Remcos RAT Masquerading as VeraCrypt Installers Steals Users' Login Credentials

A sophisticated malware campaign targeting South Korean users has emerged, distributing the Remcos remote access trojan (RAT) through deceptive installers disguised as legitimate VeraCrypt encryption software.

This ongoing attack campaign primarily focuses on individuals connected to illegal online gambling platforms, though security experts warn that everyday users downloading encryption tools may also fall victim to the scheme.

The threat actors behind this operation are using two distinct distribution methods to spread the malicious payload.

The first approach involves fake database lookup programs that appear to check blocklists for gambling site accounts, while the second masquerades as genuine VeraCrypt utility installers.

GUI screen of the distributed Remcos RAT (Source: ASEC)

Both distribution channels have been observed delivering malware through web browsers and messaging platforms like Telegram, using filenames such as “*****usercon.exe” and “blackusernon.exe” to deceive unsuspecting victims.

ASEC analysts identified that once executed, the fake installers deploy malicious VBS scripts hidden within their resource sections.

These scripts are written to the system’s temporary directory with randomized filenames before being activated.

The malware then initiates a complex infection chain involving multiple stages of obfuscated VBS and PowerShell scripts, ultimately delivering the Remcos RAT payload that gives attackers complete remote control over compromised systems.

The impact of this campaign extends beyond simple unauthorized access.

Remcos RAT is equipped with extensive data theft capabilities including keylogging, screenshot capture, webcam and microphone control, and credential extraction from web browsers.

Victims infected with this malware face significant risks of having their sensitive personal information, login credentials, and financial data compromised and transmitted to the attackers’ command-and-control servers.

Multi-Stage Infection Chain and Payload Delivery

The attack employs a sophisticated eight-stage infection process designed to evade detection by security software.

After the initial dropper executes, the malware progresses through five scripted downloader stages using obfuscated VBS and PowerShell scripts with misleading file extensions.

These intermediate scripts contain dummy comments, junk data, and files masquerading as JPG images while actually embedding Base64-encoded malicious payloads.
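A practical check for the "JPG that is not a JPG" stage described above is to compare a file's claimed type against its magic bytes and to look for a long Base64 run that decodes to a Windows executable. The script below is an added example written for this article, not ASEC's tooling or the campaign's code; the file names and the "PE" blob it scans are constructed for the demo (the blob is just an MZ header and a PE signature, not real malware), and the 200-character minimum run length is an arbitrary threshold chosen to skip short Base64 strings.

```python
"""Hunt for 'JPG' files that are really Base64-carrying script stages.

Added example, not code from ASEC or from the campaign. Two checks per file:
does the content begin with the JPEG magic bytes, and does it contain a long
Base64 run that decodes to a PE image (MZ header plus PE signature)?
"""
import base64
import binascii
import re
from pathlib import Path
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"            # SOI marker that every real JPEG starts with
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
# Base64 runs shorter than 200 chars are ignored (threshold is an assumption);
# an encoded PE image is far longer than that.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def is_real_jpeg(data: bytes) -> bool:
    return data.startswith(JPEG_MAGIC)


def find_embedded_pe(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes of the first Base64 run that is a PE image, else None."""
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        run += b"=" * (-len(run) % 4)          # restore padding the dropper may have stripped
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue                            # not valid Base64 after all
        if decoded.startswith(b"MZ") and b"PE\x00\x00" in decoded:
            return decoded
    return None


def triage_file(name: str, data: bytes) -> dict:
    """Classify one file: suspicious when the extension lies or a PE is hidden inside."""
    claims_image = Path(name).suffix.lower() in IMAGE_EXTENSIONS
    real_jpeg = is_real_jpeg(data)
    pe = find_embedded_pe(data)
    return {
        "name": name,
        "extension_claims_image": claims_image,
        "magic_is_jpeg": real_jpeg,
        "embedded_pe_size": len(pe) if pe else 0,
        "suspicious": (claims_image and not real_jpeg) or pe is not None,
    }


# --- constructed samples for the demo (not real malware) ---
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00\x4c\x01" + b"\x00" * 200
SAMPLE_FAKE_JPG = b"' dummy comment\r\n" + base64.b64encode(FAKE_PE) + b"\r\n"
SAMPLE_REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40

if __name__ == "__main__":
    for fname, blob in [("wallpaper.jpg", SAMPLE_FAKE_JPG), ("photo.jpg", SAMPLE_REAL_JPEG)]:
        print(triage_file(fname, blob))
```

Pointed at a suspect temporary directory, the same two checks catch the other misleading extensions the stages use, since a real script or image will never decode to an MZ/PE layout; the magic-byte test alone is enough to flag a "JPG" that opens with a VBS comment.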

Malware inside the obfuscated routine and dummy data (Source: ASEC)

The infection chain culminates with a .NET-based injector that communicates with attackers via Discord webhooks.

This injector downloads the final Remcos RAT payload from remote servers, decrypts it, and injects it into AddInProcess32.exe, a legitimate .NET Framework binary, so that the RAT runs under a trusted process name rather than as a new, unsigned executable.
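The chain described in this article (installer drops a randomly named VBS into the temp directory, the script host launches PowerShell, PowerShell starts the injector, and AddInProcess32.exe begins talking to Discord) is easier to detect as a sequence of parent/child and network relationships than by any single file hash. The script below is an added example for this article, not detection content from ASEC; the pipe-delimited event format and every sample line in it are constructed for the demo (Sysmon-style process-creation and network events), and the rule names are invented. It also generalises slightly beyond the text: any AddInProcess32.exe network connection is flagged, with a distinct rule when the destination is a Discord host.

```python
"""Detection logic for the Remcos delivery chain, run over constructed telemetry.

Added example, not code from ASEC or from the campaign. Each line is
kind|time|parent-or-image|image-or-host|args-or-port (a format invented here).
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that should essentially never launch the .NET add-in host
UNUSUAL_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample events (user name, file names and times are made up)
SAMPLE_EVENTS = r"""
proc|2025-01-10T09:12:01Z|explorer.exe|C:\Users\kim\Downloads\VeraCrypt_Setup.exe|
proc|2025-01-10T09:12:03Z|VeraCrypt_Setup.exe|C:\Windows\System32\wscript.exe|"C:\Users\kim\AppData\Local\Temp\a8f3kq2.vbs"
proc|2025-01-10T09:12:05Z|wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|-ExecutionPolicy Bypass -WindowStyle Hidden -Command "IEX (Get-Content 'C:\Users\kim\AppData\Local\Temp\m3z0.txt' -Raw)"
proc|2025-01-10T09:12:09Z|powershell.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe|
net|2025-01-10T09:12:10Z|AddInProcess32.exe|discord.com|443
proc|2025-01-10T09:30:00Z|explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe|
net|2025-01-10T09:31:00Z|firefox.exe|discord.com|443
"""


def detect(events_text: str) -> list:
    """Return one hit per matching rule, in event order."""
    hits = []
    for line in events_text.strip().splitlines():
        kind, ts, a, b, c = line.split("|", 4)
        if kind == "proc":
            parent, image, args = a.lower(), ntpath.basename(b).lower(), c
            # Stage 1: script host executing something from the temp directory
            if image in SCRIPT_HOSTS and TEMP_DIR.search(args):
                hits.append({"rule": "script_host_from_temp", "time": ts,
                             "image": image, "detail": args})
            # Stage 2: PowerShell spawned by a script host
            if image == "powershell.exe" and parent in SCRIPT_HOSTS:
                hits.append({"rule": "powershell_from_script_host", "time": ts,
                             "image": image, "detail": f"parent={parent}"})
            # Final stage: the .NET add-in host started by a scripting parent
            if image == "addinprocess32.exe" and parent in UNUSUAL_PARENTS:
                hits.append({"rule": "addinprocess32_unusual_parent", "time": ts,
                             "image": image, "detail": f"parent={parent}"})
        elif kind == "net":
            image, host, port = a.lower(), b.lower(), c
            # AddInProcess32.exe has no business on the network at all; a Discord
            # host is consistent with the webhook channel, though the host alone
            # does not prove a webhook URL was used.
            if image == "addinprocess32.exe":
                rule = ("addinprocess32_discord_host" if host.endswith("discord.com")
                        else "addinprocess32_network")
                hits.append({"rule": rule, "time": ts, "image": image,
                             "detail": f"{host}:{port}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["time"], hit["rule"], hit["image"], hit["detail"])
```

The browser's own connection to discord.com is deliberately left alone: the signal is the process making the connection and the chain that produced it, not the destination by itself.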

Notably, security researchers discovered that some variants use Korean-language strings in their configuration settings and registry keys, indicating the campaign’s targeted nature toward Korean-speaking users.
