A newly observed variant of Remcos RAT has introduced significant upgrades to its surveillance arsenal, marking a dangerous evolution in how this remote access trojan operates on compromised Windows systems.
From Storage to Streaming
According to Infosecurity Magazine, the updated strain represents a fundamental shift in operational methodology. Rather than relying primarily on storing stolen data locally, the malware now establishes direct online communication with attacker-controlled servers for immediate monitoring and data exfiltration.
The latest build introduces capabilities that significantly elevate the threat level:
- Live webcam streaming through a downloaded DLL module
- Online keylogging that transmits captured input directly to C2 servers in real time
- Encrypted C2 configuration decrypted only in memory
- Dynamic API resolution to hinder static analysis
- Cleanup routines that remove logs, browser data, and persistence keys
Modular Plugin Architecture
Researchers from Point Wild’s Lat61 Threat Intelligence team detailed the technical changes. Notably, Remcos no longer embeds webcam functionality in its main executable. Instead, it retrieves the recording module from its C2 server when instructed, loads the library at runtime using Windows API calls, executes recording functions, and transmits captured footage in encrypted chunks.
Evasion and Stealth Techniques
The malware employs several advanced evasion techniques:
- Decrypts its configuration only at runtime
- Dynamically loads critical Windows APIs to avoid static detection
- Uses a named mutex (Rmc-GSEGIF) to ensure only one active instance runs
- Encrypts C2 addresses inside the binary, reconstructing strings only in memory
Post-Exfiltration Cleanup
After completing data theft, Remcos initiates a comprehensive cleanup process. It deletes keylogging files, screenshots, and audio recordings, clears browser cookies, and removes registry entries tied to persistence. Finally, it writes a temporary VBScript file to the %TEMP% directory that deletes the malware's own files before it terminates, leaving minimal forensic traces behind.
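As an added defender-side example (not code from the Point Wild or Infosecurity Magazine write-up), the following Python sketch hunts over constructed Sysmon-style events for the cleanup behaviour described above: a .vbs dropped under %TEMP% and then executed by a Windows script host, and deletion of a Run-key persistence value. The event schema, host names, paths and the Run key are assumptions; the page names no specific registry key.

```python
"""Hunt for the Remcos-style cleanup stage in constructed endpoint telemetry."""
import json
from collections import defaultdict

# Constructed sample events (hypothetical hosts, PIDs and paths), one JSON
# object per line, loosely modelled on Sysmon file/process/registry events.
SAMPLE_EVENTS = r"""
{"ts": 1, "host": "ws01", "type": "file_create", "pid": 4120, "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "target": "C:\\Users\\u\\AppData\\Local\\Temp\\clean.vbs"}
{"ts": 2, "host": "ws01", "type": "process_create", "pid": 4312, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\clean.vbs"}
{"ts": 3, "host": "ws01", "type": "registry_delete", "pid": 4312, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}
{"ts": 4, "host": "ws02", "type": "process_create", "pid": 900, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Scripts\\logon.vbs"}
"""

TEMP_MARKER = "\\appdata\\local\\temp\\"      # per-user %TEMP% (assumed layout)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY = "\\currentversion\\run\\"           # assumed persistence location


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_cleanup(events):
    """Return (host, reason) findings; ordering by timestamp matters because
    the script must be dropped before a script host executing it is suspicious."""
    findings = []
    temp_vbs = defaultdict(set)  # host -> lower-cased .vbs paths written under %TEMP%
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "file_create":
            target = ev["target"].lower()
            if TEMP_MARKER in target and target.endswith(".vbs"):
                temp_vbs[host].add(target)
        elif ev["type"] == "process_create":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            cmdline = ev["cmdline"].lower()
            # Only flag script hosts that run a .vbs we previously saw dropped in %TEMP%.
            if image in SCRIPT_HOSTS and any(p in cmdline for p in temp_vbs[host]):
                findings.append((host, "script host ran %TEMP% .vbs: " + ev["cmdline"]))
        elif ev["type"] == "registry_delete":
            if RUN_KEY in ev["key"].lower():
                findings.append((host, "Run-key persistence value deleted: " + ev["key"]))
    return findings


if __name__ == "__main__":
    for host, reason in detect_cleanup(parse_events(SAMPLE_EVENTS)):
        print(host, reason)
```

The legitimate logon script on ws02 is not flagged because no .vbs was observed being written to that host's %TEMP% first.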
Why It Matters
“The latest Remcos variants demonstrate a continued evolution in both stealth and functionality,” Point Wild noted. “Overall, the persistence of Remcos and the steady refinement of its techniques highlight its ongoing effectiveness as a remote access trojan.”
Originally developed as a legitimate remote management tool, Remcos has been abused by threat actors for years. This latest evolution makes it an even more dangerous surveillance platform capable of providing attackers with full control over infected systems, including file access, credential theft, and now real-time audio/video monitoring.
Security teams are advised to monitor for suspicious outbound connections and unauthorized registry modifications to detect potential infections early.
Source: Infosecurity Magazine
