Remcos RAT Phishing Campaign: An Updated Infection Chain

A new wave of phishing delivering Remcos RAT payload has been observed by security researchers. Remcos is a commercial remote administration trojan developed by Breaking Security firm, that is accessible for free from their website. According to the source that developed this tool, Remcos is capable of downloading entire folders in one click, using a range of File Manager functionality, utilizing a keylogger, and establishing a connection with a C&C server. It’s worth mentioning that Remcos RAT is being continuously improved, The newest updates were published on April 1, 2022. 

The abovementioned functionality allows attackers to maintain persistence, conduct reconnaissance (with audio recording and screenshots), steal sensitive information, and gain control over the infected machines without any visible changes to the operation and therefore, unbeknownst to the user. 

The ongoing campaign is financially-oriented and mimics remittance payment notifications from legitimate institutions, such as FIS Global, Wells Fargo, and ACH Payment. Discover the possibilities of our detection content for SIEM, EDR & XDR solutions that will help you spot the newest activity of Remcos RAT trojan in your infrastructure.

Remcos Trojan Infection: How to Detect?

Deploy the newest Sigma-based detection rule created by our Threat Bounty developer Aytek Aytemur to be able to spot the latest Remcos RAT behavior.

Suspicious Remcos Malware Execution by PowerShell Executing Multistage Downloaders (via ps_script)

This detection is available for the following SIEM, EDR & XDR formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Devo, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic and User Execution (T1204) technique.

Remcos RAT has been around for some time, that’s why many signs of its activity can already be detected. Dive into our comprehensive list of Sigma-based rules associated with Remcos attacks to be aware of a fuller range of activities that this malware can execute. Also, if you are writing your own detections, check out our crowdsourcing initiative that lets you monetize on making the cyber world a safer place.

View Detections Join Threat Bounty

Remcos Spam Campaigns Analysis

The typical attack chain starts with sending an infected XLS file through a phishing email. To evade detection, adversaries add password protection to this file. Once a victim opens it and enables macros, the malicious XML code enables the execution of Remcos binary parameters.

Through a series of PowerShell commands, the XLS file makes for the creation and execution of a new VBS file. The chain goes on as the latter executes another similar command that downloads, saves, and executes the next file extracted from a malicious C&C server. The latter file connects with the server again and delivers an encrypted cmdlet command which loads and decrypts the whole different sequence of actions based on a .NET object delivering the final RAT at the end of this sequence.

As a result, researchers conclude that Remcos RAT final component is delivered through an intricate chain of infection stages that largely depend on their connection with the C2 server where all the necessary files are stored. As you can see, obfuscated information and codes inside the malware strains are developed specifically to evade the available security controls. However, by using the newest detection content, it is possible to stay ahead of modern sophisticated attacks. Access the power of collaborative defense by joining our SOC Prime Detection as Code platform, where globally recognized security specialists come together to create high-quality cyber detections on a continuous basis.