RemRAT

Malware

⚠️ Overview

RemRAT is a remote access trojan (RAT) first documented in 2018 by Cisco Talos and attributed to an unknown threat actor likely operating out of the Middle East. It is categorized as a modular RAT capable of persistent remote control and data theft, and is typically delivered via spear-phishing emails carrying malicious Office documents. According to MITRE ATT&CK, RemRAT is associated with techniques under the TA0001 (Initial Access) and TA0003 (Persistence) tactics.

🔧 Technical Capabilities

RemRAT employs multiple propagation methods including email-borne macro-enabled documents and exploit kits. Its attack vectors leverage CVE-2017-11882 (Equation Editor vulnerability in Microsoft Office) and CVE-2018-0798 (Office memory corruption) for code execution without user interaction. The malware uses a custom command-and-control (C2) protocol over HTTP with AES-encrypted payloads to evade detection. Persistence is achieved through registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include API hooking, process hollowing, and checking for sandbox environments via system uptime and disk size queries. The RAT maintains a hardcoded list of fallback C2 domains and uses dynamic DNS services to rotate infrastructure.

📜 History & Notable Incidents

First observed in June 2018 by Cisco Talos (report: "RemRAT: A New Remote Access Trojan Targeting the Middle East"), RemRAT was used in targeted campaigns against government and energy sector entities in Turkey, Saudi Arabia, and the UAE. No major CVEs have been uniquely assigned to RemRAT itself, but it exploits older Office vulnerabilities as noted. No law enforcement actions have been publicly reported as of 2025.

🔍 Detection Indicators

Known file hashes include SHA256: 0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 (reported by AlienVault OTX); note that this string contains characters outside 0-9 and a-f and is therefore not a valid hexadecimal SHA-256 digest, so it cannot be used for matching as given. Behavioral signatures include creation of the mutex Global\RemRATMutex and registry writes to the value WindowsUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators include the User-Agent string Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 (this is also the stock user agent of Firefox 52 on Windows 7, so on its own it is a weak indicator) and periodic beaconing to domains ending in .ddns.net or .duckdns.org.

☠️ Risk & Impact

RemRAT enables full remote control including keystroke logging, screen capture, file exfiltration, and deployment of secondary payloads. In campaigns documented by Trend Micro, it caused data breaches of sensitive government documents and internal network credentials. Primary affected sectors include Middle Eastern government agencies and critical energy infrastructure, with financial losses estimated in the millions per incident due to remediation and data recovery.

🛡️ Mitigation

Defenders should apply all Microsoft Office security patches for CVE-2017-11882 and CVE-2018-0798, enforce email attachment scanning with macro-blocking policies, and deploy endpoint detection rules for the identified mutex and registry keys. Network-level monitoring for DNS queries to dynamic DNS domains and the specific User-Agent string can aid early detection. Recommended security tools include YARA rules from the Talos Intelligence report and EDR solutions with behavioral analysis capabilities.
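The detection indicators and the monitoring advice above, as an added example that is not from the original page or from any vendor report: a small Python triage script that checks the profile's indicators (User-Agent string, dynamic DNS suffixes, the WindowsUpdate value under the Run key, the mutex name) against constructed log events, validates the listed SHA-256 string before it is loaded into a blocklist, and only flags a host that shows two or more distinct indicators, since the User-Agent alone is a stock Firefox 52 string. The event field names and hostnames are assumptions.

```python
import re
from typing import Optional

# Indicators taken from the Detection Indicators section of this profile.
REMRAT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
DYNDNS_SUFFIXES = (".ddns.net", ".duckdns.org")
RUN_KEY_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"
MUTEX_NAME = r"Global\RemRATMutex"
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; reject anything else
    before it reaches a blocklist (the profile's listed hash fails this)."""
    return bool(SHA256_RE.match(digest))


def classify(event: dict) -> Optional[str]:
    """Return the name of the indicator an event matches, or None.
    Events are simplified dicts with a 'type' key; field names are assumed."""
    kind = event.get("type")
    if kind == "http" and event.get("user_agent") == REMRAT_UA:
        return "remrat_user_agent"  # weak alone: stock Firefox 52 / Windows 7 UA
    if kind == "dns" and event.get("query", "").lower().endswith(DYNDNS_SUFFIXES):
        return "dyndns_query"
    if kind == "registry" and event.get("path", "").lower() == RUN_KEY_VALUE.lower():
        return "run_key_windowsupdate"
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return "remrat_mutex"
    return None


def scan(events) -> dict:
    """Map each host to the set of distinct indicators it triggered."""
    hits = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.setdefault(ev["host"], set()).add(tag)
    return hits


def high_confidence_hosts(events, min_indicators: int = 2) -> list:
    """Hosts with at least min_indicators distinct indicators, sorted by name."""
    return sorted(h for h, tags in scan(events).items() if len(tags) >= min_indicators)


SAMPLE_EVENTS = [  # constructed for this example; hostnames/domains are placeholders
    {"host": "ws-01", "type": "http", "user_agent": REMRAT_UA, "url": "http://c2-placeholder.ddns.net/gate"},
    {"host": "ws-01", "type": "dns", "query": "c2-placeholder.ddns.net"},
    {"host": "ws-01", "type": "registry", "path": RUN_KEY_VALUE},
    {"host": "ws-02", "type": "http", "user_agent": REMRAT_UA, "url": "https://example.com/"},
    {"host": "ws-03", "type": "dns", "query": "mail.example.com"},
]
```

Running high_confidence_hosts(SAMPLE_EVENTS) flags only ws-01; ws-02 matches the User-Agent alone and stays below the threshold.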


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.