Bad news, as we well know: cybercriminals do not rest, and for the last few months Malwarebytes researchers have been tracking a unique malspam campaign that delivers the Remcos remote access Trojan (RAT) via financial-themed emails. This threat generates and distributes malicious code such as Remote Access Trojans (RATs) and shellcode to open backdoors on infected Windows systems.

Tara Gould and Gage Mele, researchers at the cybersecurity firm Anomali, have found that this campaign uses the Microsoft Build Engine (MSBuild) to generate and distribute fileless malware: malware that does not need files written to disk to carry out its activity, but instead relies on components and functionality of the operating system itself. Fileless malware typically uses a legitimate application to load the malicious code embedded in it into memory, where it runs without touching the file system and without leaving traces of infection on the system.

Most of the samples analyzed by the Anomali team are the Remcos RAT mentioned above, which gives full access to the machine, from capturing keystrokes and executing arbitrary commands to recording the microphone and webcam. It is combined with Quasar RAT, which is used to steal passwords, and RedLine Stealer, which collects credentials from browsers, VPN and messaging clients, as well as passwords and cryptocurrency wallets.

Remcos is a fully functional RAT that gives the threat actor complete control over the infected system and lets them collect keystrokes, audio, video, screenshots and system information. Because it has full control, Remcos can also download and run additional software on the system. This Remcos distribution uses a series of scripts that ultimately inject a Remcos payload into the Windows binary aspnet_compiler.exe. Unfortunately, the researchers state that using legitimate code to hide malware from antivirus technology is quite effective and is growing exponentially, so we must take extra security measures.
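As an added example (not from the article or from the researchers' report), here is a small Python triage script that runs over constructed Sysmon-style process-creation and network-connection events and flags the two behaviours the article describes: MSBuild.exe launched from a script host or with a project file under a user-writable path, and aspnet_compiler.exe spawned by MSBuild or a script host or making outbound connections. The assumption that a benign aspnet_compiler.exe rarely has such a parent or connects out is a hunting heuristic, not a fact from the article, and the sample paths and addresses are constructed.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines for this demo; not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.proj"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "CommandLine": "aspnet_compiler.exe"}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 2404}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe", "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
'''

# Script hosts that a developer build would not normally be started from (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Path fragments indicating a project file dropped into a user-writable location.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(log_text):
    """Return (rule_name, raw_event_line) for every event matching a hunting rule."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        image = base(ev.get("Image", ""))
        if ev["EventID"] == 1:  # process creation
            parent = base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            # MSBuild started by a script host, or building a project from a user-writable path
            if image == "msbuild.exe" and (parent in SCRIPT_HOSTS or any(p in cmd for p in USER_WRITABLE)):
                findings.append(("msbuild_from_script_or_user_path", line))
            # aspnet_compiler.exe is a known injection target; unusual parent is suspicious (assumption)
            if image == "aspnet_compiler.exe" and (parent == "msbuild.exe" or parent in SCRIPT_HOSTS):
                findings.append(("aspnet_compiler_unusual_parent", line))
        elif ev["EventID"] == 3 and image == "aspnet_compiler.exe":  # network connection
            # A compiler binary opening outbound connections suggests an injected RAT talking to C2
            findings.append(("aspnet_compiler_network", line))
    return findings


if __name__ == "__main__":
    for rule, raw in detect(SAMPLE_LOG):
        print(rule, "->", json.loads(raw)["Image"])
```

The benign Visual Studio build and the browser connection in the sample produce no findings, which is the false-positive check worth keeping when tuning these rules against real telemetry.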

Related reads:
Pupy Rat – A tool for remote administration
StrRAT Malware Threat Spreads by Phishing

