Hackers Deliver Remcos RAT as Weaponized PDF Payslip Document

AhnLab Security Emergency Response Center (ASEC) has recently revealed a disturbing case of Remcos RAT, a malicious software that can remotely access and manipulate infected machines. 

The attackers behind this malware used a clever email scam that pretended to be a payslip to trick the recipients into opening a compressed CAB file that contained the Remcos RAT disguised as a PDF file.

Remcos RAT to enter the target's systemRemcos RAT to enter the target's system
Remcos RAT to enter the target’s system

This sneaky trick allowed the Remcos RAT to enter the target’s system, giving the attacker a lot of malicious options. 

The Remcos RAT, once run, has many intrusive capabilities. It can log keystrokes, take screenshots, control webcams and microphones, and execute various actions as per the attacker’s commands. 

It can also steal sensitive data, such as browsing histories and stored passwords, from the victim’s system.

Remcos RATRemcos RAT
Remcos RAT

Interestingly, the Remcos RAT stays inactive until it gets commands from the attacker’s command and control (C2) server. 

This helps it evade detection by security systems. However, it has a unique feature that makes it different from typical remote-access trojans. 

The Remcos RAT has an offline keylogger that starts working right after infection without needing a command from the C2 server. 

This creates a weakness that can be used for detection, especially with sandbox devices.

Various control features of the Remcos RAT’s remote control server (Remcos v2.6.0

The offline keylogger in the Remcos RAT works by using the SetWindowHookExA API and installing a hook procedure to monitor keyboard input events through the WH_KEYBOARD_LL argument.

AhnLab’s MDS sandbox environment successfully detects the malicious behavior of this offline keylogger.

This feature helps to identify the Remcos RAT’s presence even before it connects with the C2 server.

Remcos RAT malware detected using AhnLab MDS (2)

To conclude, Remcos RAT is a serious threat that can do a lot of harm. Its unique offline keylogger feature offers a chance for detection, making it important for security administrators to use advanced threat prevention solutions, such as MDS, and to carefully monitor endpoint environments for any unusual behaviors using products like EDR. 

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

ThreatBook Recognized as a Notable Vendor in Global Network Analysis and Visibility (NAV) Report

ThreatBook, a global leader cyber threat and response solutions backed by threat intelligence and AI,…

3 hours ago

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party JavaScript…

15 hours ago

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs to…

15 hours ago

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate payroll…

15 hours ago

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some reports),…

16 hours ago

71 Fake Websites Impersonating German Retailer to Steal Payment Information

Recorded Future Payment Fraud Intelligence has uncovered a sprawling network of 71 fraudulent e-commerce domains…

16 hours ago