Friday, November 8, 2024
HomeComputer SecurityMultiple Malware Campaigns Distributing Remcos RAT Via Malicious Excel and Word Documents

Multiple Malware Campaigns Distributing Remcos RAT Via Malicious Excel and Word Documents

Published on

Malware protection

Multiple malware campaigns attempting to install Remcos RAT on victim’s machines to gain access to the system. Attackers delivering the malware through Excel spreadsheets and Word documents.

Remcos remote access tool offered for sales by a company called Breaking Security and the license ranges from €58.00 to €389.00 based on the license. The tool contains a number of surveillance functions.

It was first sold in hacking forums in late 2016 and from that point it get’s updated with more features continuously, the RAT gives complete remote access to the attacker and it is supported from Windows XP to all versions including server editions.

- Advertisement - SIEM as a Service

Researchers from Cisco spotted several malware campaigns that attempt to install the RAT on various endpoints. The RAT gives everything that attacker required to run an illegal bot.

Remcos RAT Distribution

Remcos advertised on various underground forums which allows threats actors to leverage this malware to launch a variety of attacks to infect the system.

Earlier this year threat actors targeted defense contractors in Turkey with Remcos, Talos now confirmed the attacker also targeting the following organizations.

  • International news agencies
  • Diesel equipment manufacturers and service providers operating within the maritime and energy sector
  • HVAC service providers operating within the energy sector
The attack starts with a well-crafted spear phishing email that poses to be from the Turkish government agency related to tax reporting for the victim’s organization and the email contains malicious Microsoft Office and Excel documents attached.
Remcos RAT

Talos observed most of the documents are blurred and contains unclear images to lure victim’s to enable macros and view the content.

Remcos RAT

The macro in this file contains an executable when executed the macros reconstruct the executable and save in the %Temp% or %AppData% locations.

Remcos RAT
The Executable then downloads the Remcos malware which gives an attacker a complete control over the victim’s machine. The Remcos RAT is capable of monitoring keystrokes, take remote screen captures, manage files, execute commands on infected systems and more.

“Organizations should ensure that they are implementing security controls to combat Remcos, it is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to.”

Also Read

Beware !! Dangerous RAT’s Called “Adwind, Remcos, Netwire” Delivering via A360 Cloud Drive

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

AdvisorsBot Malware Attack on Hotels, Restaurants, and Telecommunications Via Weaponized Word Document

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...