In recent findings from Check Point Research, a significant phishing attack targeting more than 40 prominent Colombian companies has been uncovered.
The attackers behind this campaign aimed to infect victims’ systems with the notorious “Remcos” malware, known for its versatility in malicious activities.
Remcos is categorized as a Remote Access Trojan (RAT), granting attackers complete control over compromised computers. This control allows them to carry out various malicious actions, including data theft, further malware installations, and the hijacking of user accounts.
Attack’s Modus Operandi
Fraudulent Email: Attackers initiated the campaign by sending deceptive emails impersonating trusted entities like banks or Colombian companies. These emails typically contained urgent messages, unpaid debts, or enticing offers.
Email Attachment: The emails included seemingly harmless attachments, often in ZIP or RAR file formats, claiming to contain essential documents or invoices.
Hidden Commands: Within the archive files were highly obfuscated Batch (BAT) files. When executed, these BAT files ran PowerShell commands that were themselves obfuscated, stacking multiple layers of obfuscation to evade security solutions.
Loading .NET Modules: Those PowerShell commands then caused the victim’s computer to load two .NET components needed for the subsequent stages of the attack.
First .NET Module: Evasion and Unhooking: The first component aimed to disable and deceive the computer’s security mechanisms, preventing the detection of malicious activities.
Second .NET Module: Loading “LoadPE” and Remcos: This part dynamically loaded another component named “LoadPE” from file resources. “LoadPE” was responsible for reflective loading, allowing the Remcos malware to be loaded directly into memory without being stored on disk.
Reflective Loading with “LoadPE”: Using “LoadPE,” attackers loaded the final payload, the Remcos malware, into memory. This reflective loading technique further evaded traditional antivirus and endpoint security solutions.
The Final Payload: Remcos – Swiss Army Knife RAT: With Remcos successfully loaded into memory, the attackers gained full control over the compromised system, enabling a wide range of malicious activities, including unauthorized access, data theft, keylogging, and remote surveillance.
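The stage transitions described above (a BAT file spawning PowerShell with evasion switches and string-built commands, then a .NET assembly loaded straight from memory) all show up in process-creation telemetry such as Sysmon Event ID 1. The following is an added example, not code from Check Point Research or from this article, that scores constructed process events for those indicators; the indicator names, regexes, weights, threshold and sample paths are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Command-line indicators for the obfuscated PowerShell stage described above.
# Indicator names, regexes and weights are this example's own assumptions.
CMD_INDICATORS: List[Tuple[str, int, str]] = [
    ("encoded_command",   3, r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"),
    ("hidden_window",     1, r"-w(?:indowstyle)?\s+hidden"),
    ("policy_bypass",     1, r"-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)"),
    ("invoke_expression", 2, r"\b(?:iex|invoke-expression)\b"),
    ("string_building",   2, r"(?:\[char\]\s*\d+|\+\s*'[^']*'\s*\+|`\w`)"),
    ("assembly_load",     3, r"reflection\.assembly\]::load\("),
]

def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one process-creation event; returns (score, matched indicator names)."""
    hits: List[str] = []
    score = 0
    # Stage transition from the article: cmd.exe running a .bat spawns PowerShell.
    parent_is_bat = (event["parent_image"].lower().endswith("cmd.exe")
                     and ".bat" in event["parent_cmd"].lower())
    child_is_ps = re.search(r"(?i)\\(?:powershell|pwsh)\.exe$", event["image"]) is not None
    if parent_is_bat and child_is_ps:
        hits.append("bat_spawns_powershell")
        score += 3
    for name, weight, pattern in CMD_INDICATORS:
        if re.search(pattern, event["cmd"], re.IGNORECASE):
            hits.append(name)
            score += weight
    return score, hits

def find_suspicious(events: List[Dict[str, str]], threshold: int = 6) -> List[Tuple[str, int, List[str]]]:
    """Return (event id, score, hits) for every event scoring at or above the threshold."""
    scored = ((e["id"], *score_event(e)) for e in events)
    return [r for r in scored if r[1] >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not telemetry from the campaign): a benign admin
# command, the BAT -> PowerShell -> in-memory .NET chain, and an encoded launcher.
SAMPLE_EVENTS = [
    {"id": "evt1", "parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": PS, "cmd": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
    {"id": "evt2", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmd": r'cmd.exe /c "C:\Users\user\Downloads\invoice\invoice.bat"', "image": PS,
     "cmd": "powershell.exe -nop -w hidden -ep bypass -c \"$n='Sys'+'tem.Ref'+'lection';"
            "[System.Reflection.Assembly]::Load($bytes) | Out-Null; iex $stage2\""},
    {"id": "evt3", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmd": r'cmd.exe /c "C:\Users\user\Downloads\invoice\invoice.bat"', "image": PS,
     "cmd": "powershell.exe -w hidden -enc " + "QUFB" * 12},  # placeholder base64, not a payload
]
```

Calling `find_suspicious(SAMPLE_EVENTS)` flags evt2 and evt3 while the benign evt1 stays below the threshold; in production the weights would be tuned against the organisation's own PowerShell baseline.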
The detailed technical research by Check Point Research provides insights into the complexity of this attack’s execution, focusing on evasion techniques and deobfuscation procedures used by the malicious actors.