Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign

In the late summer of 2020, the Bitdefender Active Threat Control team noticed a surge of Remcos malware, with most of the attacks taking place in Colombia. While the malware family has been known for quite a while to cyber-criminals and malware researchers alike, this new campaign captured our attention as it arrived on the victims’ computers via phishing e-mails related to financial services and COVID-19 information.
Malicious use of Remcos dates back to 2017, as this Remote Access Trojan has been largely used by both commercial and advanced threat actors (such as Gorgon or APT33). Unlike previous campaigns, the attack in Colombia leverages several interesting tactics:
- it uses the Coronavirus pandemic to lure victims into opening the spam message and running the initial malware;
- it uses additional payloads hard-coded in images through steganography. The images laced with malware are posted on a popular viral images website to evade blacklists;
- comes with several anti-reverse-engineering tricks to keep antimalware labs busy.
Privacy impact
By nature, Remote Access Trojans are major security threats as they allow attackers to gain complete control of the victim’s device and data, including access to sensors such as the webcam or microphone.
User credentials or data stored on the system may land in the wrong hands and used further to gain access to other accounts or to blackmail the victim.
tags
Author
Right now
Top posts
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
December 06, 2022
Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild
October 05, 2022
A Red Team Perspective on the Device42 Asset Management Appliance
August 10, 2022
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021