phishing_email Archives

Remcos RAT Malware Attacks Increase in Q3 2024

malicious downloads, Ophtek, phishing_email, PowerShell script, RAT, Remcos RAT, Remote Access Trojanmalicious downloads, Ophtek, phishing email, PowerShell Script, RAT, Remcos RAT, remote access trojanOphtek, LLC

Jan 2025

Malware has a habit of going through periods of intense activity, and this is exactly what the Remcos RAT malware has been up to in Q3 2024.

First detected in 2016, Remcos is somewhat of a veteran of the malware scene, but its activity has ramped up significantly throughout 2024. Reaching a peak during Q3 2024, Remcos has the potential to take control of infected machines remotely, hence the Remote Access Trojan (RAT) attachment to its name. This remote access allows the threat actors behind this latest campaign to both harvest data and monitor PC activities in real time. RATs are nothing new in the world of cybersecurity, but any notable surges in activity are always cause for concern.

To help protect your PCs from falling into the clutches of Remcos, we’re going to dive into the story behind it – and RATs in general – to uncover how they work.

Understanding RATs

The concept of a RAT is simple: they give a threat actor unauthorized remote access to a PC. First detected way back in the 1970s, a RAT is a strain of malware which threat actors use to take control, silently and discreetly, of your PCs.

With a RAT installed, the attackers can quickly gain access to all of your data and applications e.g. passwords, webcams, and microphones. This puts your organization at risk of falling victim to espionage and having your secure data compromised. Typically, RATs are spread via phishing emails or malicious downloads.

Behind the Scenes of Remcos’ Latest Attacks

The current Remcos campaign is interesting as, following investigation by McAfee researchers, it’s been discovered that two Remcos variants are currently active. The first Remcos variant uses a PowerShell script to download malicious files from a remote server and then inject it into a genuine Microsoft tool (RegASM.exe) to help conceal it. The second variant of Remcos is transmitted through phishing emails and exploits a known vulnerability (CVE-2017-11882) to give threat actors remote access.

Both variants are particularly virulent and persistent, with a number of innovative design features ensuring that they remain evasive and can operate under the radar. Remcos encodes its data in Base64 to avoid suspicion and also makes a point of not leaving any additional files on infected hard drives. Furthermore, Remcos edits the registry and startup folders in a way which enables it to load back up on every reboot.

Outsmarting Remote Access Trojans

Luckily, you don’t have to fall victim to Remcos or any other RAT attacks as Ophtek has your back. To help you get your defenses optimized, we’re going to share the three best ways to RAT-proof your IT infrastructure:

Use Antivirus and Keep Software Updated: Make sure all your PCs are protected by strong antivirus software – such as Kaspersky or AVG – which checks for malicious files in real-time. Alongside this measure, regularly update all your PC software to prevent hackers from exploiting vulnerabilities.

Be Cautious of Suspicious Emails: It’s critical that all your staff are mindful of the most identifiable signs of phishing emails. Dedicate part of your IT inductions to highlighting the danger of clicking on unexpected email links or attachments, and carry out refreshers on a regular basis. Ultimately, if an employee receives an email which looks slightly strange, they should always check this with an IT professional before taking action.

Practice Strong Password Security: One of the simplest ways to protect your IT systems is by using unique and strong passwords for your PCs and servers. Also, use multifactor authentication where possible, this means that even if an attacker obtains your passwords, there’s a further layer of security standing in their way.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Italian PC users have become the target of SambaSpy, a new strain of malware which appears to originate from Brazil and employs phishing emails.

First detected by Kaspersky in May 2024, SambaSpy currently only seems to have targeted PC users in Italy. This is unusual as threat actors tend to focus their attacks on a more global range to maximize potential victims. However, it’s being speculated that SambaSpy may be using Italy as a test run before going global. Regardless of its future plans, SambaSpy utilizes a multifunctional attack, and can log keystrokes, harvest data, take screenshots, download files, and take control of process management on infected PCs.

With its strong range of weaponry, SambaSpy represents a significant threat to PC users and needs investigating further.

Say Ciao to SambaSpy

The SambaSpy attack originates within a phishing email, one which contains either an embedded link or an HTML attachment. Once the HTML attachment has been activated, one of either a malware dropper or downloader is executed from a ZIP archive. The malware dropper will load the main payload of SambaSpy from the same ZIP archive whereas the downloader will retrieve it from a remote server. The dropper is used to retrieve the malware payload from a remote location. The embedded link route sends users on a convoluted journey to a malicious site hosting the downloader or dropper.

Once SambaSpy is fully activated, it has the potential to launch all of the attack threats previously mentioned. Therefore, it’s capable of compromising every single activity taking place on your PC. SambaSpy is also clever enough to load plugins when an infected PC starts up, this allows it to shape and change its activities as required. Also of note is that SambaSpy will actively seek out web browsers in order to steal data, putting login credentials and financial information at risk of being harvested.

The attack is believed to have originated from a Brazilian threat actor as one of the malicious webpages involved features JavaScript code with Brazilian Portuguese comments. A number of recent banking trojans – including BBTok and Mekotio – have recently targeted Latin American users with phishing scams, so there may be a connection between these and SambaSpy.

Navigating the Threat of SambaSpy

While SambaSpy has only been detected in Italy, this could change very quickly as the malware becomes more powerful and widespread. Therefore, to safeguard your PCs against this and other similar threats, you need to keep your team up to date with these best practices:

Always Scrutinize the Sender: if you don’t recognize the sender of an email, then this should immediately be cause for concern when attachments or embedded links are included. Also, many threat actors will fake genuine email addresses, but use slightly different spellings e.g. support@m1crosoft.com in order to lull you into a false sense of security. Additionally, if an email claims to be from a large company but is using a generic email address such as BankofAmerica@gmail.com, this is also likely to be a phishing email.
Identify Red Flags: phishing emails will often contain urgent language designed to provoke you into making an immediate response. These call-to-actions are often along the lines of “your account has been compromised” or “this update must be downloaded to secure your PC” to instill a sense of fear. Additionally, phishing emails often have numerous grammatical errors and poor spelling, so make sure you’re aware of these telltale signs.

For more ways to secure and optimize your business technology, contact your loc al IT professionals.

Category Archives: phishing_email