Researchers have encountered a new phishing campaign that is being used to distribute the notorious Remcos RAT. The malware is disguised as a payslip to trick users.

Modus operandi

According to ASEC researchers, the phishing emails are sent with the subject line ‘This is a confirmation document for your payment transfer’ to deceive the recipients.
  • The email carries a compressed CAB file that contains an EXE file (the Remcos RAT) disguised with a PDF file icon.
  • Upon execution, the malware captures screenshots, records keystrokes, and allows threat actors to take control of webcams and microphones.
  • Additionally, it extracts browsing histories and passwords saved in victims’ web browsers.
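The lure above rests on a CAB wrapper and an executable posing as a document, both of which are identifiable from their leading bytes rather than their name or icon. The following mail-triage sketch is an added example written for this article, not code from ASEC or Cyware; the sender addresses and the attachment bytes are constructed, and the CAB attachment is only a header stub, so the check stops at the container and the same routine is applied to an extracted member separately.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes of the file types the lure relies on (constant values, not page data).
MAGIC = {b"MSCF": "cab", b"MZ": "exe", b"%PDF": "pdf"}
# Subject line reported for the campaign; a weak indicator, trivially changed by the sender.
LURE_SUBJECT = "This is a confirmation document for your payment transfer"


def classify(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name and icon."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> list[str]:
    """Reasons to hold a file; works for attachments and for archive members alike."""
    kind, lower, reasons = classify(data), name.lower(), []
    if kind == "cab":
        reasons.append("cabinet archive attachment")
    if kind == "exe":
        reasons.append("PE executable")
        if not lower.endswith(".exe") or ".pdf" in lower:
            reasons.append("executable disguised as a document")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Per-attachment findings plus the subject indicator for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = check_file(name, part.get_payload(decode=True) or b"")
    subject_match = (msg.get("Subject") or "").strip() == LURE_SUBJECT
    return {"subject_match": subject_match, "attachments": findings}


def build_sample() -> bytes:
    """Constructed message mimicking the lure; the CAB body is a header stub only."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "payroll@example.invalid", "staff@example.invalid", LURE_SUBJECT
    msg.set_content("Please find attached your payslip.")
    msg.add_attachment(b"MSCF" + b"\x00" * 32, maintype="application",
                       subtype="vnd.ms-cab-compressed", filename="payslip.cab")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
    print(check_file("payslip.pdf.exe", b"MZ\x90\x00"))  # an extracted archive member
```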

This is not the first time the malware has been used to siphon off users’ personal information. In March, Microsoft reported a similar campaign in which the Remcos RAT was used to target employees of U.S. accounting and tax return preparation firms.

A persistent threat

  • Beyond these incidents, Remcos RAT has become a widely employed tool in a variety of malicious campaigns conducted by threat actors.
  • Recently, the operators behind QakBot malware were found distributing the trojan, alongside Knight ransomware, as part of an attack campaign that has been active since August.
  • Moreover, Check Point researchers pointed out that 40 prominent companies across Colombia were infected in a stealthy Remcos RAT campaign, enabling attackers to gain full control of the infected systems and carry out a wide range of attacks.

Ending notes

Remcos RAT is a complex multi-stage malware that uses various obfuscation methods to evade detection. As it is primarily distributed as malicious email attachments, organizations should scan attachments before opening or downloading them. Furthermore, deploying an IDS to monitor systems for unusual behavior is recommended.
Cyware Publisher