
Remcos RAT Malware Campaign Targets Windows Users Via Excel Exploits

A concerning new variant of Remcos RAT has emerged in a widespread phishing operation. This publicly available Remote Access Trojan poses a significant threat to Windows users in the UK and around the world.

Remcos, originally developed as a commercial Remote Administration Tool (RAT), is now at the centre of growing cybersecurity concerns. The program, which offers sophisticated functionality for remote computer control, is publicly accessible online, and cybercriminals are increasingly using it for malicious purposes.

According to Xiaopeng Zhang in last week’s security advisory:

The Remcos RAT toolkit hands cyber criminals a comprehensive suite of remote control capabilities over compromised Windows machines. However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts.

A recent cyberattack exposed the sophisticated phishing attacks used by threat actors to misuse Remcos. The attack starts with a malicious OLE Excel document attached to a phoney email that looks like a routine order notice. What happens next is critical: simply opening this attachment triggers a significant security flaw, CVE-2017-0199.

This vulnerability, with a CVSS score of 7.8, lies in how Microsoft Office and WordPad process specially crafted files. Once triggered, it enables Excel to display malicious content through remote code execution.

The attack becomes more complex when the compromised Excel file downloads an HTML Application (HTA) file named “cookienetbookinetcache.hta” from a remote site at “192.3.220[.]22”. The Mshta.exe utility is then used to execute this file, potentially granting attackers access to the victim’s computer.

Once successfully installed, Remcos RAT provides attackers with an alarming range of capabilities. These include gathering system information, accessing files, managing processes, altering the Windows Registry, and running remote commands.

The application can also track notepad content, use the camera and microphone, record screen activities, and deactivate user input devices. This level of control allows attackers to fully infiltrate affected systems while maintaining persistent access.

Wallarm, a security firm, has also discovered a phishing operation that uses Docusign’s API. In this clever technique, fraudsters create authentic, paid Docusign accounts and send convincing false invoices to innocent victims.

These scammers have developed a cunning approach by crafting detailed invoice templates that mimic trusted brands, with Norton Antivirus being a primary target. To compromise critical information, they aim to trick users into e-signing papers that look real.

In a similarly alarming pattern, attackers have started using a method called ZIP file duplication. This approach combines several ZIP archives into a single file, which creates a serious security risk.

The risk is in how these chained files are handled by various software programs. Well-known programs like 7-Zip, WinRAR, and Windows File Explorer handle these files in different ways and could overlook possibly risky data.
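As an added example (not from the article or the researchers it cites), the following Python script shows why a ZIP made of several archives glued together is risky: it compares the entries that a central-directory reader reports (here Python's zipfile, which honours the last End of Central Directory record) with the entries found by walking local file headers from the start of the file, and flags any file where the two views disagree. The sample archives and their file names are constructed in memory for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature
EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature


def local_header_names(data: bytes) -> list[str]:
    """Entry names seen by reading local file headers sequentially from offset 0.
    When the bytes after an entry are not another local header (e.g. the first
    archive's central directory), resync on the next local header signature, which
    carries the walk into any appended archive."""
    names, pos = [], data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        flags, csize, nlen, xlen = struct.unpack_from("<4x2xH2x2x2x4xI4xHH", data, pos)
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + xlen + csize  # csize is 0 when a data descriptor (flag bit 3) is used
        if flags & 0x8 or not data.startswith(LOCAL_SIG, pos):
            pos = data.find(LOCAL_SIG, pos)
    return names


def central_directory_names(data: bytes) -> list[str]:
    """Entry names from the central directory that Python's zipfile locates by
    scanning backwards for the LAST EOCD record: only the trailing archive is seen."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def analyse(data: bytes) -> dict:
    """Flag files that contain more than one EOCD record or whose sequential and
    central-directory views disagree. Counting EOCD signatures can over-count if an
    archive comment happens to contain the signature bytes; treat it as a lead."""
    seq, cd = local_header_names(data), central_directory_names(data)
    return {
        "eocd_records": data.count(EOCD_SIG),
        "sequential_view": seq,
        "central_dir_view": cd,
        "suspicious": data.count(EOCD_SIG) > 1 or set(seq) != set(cd),
    }


def make_zip(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: two ordinary archives, then the two concatenated into one file.
FIRST = make_zip({"readme.txt": b"constructed sample, first archive"})
SECOND = make_zip({"report.txt": b"constructed sample, second archive"})
CONCATENATED = FIRST + SECOND
```

Running `analyse(CONCATENATED)` reports two EOCD records and a sequential view of both entries against a central-directory view of only the second, which is exactly the kind of disagreement between tools that the article describes.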

Cyber risks are constantly evolving, and this innovative attack method underscores the importance of maintaining robust security measures. Remcos RAT, with its extensive system control capabilities, advanced deployment techniques, and effective evasion strategies, poses significant threats to both individuals and organisations.

It illustrates the growing complexity of current cyberthreats: it operates covertly and keeps its communication with its command-and-control server looking legitimate.

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.
