LTS Secure Warning: Remcos RAT Being Delivered To Small Businesses In New Phishing Campaign

A new phishing campaign has been identified by security researchers. It tricks small businesses into believing that the message they received was sent by the U.S. Government Small Business Administration (SBA.gov), in order to infect them with the Remcos RAT.


Technical Details

The email kicks off a multi-stage execution process, starting with the GuLoader downloader, which is then used to deliver the RAT. GuLoader is a malicious downloader that threat actors have used in the past to deliver a variety of malware to victim machines.

Written in Visual Basic, GuLoader keeps its main functionality enclosed inside an encrypted shellcode blob, which it decrypts & then executes. The shellcode is responsible for downloading an encrypted payload from a hardcoded Google Drive URL. Once downloaded, the shellcode decrypts the payload & loads it into a running instance of itself via process injection.

The downloaded binary is XOR-decrypted with a hardcoded key that is extracted from GuLoader itself. This downloaded binary is the Remcos RAT.
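Because the payload is protected only by a repeating XOR key, an analyst who has the downloaded blob but not the key can usually recover it from plaintext that every standard Windows executable carries (the "MZ" magic and the DOS stub text). The helper below is an added example for defenders, not code from the advisory or from either malware family; the key, the fake PE layout and the payload bytes are all constructed, and it assumes the decrypted payload is a standard MSVC-style PE with its DOS stub string at file offset 0x4E.

```python
# Added example (not from the original advisory): recover a repeating XOR key
# from an XOR-encrypted PE payload via known plaintext, then decrypt and
# validate it. All key/payload bytes below are constructed test data.
import struct
from typing import Optional

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# Text present in almost every PE; in a standard layout it begins at 0x4E
# (64-byte DOS header + 14 bytes of stub code). Assumption for this example.
DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E
E_LFANEW_OFFSET = 0x3C


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ header plus a PE signature at e_lfanew."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def recover_xor_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext key recovery.

    For each candidate key length L, derive
        key[(DOS_STUB_OFFSET + i) % L] = blob[DOS_STUB_OFFSET + i] ^ DOS_STUB[i]
    and accept L only if every derived key byte is self-consistent and the
    decrypted blob passes looks_like_pe(). Returns None when nothing fits
    (e.g. the payload is not XOR-encrypted, or has a non-standard DOS stub).
    """
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB):
        return None
    for key_len in range(1, max_key_len + 1):
        if len(DOS_STUB) < key_len:
            break  # not enough known plaintext to fill every key slot
        key = [None] * key_len
        consistent = True
        for i, plain in enumerate(DOS_STUB):
            pos = DOS_STUB_OFFSET + i
            derived = blob[pos] ^ plain
            slot = pos % key_len
            if key[slot] is None:
                key[slot] = derived
            elif key[slot] != derived:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(key)
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def build_fake_pe(tail: bytes = b"") -> bytes:
    """Constructed PE-shaped test blob (not a runnable executable): DOS header
    with e_lfanew = 0x80, 14 bytes of stub code, the DOS stub text, PE magic."""
    header = bytearray(64)
    header[:2] = MZ_MAGIC
    pe_offset = 0x80
    struct.pack_into("<I", header, E_LFANEW_OFFSET, pe_offset)
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    body = bytes(header) + stub_code + DOS_STUB + b"\r\r\n$"
    return body.ljust(pe_offset, b"\0") + PE_MAGIC + tail


# Constructed sample: a hypothetical 12-byte key (the real key is not on the
# page) applied to the fake PE above, standing in for the downloaded blob.
SAMPLE_KEY = b"c0nstructed!"
SAMPLE_PE = build_fake_pe(b"\x4c\x01\x03\x00" + b"\x00" * 60)
ENCRYPTED_BLOB = xor_bytes(SAMPLE_PE, SAMPLE_KEY)


def triage(blob: bytes) -> Optional[tuple]:
    """Return (recovered_key, decrypted_payload) or None if no key fits."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    result = triage(ENCRYPTED_BLOB)
    if result:
        print("recovered key:", result[0], "valid PE:", looks_like_pe(result[1]))
```

The consistency check matters: a wrong key length produces conflicting bytes for the same key slot, so the loop rejects it before decrypting; the PE signature check is the second gate. Samples that strip the DOS stub, or use anything stronger than a repeating XOR, will return None and need a different approach (for example extracting the key from the loader as the advisory describes).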


Impact

  • Logs the user’s keystrokes.
  • Takes screenshots of the desktop.
  • Records video & takes pictures from the webcam.
  • Records sound from the microphone.
  • File management on the infected host.
  • Steals sensitive/confidential information.
  • Command execution.
  • C&C communication.


Recommended Actions

  • Never download suspicious attachments or click on shady-looking links.
  • Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a “full system scan” on your endpoints.
  • Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.
  • Isolate all compromised computers ASAP to prevent the threat from spreading further inside your infrastructure.