Security experts from Fortinet have published an analysis of this new variant.
Begins with a phishing email
The campaign kicks off with a phishing email that appears to come from a legitimate domain. The email body is a payment advisory, a social engineering lure intended to convince victims to open the attached ZIP file.
What happens next?
According to the analysis, once executed, the PowerShell script performs these activities in sequential order.
The communication between Remcos and its command-and-control server is encrypted using RC4.