Monday, March 4, 2024

Multiple Malware Campaigns Distributing Remcos RAT Via Malicious Excel and Word Documents

Multiple malware campaigns attempting to install Remcos RAT on victim’s machines to gain access to the system. Attackers delivering the malware through Excel spreadsheets and Word documents.

Remcos remote access tool offered for sales by a company called Breaking Security and the license ranges from €58.00 to €389.00 based on the license. The tool contains a number of surveillance functions.

It was first sold in hacking forums in late 2016 and from that point it get’s updated with more features continuously, the RAT gives complete remote access to the attacker and it is supported from Windows XP to all versions including server editions.

Researchers from Cisco spotted several malware campaigns that attempt to install the RAT on various endpoints. The RAT gives everything that attacker required to run an illegal bot.

Remcos RAT Distribution

Remcos advertised on various underground forums which allows threats actors to leverage this malware to launch a variety of attacks to infect the system.

Earlier this year threat actors targeted defense contractors in Turkey with Remcos, Talos now confirmed the attacker also targeting the following organizations.

  • International news agencies
  • Diesel equipment manufacturers and service providers operating within the maritime and energy sector
  • HVAC service providers operating within the energy sector
The attack starts with a well-crafted spear phishing email that poses to be from the Turkish government agency related to tax reporting for the victim’s organization and the email contains malicious Microsoft Office and Excel documents attached.
Remcos RAT

Talos observed most of the documents are blurred and contains unclear images to lure victim’s to enable macros and view the content.

Remcos RAT

The macro in this file contains an executable when executed the macros reconstruct the executable and save in the %Temp% or %AppData% locations.

Remcos RAT
The Executable then downloads the Remcos malware which gives an attacker a complete control over the victim’s machine. The Remcos RAT is capable of monitoring keystrokes, take remote screen captures, manage files, execute commands on infected systems and more.

“Organizations should ensure that they are implementing security controls to combat Remcos, it is a robust tool that is being actively developed to include new functionality increasing what the attackers can gain access to.”

Also Read

Beware !! Dangerous RAT’s Called “Adwind, Remcos, Netwire” Delivering via A360 Cloud Drive

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

AdvisorsBot Malware Attack on Hotels, Restaurants, and Telecommunications Via Weaponized Word Document


Latest articles

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles