Summary: A significant rise in cyber-attacks utilizing the Remcos remote access Trojan (RAT) has been observed in Q3 2024, primarily delivered through phishing emails. This malware allows attackers to remotely control victim machines, steal data, and conduct espionage activities.
Threat Actor: Unknown | Remcos RAT threat actor
Victim: Various organizations | Remcos RAT victims
Key Points:
- Two distinct Remcos RAT variants have been identified, each utilizing different delivery methods.
- The first variant uses an obfuscated PowerShell script triggered by a VBS file, while the second spreads via malicious DOCX attachments exploiting CVE-2017-11882.
- Both variants employ techniques to evade detection, such as encoding data in Base64 and injecting payloads into legitimate processes.
- They ensure persistence through registry modifications and startup folder entries.
- Mitigation strategies include keeping systems updated, employing multi-layered security, and educating users on phishing tactics.
A sharp increase in cyber-attacks involving the Remcos remote access Trojan (RAT) has been identified in Q3 2024.
The malware, delivered through phishing emails and malicious attachments, enables attackers to control victim machines remotely, steal data and carry out espionage.
Two Key Variants Identified
McAfee Labs researchers have analyzed two distinct Remcos RAT variants, each leveraging unique methods for delivery and execution.
The first variant employs a highly obfuscated PowerShell script triggered by a VBS file. This script downloads files from command-and-control (C2) servers and injects malicious code into RegAsm.exe, a legitimate Microsoft executable. By using multi-layer obfuscation, it avoids detection by mimicking legitimate system paths and directories.
The second variant spreads via spam emails containing malicious Microsoft Office Open XML (DOCX) attachments. These files exploit CVE-2017-11882, a remote code execution vulnerability. Upon execution, an embedded script downloads additional malware payloads, ultimately leading to the deployment of Remcos RAT.
Both variants share several common characteristics that make them highly evasive. They encode data in Base64 format, use reversed URLs and avoid leaving files on disk, effectively bypassing traditional detection systems. Additionally, they inject their final payloads into legitimate processes to evade behavioral detection systems.
To ensure persistence, these variants rely on registry modifications and startup folder entries, guaranteeing their presence even after system reboots.
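The evasion and persistence traits listed in the two paragraphs above (reversed URLs, Base64-encoded strings, payload injection into RegAsm.exe, Run-key and Startup-folder entries) each leave a footprint in ordinary endpoint telemetry. The following Python script is an added example, not McAfee's or Infosecurity Magazine's code, that triages constructed sample events for those footprints; the hostnames, paths and file names in the sample data are made up, and the event line format is an assumption rather than any particular product's schema.

```python
"""Triage constructed telemetry for the Remcos RAT traits described above.

Added example. Scans PowerShell script-block text, process-creation and
registry/file events for: reversed URLs, Base64 runs that decode to URLs or
commands, RegAsm.exe launched by a scripting host, and Run-key or
Startup-folder persistence.
"""
import base64
import re
import string

# Constructed sample telemetry; hosts, paths and names are invented.
ENCODED_URL = base64.b64encode(b"http://example.invalid/payload.bin").decode()
SAMPLE_EVENTS = [
    "ScriptBlock: $u='exe.daolyap/dilavni.elpmaxe//:ptth'; $url=-join $u[-1..-($u.Length)]",
    f"ScriptBlock: IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{ENCODED_URL}')))",
    "ProcessCreate: parent=powershell.exe child=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
    "RegistrySet: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\Users\\u\\AppData\\Roaming\\svc.vbs",
    "FileCreate: C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.vbs",
    "ScriptBlock: Get-ChildItem C:\\Temp | Sort-Object Length",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z0-9.:/_%?=&-]+")       # quote-free runs that could hold a URL
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")        # Base64-looking runs of 16+ chars
KEYWORDS = ("http://", "https://", "powershell", "iex", "invoke", ".exe", ".dll")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PRINTABLE = set(string.printable)


def find_reversed_urls(text):
    """Return URLs that only appear when a token is read backwards."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        rev = tok[::-1]
        if URL_RE.fullmatch(rev):
            hits.append(rev)
    return hits


def decode_base64_blobs(text):
    """Decode Base64 runs and keep those that yield readable, suspicious text."""
    hits = []
    for blob in B64_RE.findall(text):
        if len(blob) % 4:
            continue
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text once decoded
        if set(decoded) <= PRINTABLE and any(k in decoded.lower() for k in KEYWORDS):
            hits.append(decoded)
    return hits


def is_suspicious_regasm_launch(event):
    """True when RegAsm.exe is spawned by a scripting host (injection target pattern)."""
    m = re.search(r"parent=(\S+)\s+child=(\S+)", event)
    if not m:
        return False
    parent, child = m.group(1).lower(), m.group(2).lower()
    return child.endswith("\\regasm.exe") and parent in SCRIPT_HOSTS


def persistence_kind(event):
    """Classify Run-key and Startup-folder writes; None for anything else."""
    if RUN_KEY_RE.search(event):
        return "run-key"
    if STARTUP_RE.search(event):
        return "startup-folder"
    return None


def triage(events):
    """Map each event index to its list of (category, detail) findings."""
    findings = {}
    for i, ev in enumerate(events):
        out = [("reversed-url", u) for u in find_reversed_urls(ev)]
        out += [("base64-decoded", d) for d in decode_base64_blobs(ev)]
        if is_suspicious_regasm_launch(ev):
            out.append(("regasm-from-script-host", ev.split("child=")[1]))
        kind = persistence_kind(ev)
        if kind:
            out.append(("persistence", kind))
        if out:
            findings[i] = out
    return findings


if __name__ == "__main__":
    for idx, items in triage(SAMPLE_EVENTS).items():
        for cat, detail in items:
            print(f"event {idx}: {cat}: {detail}")
```

Run against the constructed events, the script flags the first five and leaves the benign `Get-ChildItem` line alone. The Base64 check deliberately requires the decoded bytes to be printable ASCII and to contain a URL or execution keyword, which keeps ordinary identifiers such as `FromBase64String` (itself a valid-length Base64 run) from producing noise; in real telemetry the same functions would be fed PowerShell script-block logs and process-creation events rather than the inline list.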
Mitigating the Threat
McAfee Labs has provided indicators of compromise (IOCs) for these variants, including file hashes and URLs, to aid in threat detection.
The rising threat of Remcos RAT highlights the critical importance of:
- Keeping systems up-to-date and patching known vulnerabilities
- Employing multi-layered security measures to detect and neutralize malware
- Educating users on recognizing and avoiding phishing tactics
“As this remote access Trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical,” McAfee warned.
“By understanding the tactics used by cybercriminals behind Remcos RAT and implementing robust defenses such as regular software updates, email filtering and network monitoring, organizations can better protect their systems and sensitive data.”
Source: https://www.infosecurity-magazine.com/news/remcos-rat-malware-evolves-new