Threat Hunting Content: Remcos RAT COVID19 Campaigns

Remcos RAT was first spotted in 2016. It purports to be a legitimate remote access tool, but it has been used in multiple global hacking campaigns. On various sites and forums, cybercriminals advertise, sell, and offer cracked versions of this malware. Since the end of February, security researchers have discovered several campaigns that distribute the Remcos Trojan and exploit the COVID-19 theme in phishing emails.

A few weeks ago, another campaign aimed at small businesses in the United States became known: the attackers spoofed U.S. Government Small Business Administration email to make victims open a malicious attachment, which starts a multi-stage execution chain beginning with the GuLoader downloader, which in turn delivers the Trojan. Once running, Remcos can be used to spy on its victims, collect credentials, exfiltrate files, and execute commands.

A threat hunting rule by Osman Demir enables your security solution to detect fresh instances of this Remote Access Trojan: https://tdm.socprime.com/tdm/info/VTPq73Wr1ZQs/oSF1DXIBjwDfaYjK0HeG/?p=1

Threat Detection is supported for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution

Techniques: User Execution (T1204)
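The rule content itself is only available at the link above. As an added example that is not SOC Prime's rule logic and not part of this page, the following Python script shows what a User Execution (T1204) hunt for the chain described above looks like when run over process-creation telemetry: an Office application spawning a script host or living-off-the-land binary, and a script host then launching a dropped executable from a user-writable directory. It assumes Sysmon-style process-creation events with parent and child image paths, that the phishing lure is an Office document, and that the first-stage loader is dropped under the user's profile; the log lines, host names and paths are constructed for the example.

```python
"""
Added example of a User Execution (T1204) hunt over process-creation events.
Illustrative code only, not SOC Prime's rule logic. Assumptions (not stated on
the page): Sysmon-style records with parent/child image paths, an Office
document as the lure, and a first-stage loader running from a user-writable
directory.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "host user parent_image image command_line")

# Office applications that open mail attachments (assumption: the lure is an
# Office document; extend for PDF readers, archive tools, etc.).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and LOLBins that Office rarely spawns in normal use but that
# malicious macros and droppers commonly start.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = SCRIPT_HOSTS | {"regsvr32.exe", "rundll32.exe", "certutil.exe"}

# User-writable locations where a downloader such as GuLoader would be dropped
# (assumption about the loader's location).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Downloads|Public)\\", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of hunt findings for one event (empty if nothing matched)."""
    findings = []
    parent = basename(ev.parent_image)
    child = basename(ev.image)

    # Stage 1: the attachment's host application starts a script host/LOLBin.
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append("T1204: Office app spawned script/LOLBin child")

    # Stage 1 variant: the host application directly runs a dropped binary.
    if parent in OFFICE_PARENTS and USER_WRITABLE.search(ev.image):
        findings.append("T1204: Office app launched binary from user-writable path")

    # Stage 2: a script host, or something already in a user-writable path,
    # launches a dropped executable (downloader -> payload).
    if (parent in SCRIPT_HOSTS or USER_WRITABLE.search(ev.parent_image)) \
            and USER_WRITABLE.search(ev.image):
        findings.append("Staged execution: script host launched binary from user-writable path")

    return findings


def hunt(events):
    """Run classify() over all events; return (host, image, findings) for hits."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((ev.host, ev.image, findings))
    return hits


def parse_line(line):
    """Parse one constructed 'key=value|key=value' log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Event(fields["host"], fields["user"], fields["parent"],
                 fields["image"], fields.get("cmd", ""))


# Constructed sample log lines (not real telemetry). The last two are benign
# controls: Explorer launching Word, and Excel starting the printing helper.
SAMPLE_LOG = """\
host=WS01|user=jdoe|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|image=C:\\Windows\\System32\\wscript.exe|cmd=wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.vbs
host=WS01|user=jdoe|parent=C:\\Windows\\System32\\wscript.exe|image=C:\\Users\\jdoe\\AppData\\Roaming\\loader.exe|cmd=loader.exe
host=WS02|user=asmith|parent=C:\\Windows\\explorer.exe|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|cmd=WINWORD.EXE /n
host=WS03|user=bwayne|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|image=C:\\Windows\\splwow64.exe|cmd=splwow64.exe 12288
"""

if __name__ == "__main__":
    for host, image, findings in hunt(map(parse_line, SAMPLE_LOG.splitlines())):
        print(f"{host}: {image}")
        for finding in findings:
            print(f"    - {finding}")
```

Running the script flags the two WS01 events (Word spawning wscript.exe, then wscript.exe starting loader.exe from AppData) and stays silent on the two benign controls. In a real deployment the parent/child allow-lists need tuning per environment, since some add-ins and printing helpers legitimately spawn children of Office; the point of the example is the parent-child and path logic, not the exact lists.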

YARA rules by Osman Demir to uncover the RAT: https://tdm.socprime.com/tdm/info/Eh7mpdZYLttx/fCFbDXIBjwDfaYjK9Hc9/

More content by Emir Erdogan related to the Trojan and recent campaigns:

Remcos RAT Backdoor Detection – https://tdm.socprime.com/tdm/info/0pEIgeXQQ8qJ/HCDcP3EBjwDfaYjKheK0/

Remcos RAT downloaded via Internet Explorer – https://tdm.socprime.com/tdm/info/SbAfC5odSp8V/-4uRpnEB1-hfOQir2dtY/

GuLoader Downloads REMCOS and PARALLAX RAT – https://tdm.socprime.com/tdm/info/neIOio4uZ1xB/euYsT3EBv8lhbg_i7yo4/

Remcos Remote Access Tool (RAT) – YARA Rules – https://tdm.socprime.com/tdm/info/sDp8qxV1mDn1/g8KVz20BEiSx7l0HEpF8/