Phishing Attacks (More Advanced Than Ever)

Typically we recommend checking the domain names within suspicious emails (@example.co.uk), but there is a new, more advanced type of phishing email spreading.

The phishing email uses spoofing to make it look as if it comes from a valid domain. It then supplies the victim with a .zip file containing the Remcos RAT.

These emails typically claim to come from a bank and carry an attached .ZIP or .TXT file. Please get in touch if you suspect you have received one.

You may never receive this email attack, but we want our clients to be aware of it.

What is Remcos?

The Remcos remote access trojan first emerged on underground forums in 2016 and has received a number of updates over the course of the last few years.

Available to crooks for as little as £30, the malware is an information stealer and surveillance tool, using capabilities including keylogging, taking screenshots and stealing clipboard contents to secretly take usernames and passwords from infected victims.

Researchers at Fortinet have now uncovered a new Remcos campaign. Hard-coded strings in the malicious code, which was compiled in September, name the new variant “2.5.0 Pro”, indicating how fresh it is.

These attacks begin with an attempt to trick the victim into opening a malicious ZIP file under the pretence of payments being made into a bank account. The .ZIP file leads to a file with a .TXT extension which, when opened, runs a PowerShell script that installs the malware on the victim’s Windows machine.

When the malware is running, it records all information entered in the web browser, providing information on what websites the user is visiting and what they enter into the site – enabling the attacker to see and steal usernames and passwords.

Researchers have detailed the full capabilities of the new version of Remcos along with its Indicators of Compromise in their analysis of the malware.
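
Because the visible sender domain can be spoofed, a received message is better judged on its authentication headers and attachments than on the From address alone. The Python sketch below is an added example, not code from Fortinet or from the original article; the sample message, its domains and the file names are constructed, and it assumes the Authentication-Results header was written by your own mail gateway.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
RISKY_EXT = (".zip", ".txt")  # attachment types named in the advisory
def domain(addr):
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def triage(raw_bytes):
    """Return the reasons a message deserves a closer look (empty list = none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # The visible From domain can be spoofed, so compare it with the envelope
    # sender and with the SPF/DKIM/DMARC verdicts. Assumption: these headers
    # were stamped by your own mail gateway, not supplied by the sender.
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path {rp_dom}")
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=pass" not in auth:
            reasons.append(f"{check} did not pass")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"attachment {name}")
        if name.endswith(".zip"):  # list members without extracting anything
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as z:
                    reasons += [f"zip member {m}" for m in z.namelist()]
            except zipfile.BadZipFile:
                reasons.append("zip could not be read")
    return reasons

def build_sample():
    """Constructed sample: spoofed bank sender, failed checks, ZIP holding a .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payment_advice.txt", "constructed placeholder, harmless")
    m = EmailMessage()
    m["From"] = "Accounts <accounts@bank.example>"
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["Authentication-Results"] = "mx.example.org; spf=fail; dkim=none; dmarc=fail"
    m.set_content("Payment has been made into your account, see attached.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="payment.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

An empty list means none of these checks fired; it does not mean the message is safe.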