
Phishing campaign targeted 40 companies in Colombia - Hackers installed Remcos malware

Over the past two months, Check Point researchers have identified and investigated a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries in Colombia. The attackers' goal was to install the infamous "Remcos" malware on the victims' computers.

Remcos, a sophisticated "Swiss Army Knife" RAT, gives attackers full control of the infected computer and can be used in a wide range of attacks. Common consequences of a Remcos infection include data theft, follow-on malware infections and account takeover.

Remote Access Trojans (RATs) are malware designed to allow a hacker to remotely control an infected computer. Once the RAT is executed on a compromised system, the attacker can send commands and receive responses.

The results of a Remcos infection usually include data theft, installation of additional malware and hijacking of users' accounts.

Remcos malware

Flow of attack

  1. Lure email: Attackers start by sending fake emails that look like they come from trusted sources, such as banks or companies in Colombia. These emails may talk about urgent matters, unpaid debts or exciting offers.
  2. Email attachment: Inside these emails there is a file that looks harmless, such as a ZIP or RAR archive. It claims to contain important documents or invoices to pique the recipient's interest.
  3. Hidden commands: The archive contains a highly obfuscated Batch (BAT) file. At runtime, the BAT file executes PowerShell commands that are also highly obfuscated. This multi-level obfuscation makes it difficult for security solutions to detect and analyze the malicious payload.
  4. Loading .NET modules: The PowerShell commands make the computer load two .NET modules that act as the attackers' tools. These modules are necessary for the later stages of the attack.
  5. First .NET module: evasion and unhooking: The job of the first module is to hide from and deceive the computer's defenses. It tries to disable security features so that the malicious payload does not get caught.
  6. Second .NET module: loading "LoadPE" and Remcos: The second .NET module dynamically loads another component called "LoadPE" from its resources. "LoadPE" is responsible for reflective loading, a technique that loads a Portable Executable (PE) file (in this case, the Remcos malware) directly into memory without it ever having to be written to disk.
  7. Reflective loading with "LoadPE": Using the "LoadPE" component, the attackers load the final payload, the Remcos malware, directly from its resources into memory. This reflective loading technique further improves the malware's ability to evade traditional antivirus and endpoint security solutions, as it bypasses the typical file-based detection mechanisms.
  8. The final payload: Remcos: With the Remcos malware successfully loaded into memory, the attack is complete. Remcos, a powerful Remote Administration Tool (RAT), gives the attackers full control of the compromised system. It serves as a Swiss Army knife for attackers, allowing them to perform a wide range of malicious activities, such as unauthorized access, data exfiltration, keylogging, remote monitoring and more.
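As an added example that is not part of this article or of Check Point's report, the Python triage script below mirrors the first two stages of the chain above (an archive attachment carrying a BAT file that hides a PowerShell launch) and scores such scripts by obfuscation indicators; the sample files, file names, regex patterns and scoring thresholds are constructed assumptions, and only ZIP archives are handled.

```python
import io
import re
import zipfile

# Heuristics for the first stages described above: an archive attachment holding a
# BAT file that reassembles a PowerShell command from fragments (illustrative, not signatures).
CARET = re.compile(r"\^")                            # cmd escape chars used as filler
VAR_CHAIN = re.compile(r"(?:%[A-Za-z0-9_]+%){3,}")   # %a%%b%%c% style reassembly
SET_DEF = re.compile(r"set\s+([A-Za-z0-9_]+)=([^&\r\n]*)", re.I)
PS_FLAGS = re.compile(r"-(?:encodedcommand|enc|noprofile|nop|w(?:indowstyle)?\s+hidden|ep\s+bypass)", re.I)

def deobfuscate(text: str) -> str:
    """Approximate what cmd.exe sees: expand %var% from 'set' lines, drop carets."""
    defs = dict(SET_DEF.findall(text))
    for _ in range(5):                               # bounded: references can nest
        new = re.sub(r"%(\w+)%", lambda m: defs.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text.replace("^", "")

def score_bat(text: str) -> dict:
    """Count obfuscation indicators in one batch script and attach a coarse score."""
    cleaned = deobfuscate(text)
    ind = {
        "caret": len(CARET.findall(text)),
        "var_chain": len(VAR_CHAIN.findall(text)),
        "ps_flags": len(PS_FLAGS.findall(cleaned)),
        "hidden_ps_name": "powershell" in cleaned.lower() and "powershell" not in text.lower(),  # name visible only after expansion
    }
    ind["score"] = ((1 if ind["caret"] >= 3 else 0) + (2 if ind["var_chain"] else 0)
                    + min(ind["ps_flags"], 3) + (2 if ind["hidden_ps_name"] else 0))
    return ind

def scan_archive(data: bytes) -> list:
    """Score every .bat/.cmd in a ZIP attachment (RAR would need an external library)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, score_bat(zf.read(n).decode("latin-1"))["score"])
                for n in zf.namelist() if n.lower().endswith((".bat", ".cmd"))]

# Constructed samples, not the campaign's real files: one shaped like the described loader, one ordinary admin script.
SAMPLE_BAT = ("@echo off\r\nset a=pow&set b=ers&set c=hell\r\nset d=%a%%b%%c%\r\n"
              "%d% -w hid^den -no^p -e^nc QQBBAEEA\r\n")
BENIGN_BAT = "@echo off\r\nxcopy C:\\data D:\\backup /E /Y\r\n"

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura_0001.bat", SAMPLE_BAT)
        zf.writestr("leeme.txt", "constructed benign file")
    return buf.getvalue()
```

Calling `scan_archive(build_sample_zip())` returns `[('Factura_0001.bat', 8)]`, while `score_bat(BENIGN_BAT)["score"]` is 0; in practice the score would feed a mail-gateway or sandbox verdict rather than stand alone.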

In the full technical investigation, the researchers' report delves into the details of the attack, highlighting the hidden techniques the attackers used to carry out their campaign.

Source of information: blog.checkpoint.com

Teo Ehc (https://secnews.gr)