Monday, October 30, 2023

Hackers Deliver Remcos RAT-Weaponized PDF Payslip Doc


AhnLab Security Emergency Response Center (ASEC) has recently revealed a disturbing case of Remcos RAT, malicious software that can remotely access and manipulate infected machines.

The attackers behind this malware used a clever email scam that pretended to be a payslip to trick recipients into opening a compressed CAB file that contained the Remcos RAT disguised as a PDF file.

Remcos RAT entering the target's system

This sneaky trick allowed the Remcos RAT to enter the target's system, giving the attacker a number of malicious options.

Once run, the Remcos RAT has many intrusive capabilities. It can log keystrokes, take screenshots, control webcams and microphones, and execute various actions as instructed by the attacker.

It can also steal sensitive information, such as browsing histories and saved passwords, from the victim's system.

Remcos RAT

Interestingly, the Remcos RAT stays inactive until it receives commands from the attacker's command and control (C2) server.

This helps it evade detection by security systems. However, it has a unique feature that sets it apart from typical remote-access trojans.

The Remcos RAT has an offline keylogger that starts working right after infection, without needing a command from the C2 server.

This creates a weakness that can be used for detection, particularly in sandbox devices.

Various control features of the Remcos RAT's remote control server (Remcos v2.6.0)

The offline keylogger in the Remcos RAT works by calling the SetWindowsHookExA API and installing a hook procedure that monitors keyboard input events via the WH_KEYBOARD_LL argument.

AhnLab's MDS sandbox environment successfully detects the malicious behavior of this offline keylogger.

This feature helps identify the Remcos RAT's presence even before it connects to the C2 server.
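As an added example (not ASEC's or AhnLab MDS's code), the following Python shows how a sandbox or EDR analyst could turn the weakness described above into a detection: flag any process that installs a WH_KEYBOARD_LL hook before it has made a single network connection. The trace line format and the sample trace are constructed assumptions.

```python
"""Flag processes that install a low-level keyboard hook before any network traffic.

Added example, not ASEC's or AhnLab MDS's code. Assumes a constructed sandbox
API trace with one call per line:  <seconds> <pid> <api> <args...>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WH_KEYBOARD_LL = 13  # real idHook value passed to SetWindowsHookEx for a low-level keyboard hook

# Constructed sample trace (not from the article); times are seconds since process start.
SAMPLE_TRACE = """\
0.120 4120 CreateFileA path=C:\\Users\\victim\\Downloads\\payslip.pdf.exe
0.350 4120 SetWindowsHookExA idHook=13 hMod=0x0 dwThreadId=0
0.355 4120 GetMessageA
12.400 4120 connect addr=203.0.113.10:2404
0.200 5010 SetWindowsHookExA idHook=7 hMod=0x7ff6 dwThreadId=0
0.100 6023 connect addr=198.51.100.7:443
0.900 6023 SetWindowsHookExA idHook=13 hMod=0x0 dwThreadId=0
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<pid>\d+)\s+(?P<api>\w+)(?P<args>.*)$")


@dataclass
class ProcState:
    first_connect: Optional[float] = None   # earliest outbound connect() seen
    ll_kbd_hook: Optional[float] = None     # earliest WH_KEYBOARD_LL hook install seen


def parse_trace(text: str) -> Dict[int, ProcState]:
    """Collect, per PID, the first network connect and the first low-level keyboard hook."""
    procs: Dict[int, ProcState] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, pid, api, args = float(m["t"]), int(m["pid"]), m["api"], m["args"]
        st = procs.setdefault(pid, ProcState())
        if api == "connect" and st.first_connect is None:
            st.first_connect = t
        elif api in ("SetWindowsHookExA", "SetWindowsHookExW"):
            idhook = re.search(r"idHook=(\d+)", args)
            if idhook and int(idhook.group(1)) == WH_KEYBOARD_LL and st.ll_kbd_hook is None:
                st.ll_kbd_hook = t
    return procs


def offline_keylogger_pids(text: str) -> List[int]:
    """PIDs that hooked the keyboard with no prior network connection (the Remcos offline-keylogger pattern)."""
    hits = []
    for pid, st in parse_trace(text).items():
        if st.ll_kbd_hook is not None and (st.first_connect is None or st.ll_kbd_hook < st.first_connect):
            hits.append(pid)
    return sorted(hits)
```

PID 5010 installs a WH_MOUSE hook (idHook=7) and PID 6023 hooks the keyboard only after talking to the network, so only PID 4120 is reported.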

Remcos RAT malware detected using AhnLab MDS (2)

To conclude, Remcos RAT is a serious threat that can do a great deal of harm. Its unique offline keylogger feature presents an opportunity for detection, making it important for security administrators to use advanced threat prevention solutions, such as MDS, and to carefully monitor endpoint environments for any unusual behaviors using products like EDR.

