technique

  • This variant uses the Dynamic Imports technique to evade detection by static analysis-based tools.
  • Moreover, it performs the processing hollowing technique— that uses direct syscalls— to evade detection.

It's among top threats

  • A global threat report by Check Point Research revealed that Remcos was among the top 10 malware families that caused havoc throughout December 2022. This is the third time the malware has been listed after two consecutive months. 
  • A report from the CISA also highlighted how hackers used Remcos RAT to pilfer personal data and credentials by conducting mass phishing campaigns, as it shared details of the top malware strains from 2021. 


Since the malware distributes itself through malicious documents attached to emails, organizations must ensure to cross-check the email before opening. Furthermore, having good email security solutions in place is recommended to prevent the malware from spreading further.
Cyware Publisher