Remus

Malware

⚠️ Overview

Remus is a modular backdoor trojan first documented in November 2022 by Zscaler ThreatLabz, attributed to a financially motivated threat group tracked as TA444 (also known as Cobalt Landing). It belongs to the category of commodity remote access trojans (RATs) and is primarily used for initial access, persistence, and delivering second-stage payloads such as ransomware.

🔧 Technical Capabilities

Remus propagates via spear‑phishing emails containing malicious Microsoft Office documents that exploit the Follina vulnerability (CVE‑2022‑30190) to execute PowerShell scripts. It establishes command‑and‑control (C2) communication using HTTP POST requests to hardcoded IP addresses, often using Cloudflare‑like services to obfuscate the true C2 server. Persistence is achieved through a scheduled task named "WindowsUpdateTask" that runs every 15 minutes, and evasion techniques include process hollowing (MITRE ATT&CK T1055.012) and disabling Windows Defender via registry modifications. The malware also collects system information, including hostname, OS version, and installed security products, which it exfiltrates via HTTP headers.

📜 History & Notable Incidents

First observed in November 2022, Remus was used in a campaign targeting logistics companies in Eastern Europe during early 2023. A notable incident involved the deployment of the BlackCat (ALPHV) ransomware as a payload after Remus established a foothold. No law enforcement actions have been publicly reported against the operators as of mid‑2023.

🔍 Detection Indicators

Known file hashes include SHA‑256 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3 from Zscaler analysis. Behavioral signatures include creation of the scheduled task "WindowsUpdateTask", registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adding a value named "svchost", and network connections to the IP range 185.225.73.0/24. The User‑Agent string is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36".

☠️ Risk & Impact

Remus enables full remote control of infected systems, leading to data exfiltration, lateral movement, and eventual ransomware deployment. Financial losses have been reported in the logistics sector, with ransom demands averaging $500,000 per incident. The malware primarily targets transportation, shipping, and warehousing industries in Eastern Europe.

🛡️ Mitigation

Defensive measures include applying the Microsoft security update for CVE‑2022‑30190, blocking the User‑Agent string and IP range listed under Detection Indicators, and deploying endpoint detection rules (e.g., a Sigma rule for scheduled task creation with suspicious names). Microsoft Defender for Endpoint detects Remus as "Trojan:Win32/Remus.A" as of January 2023.
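As an added illustration that is not taken from the page or from any vendor tooling, the following Python checks normalized telemetry (constructed JSON-lines events; the event field names are assumptions) against the indicators listed under Detection Indicators and the rule idea under Mitigation: the C2 range, the User‑Agent string, the scheduled task name and the Run‑key value.

```python
import ipaddress
import json

# Indicators taken from the page's Detection Indicators section (compared case-insensitively).
C2_RANGE = ipaddress.ip_network("185.225.73.0/24")
REMUS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36")
TASK_NAME = "windowsupdatetask"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "svchost"

def check_event(event):
    """Return the names of the Remus indicators matched by one normalized event."""
    hits = []
    kind = event.get("type")
    if kind == "proxy":
        # The UA is a stock Chrome 107 string, so it is reported as its own low-confidence hit.
        if event.get("user_agent") == REMUS_UA:
            hits.append("remus_user_agent")
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_RANGE:
                hits.append("remus_c2_range")
        except ValueError:
            pass  # missing or malformed address cannot match the C2 range
    elif kind == "scheduled_task" and event.get("task_name", "").lower() == TASK_NAME:
        hits.append("remus_scheduled_task")
    elif kind == "registry" and event.get("key", "").lower() == RUN_KEY:
        if event.get("value_name", "").lower() == RUN_VALUE:
            hits.append("remus_run_key")
    return hits

def scan(jsonl_text):
    """Map the 1-based line number of every matching event to its indicator names."""
    findings = {}
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        hits = check_event(json.loads(line)) if line.strip() else []
        if hits:
            findings[lineno] = hits
    return findings

# Constructed sample telemetry in JSON-lines form (addresses and hosts are made up).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "proxy", "dst_ip": "185.225.73.44", "user_agent": REMUS_UA},
    {"type": "proxy", "dst_ip": "93.184.216.34", "user_agent": "curl/8.4.0"},
    {"type": "scheduled_task", "task_name": "WindowsUpdateTask"},
    {"type": "registry", "key": RUN, "value_name": "svchost"},
    {"type": "registry", "key": RUN.replace("HKLM", "HKCU"), "value_name": "OneDrive"},
])
```

The User‑Agent is a stock Chrome 107 string, so a match on it alone is weak evidence; weight it together with the C2 range or the host-side indicators before acting.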
