loader gif

Security Researchers Discover New Campaign That Delivers New Remcos RAT Variant

Security Researchers Discover New Campaign That Delivers New Remcos RAT Variant
  • Researchers have observed a campaign that distributes a new variant of Remcos RAT.
  • The campaign involves a phishing email that pretends to be a payment advisory to lure victims into accessing the malicious attachment.

Security experts from Fortinet have published an analysis of this new variant.

Begins with a phishing email

The campaign kicks off with a phishing email that pretends to be from a valid domain. The email body is a payment advisory, a social engineering technique to convince victims to access the attached ZIP file.

  • The ZIP file is actually a Windows Shortcut (.LNK) that is disguised as a .TXT file.
  • When the user accesses the file and provides the password, it fetches and executes a PowerShell script.

What happens next?

According to the analysis, the PowerShell script performs these activities in sequential order after it has been executed.

  1. Store the string “.exe” in a variable encoded in base64, which is then decoded and stored in a variable.
  2. Generate the absolute path to the newly generated executable by concatenating the previously received parameter, the system’s public folder, and a random string generated for the file name.
  3. Decode a base64 encoded executable file stored in a variable and then write all bytes into the executable file.
  4. Perform a file extension check.
  5. Start the dropped file by calling the “Start-Process” PowerShell cmdlet.

More details

The communication between Remcos and its command-and-control server is encrypted using RC4.

  • It collects data from the infected machines including user name, location, device running time, and physical memory capacity, among others.
  • The analysis also details several control command numbers and the features they stand for.
loader gif