Security Researchers Discovered that the fake emails distribute Remcos RAT Variant

Security Researchers Discovered that the fake emails distribute Remcos RAT Variant

The researchers have discovered a new campaign that spreads a new variant of Remcos RAT that involves an email and the email id pretends to be from a valid domain and the body of the email contains the payment advisory which is used as a technique to convince the victims to get in the attached ZIP file which is a Windows Shortcut but to the user it is displayed as .TXT file. Once the user gets to click the .TXT file and assigns the password it fetches the password and it continues to execute a PowerShell script.

All the communication between the Remcos and its command is encrypted using the RC4. When the PowerShell script executes then it stores the ".exe" string in a variable. It generates and decodes the original path and performs a file extension then starts the dropped file by calling the "Start-Process" PowerShell cmdlet.

The RemcosRAT campaign uses Autult wrapper to deliver the variant featuring new obfuscation and anti-debugging techniques. This threat was encountered by the Trend Micro by encountering the email that was disguised as an order notification but actually delivers the RAT. The researchers found that the Remcos RAT that is infused with a fake email contains a highly customizable form of trojan malware.