A new remote access tool, known as Remcos, has been seen rising in popularity over the last month and has been linked to several recent attacks. Remcos, which sells for €58-389 from the vendor Breaking Security, is a security tool advertised for “ethical hacking” and otherwise legal purposes. Remcos boasts the ability to monitor keystrokes, manage files, take remote screenshots, execute remote commands, and otherwise control an endpoint remotely. Not surprisingly, this tool is being purchased and used by criminals, who are then using the tool for malicious purposes, such as for controlling botnets.
In some recent attacks, spear phishing emails were observed being sent to government contractors, in which the attackers crafted emails posing as various tax agencies or government organizations. The emails contained custom logos; realistic privacy disclosure statements; spoofed sender addresses; and other details to appear as legitimate as possible. Attached to the emails were Microsoft Office files mimicking legitimate tax documents and displaying intentionally blurred image previews. The victims were in fact lured into enabling the macros in order to view the content of the given file. However, once the macros were enabled by the user and the file was reopened, an executable was created through a set of routines from arrays embedded in the Microsoft Office attachment. This executable would then run Remcos silently in the background and provide the attacker with a platform where to observe the user or conduct further malicious activity from.
While spear phishing emails and malicious attachments are nothing new to security professionals, the latest attacks with Remcos are both sophisticated and well executed.The attackers involved with these recent campaigns have been going to great lengths to craft very realistic spear phishing emails that have misled multiple targets. Additionally, some security appliances may not initially detect these malicious attachments due to the fact that the Remcos executable is obfuscated by the use of arrays to store and assemble the source code. And to make matters worse, because the Remcos RAT is sold as ethical hacking software, many endpoint protection vendors do not even include the Remcos file hashes in their malware definitions.
Proficio Threat Intelligence Recommendations:
- Disable Microsoft Office macros.
- Conduct spear phishing awareness training sessions with employees.
- Update security appliances definitions to include Remcos IoCs.
Talos Intelligence – Click Here