Delaware, USA – October 15, 2018 — Unidentified cybercriminals carried out the largest cyber attack in the history of Iceland, infecting users with the Remcos remote access tool and gaining access to their banking accounts. On October 6, the adversaries started sending phishing emails containing a link to a spoofed version of the Icelandic police website and a demand to come to the police for questioning. The cybercriminals are not only familiar with the administrative system of Iceland but also have access to the social security number (SSN) database. The attackers' website address differed from the official one by a single letter, so even experienced users could fall for the trick. The site required users to enter their SSN, for which it was necessary to log into their online bank account. If users entered a legitimate SSN, a password-protected archive containing an .SCR file disguised as an MS Word document was downloaded to their computers. After unpacking and execution, the malicious file installed Remcos RAT and dropped a VBS script into Autorun to ensure persistence on the infected machine. The attackers used Remcos to collect user credentials and send them to command and control servers, as well as to attack the victims' bank accounts.
The cybercriminals sent out thousands of phishing emails, but the exact number of victims is still unknown. The attack was carefully planned, and the spoofed website was only shut down the next day. This is not the first time Remcos RAT has been used for malicious purposes; the same scheme can also be leveraged for attacks on organizations and for delivering malware that evades antivirus solutions. To detect such sophisticated attacks, you can use the updated APT Framework, which notifies SIEM operators about potential threats at different stages of the Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight
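As an added illustration (not part of the original report or of the APT Framework), the following Python triage routine checks constructed telemetry for the three signals described above: a host that is one letter away from an allowlisted domain, an .SCR executable named like a Word document, and a VBS script placed in the Startup folder or a Run key (both assumed here as what "Autorun" covers). The domain police.example and the sample events are placeholders.

```python
"""Triage constructed proxy/endpoint events for the signals of the described attack chain."""
import re

OFFICIAL_DOMAINS = {"police.example"}  # placeholder allowlist; the real site is not named here

# .scr is a Windows executable; a document extension in front of it is the disguise.
DOC_DISGUISE = re.compile(r"\.(docx?|rtf)\.scr$", re.I)
# Assumed persistence locations: the user Startup folder and the CurrentVersion\Run key.
STARTUP_VBS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)


def one_edit_away(a: str, b: str) -> bool:
    """True if b differs from a by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    # Deleting any single character of the longer string must yield the shorter one.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def is_lookalike(host: str) -> bool:
    return any(one_edit_away(host.lower(), d) for d in OFFICIAL_DOMAINS)


def triage(events):
    """Return (tag, evidence) pairs for every event that matches one of the signals."""
    findings = []
    for ev in events:
        if ev["type"] == "proxy" and is_lookalike(ev["host"]):
            findings.append(("lookalike_domain", ev["host"]))
        elif ev["type"] == "file_create":
            path = ev["path"]
            if path.lower().endswith(".scr"):
                tag = "scr_disguised_as_document" if DOC_DISGUISE.search(path) else "scr_file"
                findings.append((tag, path))
            elif STARTUP_VBS.search(path):
                findings.append(("vbs_in_startup_folder", path))
        elif ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]) \
                and ev["data"].lower().endswith(".vbs"):
            findings.append(("vbs_in_run_key", ev["data"]))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the incident
    {"type": "proxy", "host": "po1ice.example"},
    {"type": "proxy", "host": "police.example"},
    {"type": "file_create", "path": r"C:\Users\u\Downloads\Summons.docx.scr"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"},
]

if __name__ == "__main__":
    for tag, evidence in triage(SAMPLE_EVENTS):
        print(f"{tag}: {evidence}")
```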