- Researchers have observed a campaign that distributes a new variant of Remcos RAT.
- The campaign involves a phishing email that pretends to be a payment advisory to lure victims into accessing the malicious attachment.
Security experts from Fortinet have published an analysis of this new variant.
Begins with a phishing email
The campaign kicks off with a phishing email that pretends to be from a valid domain. The email body is a payment advisory, a social engineering technique to convince victims to access the attached ZIP file.
- The ZIP file is actually a Windows Shortcut (.LNK) that is disguised as a .TXT file.
- When the user accesses the file and provides the password, it fetches and executes a PowerShell script.
What happens next?
According to the analysis, the PowerShell script performs these activities in sequential order after it has been executed.
- Store the string “.exe” in a variable encoded in base64, which is then decoded and stored in a variable.
- Generate the absolute path to the newly generated executable by concatenating the previously received parameter, the system’s public folder, and a random string generated for the file name.
- Decode a base64 encoded executable file stored in a variable and then write all bytes into the executable file.
- Perform a file extension check.
- Start the dropped file by calling the “Start-Process” PowerShell cmdlet.
The communication between Remcos and its command-and-control server is encrypted using RC4.
- It collects data from the infected machines including user name, location, device running time, and physical memory capacity, among others.
- The analysis also details several control command numbers and the features they stand for.