LTS Secure Warning: AutoIt wrapper being utilized to deliver new variant of Remcos RAT

A new Remcos RAT campaign has been identified that is making use of AutoIt wrapper, incorporating various anti-debugging & obfuscation techniques to evade detection.

Technical Details

The attackers are sending out phishing mails, disguised as order notification, containing the RAT as an attachment. The attachment contains the loader/wrapper Boom.exe. The executable’s main purpose is to perform anti-analysis detection, achieve persistence & finally drop the Remcos RAT.

Once the executable is converted to an AutoIt script, it is identified that the malicious code has been obfuscated with multiple layers, helping it avoid being detected and making it challenging for researcher to reverse.

Impact

• Collects user & system information.
• Execute remote scripts.
• Logs user’s keystrokes.
• Take screenshots of desktop.
• Managing clipboard data.
• Manipulating registry values and keys.
• Downloading files.

Recommended Actions

• Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mal-spam.
• Ensure that your devices are always up-to-date with the latest patches released.
• Always update your anti-virus software with the latest releases.
• Periodically run “full system scan” on your endpoints.
• Make sure that security practices like whitelisting, blocking unused ports and disabling unused components are implemented.
• Monitor traffic on system for any suspicious/unusual behavior.