Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 11/04/2022

11 April 2022 - Winners of week 15: Redline, NjRAT and Emotet.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Anomali Threat Intelligence Platform. Access is limited to our clients.


Threat statistics report

Publication date: 11/04/2022

Distribution: TLP:WHITE

What's new?

Remcos (MITRE ATT&CK ID: S0332)

The Latest Remcos RAT Driven By Phishing Campaign

The #FortiGuard Labs team analyzed a new campaign using the latest version of the #infostealer #Remcos RAT (Remote Access Trojan).

In this campaign, threat actors attempt to gain initial access through a phishing attachment posing as a bank payment notification. The email impersonates a trusted bank and delivers a password-protected #Microsoft Excel file. This attachment downloads the final #Remcos payload through #Visual Basic and #PowerShell scripts, and the payload runs inside a #RegAsm.exe process.
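As an added example (not code from the FortiGuard or CERT Sogeti write-ups), the following Python flags the Excel -> script host -> RegAsm.exe process chain described above on constructed process-creation events; the field names, paths and PIDs are assumptions modelled on Sysmon Event ID 1, and a benign RegAsm.exe run by a build tool is included to show it is not flagged.

```python
from dataclasses import dataclass

# Process names used by the chain this briefing describes; lower-case for matching.
EXCEL = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
TARGET = "regasm.exe"

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (fields modelled on Sysmon Event ID 1; assumption)."""
    pid: int
    ppid: int
    image: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events, pid):
    """Image basenames from pid up to the root, child first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def find_remcos_chains(events):
    """(pid, chain) for each RegAsm.exe whose ancestors include a script host and Excel."""
    hits = []
    for e in events:
        if basename(e.image) != TARGET:
            continue
        chain = ancestry(events, e.pid)
        if SCRIPT_HOSTS & set(chain) and EXCEL & set(chain):
            hits.append((e.pid, chain))
    return hits

# Constructed sample: one phishing chain plus a benign RegAsm.exe run by a build tool.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(600, 100, r"C:\Program Files\dotnet\dotnet.exe"),
    ProcEvent(700, 600, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]
```

Running `find_remcos_chains(SAMPLE)` reports only PID 500 with its full ancestry, while the build-tool RegAsm.exe (PID 700) is left alone.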

#Remcos continues to evolve: version 3.4.0 Pro replaces #RC4 with #AES-128 encryption. This encryption protects the configuration block, which stores the #C2 information, the name #Remcos assigns to the victim, and many other flags the malware uses to trigger automated actions remotely.

Although #Remcos is treated as malware because threat actors use it massively to remotely control victims, it is legitimate commercial software that has been sold openly since 2016.

https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing

