Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 11/05/2022

11 May 2022 - Winners of week 19: Redline, NjRAT and Agent Tesla.

Some links point to extended, actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.

 

Threat statistics report

Publication date:

11/05/2022

Distribution:

TLP: WHITE

What's new?

Remcos (ID Mitre: S0332)

Password protected Excel files used to drop the Remcos RAT

#Remcos RAT, commercial software sold online, was originally designed as a professional tool to #control Microsoft Windows computers remotely. This RAT is tracked as a malware family because attackers have misused it to covertly control victims' devices since its first release on July 21, 2016.

Brad Duncan from #Malware-traffic-analysis.net recently analyzed a #phishing email that leads to #Remcos V3. The email body carries, in clear text, the password of its password-protected attachment; the infection starts when the user opens the document and enables the macro. The macro then initiates communication with the #C2 server of the Remcos malware.

Following this exchange, a #vbs file built from the C2 server's response is written to the Windows Startup folder, so it is executed automatically at every logon. A #registry key is also updated with a license key for the Remcos software.

Finally, a #keylogger is launched to capture user activity.

https://isc.sans.edu/diary/rss/28616
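The persistence step described above (a script written into the Windows Startup folder right after an Office macro runs) is a good candidate for a simple endpoint detection. The following is an added example written for this briefing, not code from the SANS diary, from Malware-traffic-analysis.net or from the Remcos analysis: it runs over a few constructed Sysmon-style file-creation events (Event ID 11) and flags script files dropped into a per-user or all-users Startup folder, rating the finding higher when the writing process is an Office application. The field names (EventID, Image, TargetFilename), the Office process list and the extension list are assumptions chosen for the example; the extension list is slightly broader than the .vbs case in the text so that sibling Windows Script Host formats are covered too.

```python
import re

# Per-user (AppData\Roaming) and all-users (ProgramData) Startup folders share
# this suffix; the trailing group captures the dropped file name.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)

# Script formats executed by Windows Script Host at logon (assumption: a slightly
# broader set than the single .vbs case described in the briefing).
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)

# Office processes that a malicious macro would run under (assumed list).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}


def is_startup_script_drop(event: dict) -> bool:
    """True when a Sysmon file-create event writes a script into a Startup folder."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return bool(STARTUP_DIR_RE.search(target) and SCRIPT_EXT_RE.search(target))


def written_by_office(event: dict) -> bool:
    """True when the process that created the file is an Office application."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image in OFFICE_IMAGES


def triage(events):
    """Return (dropped_path, severity) for every suspicious Startup-folder write.

    severity is "high" when an Office process wrote the script (macro-driven
    persistence, as in the Remcos chain) and "medium" for any other writer.
    """
    findings = []
    for ev in events:
        if not is_startup_script_drop(ev):
            continue
        severity = "high" if written_by_office(ev) else "medium"
        findings.append((ev["TargetFilename"], severity))
    return findings


# Constructed sample events (not real telemetry): one macro-style drop from Excel,
# one benign .vbs outside the Startup folder, one Startup write by a non-Office
# process, and one unrelated process-creation event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.vbs"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\helper.js"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe update.vbs"},
]

if __name__ == "__main__":
    for path, severity in triage(SAMPLE_EVENTS):
        print(f"[{severity}] script written to Startup folder: {path}")
```

In a real deployment the same logic maps onto a SIEM query over Sysmon Event ID 11 (or an EDR file-write feed); the value of the Office-process condition is that legitimate software rarely writes logon scripts from inside excel.exe, so that pairing is a low-noise, high-confidence signal for the macro-to-persistence step in this chain.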
