Security researchers discovered an attack campaign that abused fears surrounding the global coronavirus outbreak to deliver the Remcos RAT.

Yoroi Security detected the attack campaign when its threat intelligence activities uncovered a suspicious artifact named “CoronaVirusSafetyMeasures_pdf.” In their analysis, Yoroi’s researchers determined that the file established a TLS connection with the file-sharing platform “share.]dmca.]gripe”, potentially in a bid to evade detection by next-gen firewalls. The attack leveraged this connection to download a file that wrote two additional files, “filename1.vbs” and “filename1.exe”, to the “C:\Users\Subfolder” directory. The VBS script served as a launchpad for the executable, which established persistence by setting up a registry key.
The malware attack chain (Source: Yoroi Security)

The campaign then proceeded with its malicious activity, as described by Yoroi in its research:

Then, the malicious code stores sensitive information gathered from the monitoring of user keypresses in a file named “logs.dat”, placed in the “%AppData%\Local\Temp\onedriv” directory, different from the default Remcos working directory. Finally, all the loot is sent to the remote command and control hosted at 220.127.116.11, operated by “Total server solutions LLC”, a US hosting provider operating since 2012.

Researchers at Yoroi analyzed this network communication and found a “|cmd|” delimiter. This discovery led them to conclude that the attack campaign’s final payload was a customized build of Remcos.

After discovering the RAT family back in February 2017, Fortinet spotted a phishing campaign using several new spam samples of Remcos in October 2019.

This isn’t the only instance in which digital attackers have abused the co ..
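As an added illustration, not part of the original article or of Yoroi’s report, the following Python turns the host and network artifacts described above into a small triage scan: the dropped “filename1.vbs”/“filename1.exe” pair under a Users\Subfolder directory, the “logs.dat” keylog file under a Local\Temp\onedriv directory, and the “|cmd|” delimiter in the C2 traffic. The file-creation events and TCP payloads it runs over are constructed for the example; the registry key name and the C2 message framing are not given in the report and are not assumed here.

```python
from typing import Iterable, List, Optional, Tuple

# Host artifacts named in the Yoroi write-up. They are matched as
# case-insensitive path suffixes so any drive letter or user profile hits.
DROPPED_FILES = (
    r"\users\subfolder\filename1.vbs",
    r"\users\subfolder\filename1.exe",
)
KEYLOG_FILE = r"\local\temp\onedriv\logs.dat"

# Delimiter Yoroi observed in the customised Remcos C2 traffic.
C2_DELIMITER = b"|cmd|"


def _normalise(path: str) -> str:
    """Lower-case a Windows path and turn forward slashes into backslashes."""
    return path.replace("/", "\\").lower()


def match_file_path(path: str) -> Optional[str]:
    """Return 'dropper' or 'keylog' if the path matches a known artifact, else None."""
    p = _normalise(path)
    for fragment in DROPPED_FILES:
        if p.endswith(fragment):
            return "dropper"
    if p.endswith(KEYLOG_FILE):
        return "keylog"
    return None


def scan_file_events(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Flag file-creation events whose target path matches a known artifact."""
    hits = []
    for event in events:
        label = match_file_path(event["path"])
        if label:
            hits.append((label, event["path"]))
    return hits


def scan_payloads(payloads: Iterable[bytes]) -> List[int]:
    """Return the indices of payloads that carry the |cmd| delimiter."""
    return [i for i, payload in enumerate(payloads) if C2_DELIMITER in payload]


# Constructed sample events (not real telemetry) in a Sysmon-like shape.
SAMPLE_FILE_EVENTS = [
    {"proc": "winword.exe", "path": r"C:\Users\alice\Documents\report.docx"},
    {"proc": "CoronaVirusSafetyMeasures_pdf", "path": r"C:\Users\Subfolder\filename1.vbs"},
    {"proc": "CoronaVirusSafetyMeasures_pdf", "path": r"C:\Users\Subfolder\filename1.exe"},
    {"proc": "filename1.exe", "path": r"C:\Users\alice\AppData\Local\Temp\onedriv\logs.dat"},
    {"proc": "explorer.exe", "path": r"C:\Users\alice\AppData\Local\Temp\tmp123.tmp"},
]

# Constructed byte strings standing in for captured TCP payloads; the
# "|cmd|" delimiter is the only feature taken from the report.
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"\x18\x00\x00\x00|cmd|keylog|logs.dat|",
    b"\x00\x00\x00\x10random-binary-noise",
]

if __name__ == "__main__":
    for label, path in scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"[host] {label}: {path}")
    for index in scan_payloads(SAMPLE_PAYLOADS):
        print(f"[net] payload {index} carries {C2_DELIMITER!r}")
```

The file-path checks are the stronger signal here: a five-byte delimiter on its own is a weak network signature, and the report only establishes that it was visible in the traffic Yoroi captured, so treat a “|cmd|” hit as a prompt for closer inspection rather than a verdict.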