Security Researchers Discover New Campaign That Delivers New Remcos RAT Variant

  • Researchers have observed a campaign that distributes a new variant of Remcos RAT.
  • The campaign involves a phishing email that pretends to be a payment advisory to lure victims into accessing the malicious attachment.

Security experts from Fortinet have published an analysis of this new variant.

Begins with a phishing email

The campaign begins with a phishing email that appears to come from a legitimate domain. The email body poses as a payment advisory, a social engineering lure intended to convince victims to open the attached ZIP file.

  • Inside the ZIP archive is a Windows Shortcut (.LNK) disguised as a .TXT file.
  • When the user opens the file and supplies the password, the shortcut fetches and executes a PowerShell script.

What happens next?

According to the analysis, once executed the PowerShell script performs the following steps in order.

  1. Store the base64-encoded string “.exe” in a variable, then decode it into a second variable.
  2. Build the absolute path of the executable to be dropped by concatenating the previously received parameter, the system’s public folder, and a randomly generated string used as the file name.
  3. Decode the base64-encoded executable stored in a variable and write the resulting bytes to that path.
  4. Perform a file extension check.
  5. Start the dropped file by calling the “Start-Process” PowerShell cmdlet.
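As an added example (not part of Cyware's page or Fortinet's analysis), the following Python heuristic flags PowerShell scripts that exhibit the dropper chain described above: base64 decoding, writing bytes under the public folder, and launching the result with Start-Process. The two sample scripts are constructed for illustration and carry no real payload.

```python
import re

# Each constructed rule corresponds to one building block of the dropper chain
# described in the analysis; the rules look for technique, not a specific payload.
RULES = {
    "base64_decode": re.compile(r"\[(System\.)?Convert\]::FromBase64String", re.I),
    "public_folder": re.compile(r"\$env:PUBLIC|\\Users\\Public\\", re.I),
    "write_bytes": re.compile(r"\[(System\.)?IO\.File\]::WriteAllBytes", re.I),
    "random_name": re.compile(r"Get-Random|GetRandomFileName", re.I),
    "start_process": re.compile(r"Start-Process", re.I),
}


def match_rules(script: str) -> dict:
    """Report which dropper-chain building blocks appear in the script text."""
    return {name: bool(rx.search(script)) for name, rx in RULES.items()}


def is_suspicious_dropper(script: str) -> bool:
    """Flag a script that decodes base64, writes the bytes to disk and launches them.

    Decoding alone is common in benign scripts, so all three stages must be present.
    """
    hits = match_rules(script)
    return hits["base64_decode"] and hits["write_bytes"] and hits["start_process"]


# Constructed sample mirroring the described chain; $blob is left undefined on purpose.
SUSPICIOUS_SAMPLE = r'''
$ext = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("LmV4ZQ=="))
$name = -join ((65..90) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
$path = $env:PUBLIC + "\" + $name + $ext
[IO.File]::WriteAllBytes($path, [Convert]::FromBase64String($blob))
if ($path.EndsWith(".exe")) { Start-Process $path }
'''

# Constructed benign sample: an admin script that only decodes a configuration string.
BENIGN_SAMPLE = r'''
$cfg = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encodedConfig))
Write-Output $cfg
'''
```

Running `is_suspicious_dropper` over the two samples flags the first and passes the second, while `match_rules` exposes the individual indicators for triage.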

More details

The communication between Remcos and its command-and-control server is encrypted using RC4.

  • It collects data from the infected machine, including the user name, location, device running time, and physical memory capacity, among other details.
  • The analysis also details several control command numbers and the features they stand for.

Cyware Publisher