- The newest Apple Watch Series 10 is $50 off at Walmart for the holiday season, and it will arrive before Christmas
- New: Cisco CCT Field Technician certification
- This cordless vacuum brightens my floors in more ways than one (and it beats my Dyson)
- The best tablets of 2024: Expert tested and reviewed
- What is Google's Project Mariner? This AI agent can navigate the web for you
Remcos RAT Malware Evolves with New Techniques
A sharp increase in cyber-attacks involving the Remcos remote access Trojan (RAT) has been identified in Q3 2024.
The malware, delivered through phishing emails and malicious attachments, enables attackers to control victim machines remotely, steal data and carry out espionage.
Two Key Variants Identified
McAfee Labs researchers have analyzed two distinct Remcos RAT variants, each leveraging unique methods for delivery and execution.
The first variant employs a highly obfuscated PowerShell script triggered by a VBS file. This script downloads files from command-and-control (C2) servers and injects malicious code into RegAsm.exe, a legitimate Microsoft executable. By using multi-layer obfuscation, it avoids detection by mimicking legitimate system paths and directories.
The second variant spreads via spam emails containing malicious Microsoft Office Open XML (DOCX) attachments. These files exploit CVE-2017-11882, a remote code execution vulnerability. Upon execution, an embedded script downloads additional malware payloads, ultimately leading to the deployment of Remcos RAT.
Both variants share several common characteristics that make them highly evasive. They encode data in Base64 format, use reversed URLs and avoid leaving files on disk, effectively bypassing traditional detection systems. Additionally, they inject their final payloads into legitimate processes to evade behavioral detection systems.
To ensure persistence, these variants rely on registry modifications and startup folder entries, guaranteeing their presence even after system reboots.
Read more on RAT threats: Chinese Hackers Leveraging ‘Noodle RAT’ Backdoor
Mitigating the Threat
McAfee Labs has provided indicators of compromise (IOCs) for these variants, including file hashes and URLs, to aid in threat detection.
The rising threat of Remcos RAT highlights the critical importance of:
-
Keeping systems up-to-date and patching known vulnerabilities
-
Employing multi-layered security measures to detect and neutralize malware
-
Educating users on recognizing and avoiding phishing tactics
“As this remote access Trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical,” McAfee warned.
“By understanding the tactics used by cybercriminals behind Remcos RAT and implementing robust defenses such as regular software updates, email filtering and network monitoring, organizations can better protect their systems and sensitive data.”
