Remcos RAT Removal and Recovery Guide
Signs of Infection
Remcos RAT (Remote Control and Surveillance) is a feature-rich malware that exhibits several identifiable behaviors upon infection. Security teams should investigate systems displaying the following specific indicators.
File System Artifacts:
The malware typically installs itself in user-writable directories to avoid requiring administrative privileges. Look for executable files with benign-sounding names (e.g., chrome_update.exe, securitycheck.exe) in %AppData%, %LocalAppData%, %Temp%, or %Public% directories. Remcos often creates a folder named Remcos or Rmc within %AppData%. Pay attention to recently created files with random alphanumeric names and the .exe or .dll extension. It may also drop a configuration file (often .bin or .dat) in the same directory.
Process and Persistence Behaviors:
Check running processes for suspicious instances matching the dropped filenames. Remcos frequently uses process hollowing or injection to run its code within a legitimate process like explorer.exe, svchost.exe, or rundll32.exe. Examine these processes for unexpected memory allocations, network connections, or loaded modules. For persistence, Remcos commonly uses:
- Registry Run Keys: Entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Scheduled Tasks: Tasks with random or disguised names configured to execute the payload at logon or at intervals.
- Startup Folder: A shortcut (.lnk file) placed in the user’s startup folder (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup).
Network Indicators: Remcos beacons to its command-and-control (C2) server. Monitor for outgoing connections on common ports (e.g., 80, 443, 8080) to domains or IP addresses with low reputation scores, recently registered domains, or domains hosted by Dynamic DNS providers. The initial beacon often contains a unique identifier for the infected machine. Anomalous volumes of data leaving a user’s workstation via HTTPS or raw TCP sockets are a critical sign.
Immediate Containment Steps
Upon detecting a potential Remcos infection, take these actions within the first 15 minutes to prevent lateral movement and data theft.
- Network Isolation: Immediately disconnect the affected host from the network. Disable its network adapters via the operating system or, preferably, through network access control (NAC) or switch port shutdown. This stops C2 communication and halts any active lateral movement attempts.
- Preserve Evidence: Before termination, if possible, capture a memory dump of the suspected malicious process and the system memory. Take forensic snapshots of the disk volumes. This aids in later analysis and IOC extraction.
- Process Termination: Identify the primary malicious process(es) using your EDR console or process explorer tool. Terminate these processes. Be aware of potential process guardians or watchdogs that may restart the malware; you may need to terminate multiple related processes in a specific order.
- Credential Security: Assume credentials on the compromised host are compromised. Immediately rotate passwords for any domain, local, or service accounts that were active on that machine. Enforce multi-factor authentication where possible. Review authentication logs from your SIEM for suspicious logins originating from the host in the hours prior to detection.
- Initial Triage: Quickly check neighboring systems on the same subnet for similar network connections or process artifacts to assess potential spread.
Manual Removal Process
Perform this detailed removal on the isolated host. Use a trusted, offline security toolset if possible.
Step 1: Terminate Malicious Processes.
- Open the system’s task manager or a trusted process management tool.
- Locate and end tasks for all suspicious processes identified earlier. Look for processes consuming high CPU or memory without any user interaction, or those matching the dropped file names.
- Use command-line tools to forcefully terminate processes if the GUI is unresponsive.
Step 2: Remove Persistence Mechanisms.
- Registry: Open the registry editor. Navigate to and delete any suspicious entries in:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (less common for Remcos)
- Scheduled Tasks: Open the Task Scheduler. Review the task library and delete any recently created or suspiciously named tasks that point to the malware’s executable location.
- Startup Folder: Navigate to C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and delete any suspicious .lnk files.
Step 3: Delete Dropped Files.
- Navigate to the identified malware directories (commonly %AppData%, %LocalAppData%, %Temp%).
- Delete the primary executable, any dropped DLLs, and configuration files.
- Empty the Recycle Bin.
Step 4: Clean Registry Entries (Beyond Persistence).
- Search the registry for references to the malware’s file paths or known Remcos-related strings.
- Common locations to check include HKEY_CURRENT_USER\Software\ and HKEY_LOCAL_MACHINE\SOFTWARE\ for keys named “Remcos”, “Rmc”, or other random strings.
- Exercise extreme caution when editing the registry; delete only keys clearly linked to the infection.
Verifying Removal
Complete removal requires verification across multiple layers.
System Scans:
- Perform a full system scan with a reputable anti-malware solution, ensuring it has the latest definitions.
- Use a dedicated rootkit scanner to check for deep system hooks or hidden files installed by the RAT.
- Run a scan with your deployed EDR agent, focusing on the previously infected directories and registry hives.
Log Analysis:
- In your SIEM, review Windows Event Logs (particularly Security, System, and Application logs) from the host for errors related to the removed files or persistence mechanisms failing to load.
- Check for any new, suspicious scheduled tasks or service creations.
- Analyze process creation logs to ensure the malicious process names have not reappeared.
Network Monitoring:
- Before reconnecting the host to the production network, place it on an isolated, monitored VLAN.
- Use a network monitoring tool or the host’s firewall logging to watch for any outbound connection attempts to known Remcos C2 servers (from the IOC list) or to unknown destinations on the beaconing ports.
- Monitor for at least 24-48 hours for any residual beaconing activity.
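The residual-beaconing check above (and the C2 beaconing described under Signs of Infection) can be approximated offline. The following is an added example, not part of the original guide: it parses constructed host-firewall log lines and flags destination/port pairs that one workstation contacts at machine-regular intervals. The log format, field names and jitter threshold are assumptions, and the IP addresses are documentation ranges, not Remcos IOCs; matching against the actual IOC list is a separate, exact check.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (host-firewall style); documentation IPs, not real IOCs.
# 203.0.113.7:8080 is contacted roughly every 30 s; 198.51.100.9:443 is ordinary browsing.
LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=412
2024-01-01T10:00:12 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=15320
2024-01-01T10:00:13 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=2210
2024-01-01T10:00:30 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=398
2024-01-01T10:00:40 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=880
2024-01-01T10:01:01 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=405
2024-01-01T10:01:30 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=410
2024-01-01T10:02:00 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=401
2024-01-01T10:02:32 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=397
2024-01-01T10:02:47 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=5120
2024-01-01T10:03:01 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=730
2024-01-01T10:03:02 src=10.0.0.5 dst=203.0.113.7 dport=8080 bytes=415
2024-01-01T10:09:30 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=9600
"""

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")

def parse(log):
    """Return (timestamp, src, dst, dport, bytes) tuples; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4]), int(m[5])))
    return rows

def find_beacons(rows, min_conns=6, max_jitter=0.2):
    """Group connections by (src, dst, dport) and flag series whose inter-arrival
    times are regular: jitter = stdev/mean of the gaps, low means machine-like timing."""
    series = {}
    for ts, src, dst, dport, _ in rows:
        series.setdefault((src, dst, dport), []).append(ts)
    hits = []
    for key, times in series.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits.append((key, round(avg, 1), round(jitter, 3)))  # (tuple, mean gap s, jitter)
    return hits
```

Run it over 24-48 hours of the isolated VLAN's connection logs; a series that survives the jitter threshold deserves manual review even when the destination is not on the IOC list.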
Post-Removal Security Hardening
To prevent reinfection via similar vectors, implement these measures.
Configuration Changes:
- Application Whitelisting: Implement application control policies to block execution from high-risk locations like %AppData% and %Temp% for standard users.
- Restrict Office Macros: Disable Office macros from the Internet and enforce that macros are only enabled in documents from trusted, signed sources. Remcos often propagates via malicious macro attachments.
- Strengthen Email Filtering: Configure email gateways to block executable attachments, archive files containing executables, and documents with embedded macros from untrusted senders.
Monitoring & Policy Updates:
- Create EDR/SIEM Detection Rules: Develop alerts for process creation from %AppData%\*.exe with network activity, creation of scheduled tasks from user-writable directories, and registry modifications to common auto-start locations by non-admin processes.
- Network Segmentation: Enforce network segmentation to limit lateral movement. Use host-based firewalls to restrict outbound connections from workstations to only necessary services.
- User Training & Policy: Update acceptable use policies to explicitly forbid disabling security software. Conduct regular phishing awareness training focusing on identifying malicious email attachments and links, a primary Remcos delivery method.
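As an added example that is not part of the original guide, the following Python implements the three detection rules above over constructed Sysmon-style events (ID 1 process create, 3 network connect, 13 registry value set), using the drop locations and auto-start keys listed under Signs of Infection. The field names follow Sysmon's schema; the sample events, process GUIDs and the five-minute correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Drop locations named in the guide: %AppData%, %LocalAppData% (which holds %Temp%), %Public%
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
AUTOSTART_KEY = "\\currentversion\\run"  # matches ...\CurrentVersion\Run and \RunOnce

def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)

def detect(events, window=timedelta(minutes=5)):
    """Sysmon-style events: ID 1 = process create, 3 = network connect, 13 = registry value set."""
    alerts, creates = [], {}  # creates: ProcessGuid -> its ID 1 event, for correlation
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        proc = creates.get(e["ProcessGuid"])  # the process that emitted this event
        if e["EventID"] == 1:
            creates[e["ProcessGuid"]] = e
            cmd = e.get("CommandLine", "")
            # scheduled task whose action lives in a user-writable directory
            if e["Image"].lower().endswith("schtasks.exe") and "/create" in cmd.lower() and in_user_writable(cmd):
                alerts.append(("task_from_user_writable_dir", cmd))
        elif e["EventID"] == 3 and proc and in_user_writable(proc["Image"]) and e["UtcTime"] - proc["UtcTime"] <= window:
            # executable under an %AppData%-like path talks to the network soon after starting
            alerts.append(("user_writable_exe_network", f'{proc["Image"]} -> {e["DestinationIp"]}:{e["DestinationPort"]}'))
        elif e["EventID"] == 13 and AUTOSTART_KEY in e["TargetObject"].lower():
            # auto-start value written by a process that is not running elevated
            level = proc.get("IntegrityLevel", "unknown") if proc else "unknown"
            if level not in ("High", "System"):
                alerts.append(("autostart_modified_by_non_admin", e["TargetObject"]))
    return alerts

def t(hms):  # constructed timestamps on a fixed day
    return datetime.strptime("2024-01-01 " + hms, "%Y-%m-%d %H:%M:%S")
# Constructed sample telemetry (documentation IPs, not real IOCs): a dropper under %AppData%\Rmc
# beacons and persists; a browser under Program Files also connects out and must not alert.
SAMPLE = [
    {"EventID": 1, "UtcTime": t("10:00:00"), "ProcessGuid": "A", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\alice\AppData\Roaming\Rmc\chrome_update.exe", "CommandLine": "chrome_update.exe"},
    {"EventID": 3, "UtcTime": t("10:00:04"), "ProcessGuid": "A", "DestinationIp": "203.0.113.7", "DestinationPort": 8080},
    {"EventID": 13, "UtcTime": t("10:00:05"), "ProcessGuid": "A",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\chrome_update"},
    {"EventID": 1, "UtcTime": t("10:00:06"), "ProcessGuid": "B", "IntegrityLevel": "Medium", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\Rmc\chrome_update.exe" /sc onlogon'},
    {"EventID": 1, "UtcTime": t("10:01:00"), "ProcessGuid": "C", "IntegrityLevel": "Medium",
     "Image": r"C:\Program Files\Browser\browser.exe", "CommandLine": "browser.exe"},
    {"EventID": 3, "UtcTime": t("10:01:02"), "ProcessGuid": "C", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]

def run_sample():
    return detect(SAMPLE)
```

The same three checks translate directly into SIEM correlation rules; the path and key substrings are the tunable parts, and a user-writable check on the task action (not just on schtasks.exe itself) is what keeps legitimate task creation quiet.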
For the latest technical indicators, please refer to the Current Remcos RAT IOCs. You can review the Detection Rate for anti-virus efficacy, and a general Remcos RAT Overview is also available.