Remcos RAT Archives

Remcos RAT Malware Attacks Increase in Q3 2024

malicious downloads, Ophtek, phishing_email, PowerShell script, RAT, Remcos RAT, Remote Access Trojanmalicious downloads, Ophtek, phishing email, PowerShell Script, RAT, Remcos RAT, remote access trojanOphtek, LLC

Jan 2025

Malware has a habit of going through periods of intense activity, and this is exactly what the Remcos RAT malware has been up to in Q3 2024.

First detected in 2016, Remcos is somewhat of a veteran of the malware scene, but its activity has ramped up significantly throughout 2024. Reaching a peak during Q3 2024, Remcos has the potential to take control of infected machines remotely, hence the Remote Access Trojan (RAT) attachment to its name. This remote access allows the threat actors behind this latest campaign to both harvest data and monitor PC activities in real time. RATs are nothing new in the world of cybersecurity, but any notable surges in activity are always cause for concern.

To help protect your PCs from falling into the clutches of Remcos, we’re going to dive into the story behind it – and RATs in general – to uncover how they work.

Understanding RATs

The concept of a RAT is simple: they give a threat actor unauthorized remote access to a PC. First detected way back in the 1970s, a RAT is a strain of malware which threat actors use to take control, silently and discreetly, of your PCs.

With a RAT installed, the attackers can quickly gain access to all of your data and applications e.g. passwords, webcams, and microphones. This puts your organization at risk of falling victim to espionage and having your secure data compromised. Typically, RATs are spread via phishing emails or malicious downloads.

Behind the Scenes of Remcos’ Latest Attacks

The current Remcos campaign is interesting as, following investigation by McAfee researchers, it’s been discovered that two Remcos variants are currently active. The first Remcos variant uses a PowerShell script to download malicious files from a remote server and then inject it into a genuine Microsoft tool (RegASM.exe) to help conceal it. The second variant of Remcos is transmitted through phishing emails and exploits a known vulnerability (CVE-2017-11882) to give threat actors remote access.

Both variants are particularly virulent and persistent, with a number of innovative design features ensuring that they remain evasive and can operate under the radar. Remcos encodes its data in Base64 to avoid suspicion and also makes a point of not leaving any additional files on infected hard drives. Furthermore, Remcos edits the registry and startup folders in a way which enables it to load back up on every reboot.

Outsmarting Remote Access Trojans

Luckily, you don’t have to fall victim to Remcos or any other RAT attacks as Ophtek has your back. To help you get your defenses optimized, we’re going to share the three best ways to RAT-proof your IT infrastructure:

Use Antivirus and Keep Software Updated: Make sure all your PCs are protected by strong antivirus software – such as Kaspersky or AVG – which checks for malicious files in real-time. Alongside this measure, regularly update all your PC software to prevent hackers from exploiting vulnerabilities.

Be Cautious of Suspicious Emails: It’s critical that all your staff are mindful of the most identifiable signs of phishing emails. Dedicate part of your IT inductions to highlighting the danger of clicking on unexpected email links or attachments, and carry out refreshers on a regular basis. Ultimately, if an employee receives an email which looks slightly strange, they should always check this with an IT professional before taking action.

Practice Strong Password Security: One of the simplest ways to protect your IT systems is by using unique and strong passwords for your PCs and servers. Also, use multifactor authentication where possible, this means that even if an attacker obtains your passwords, there’s a further layer of security standing in their way.

For more ways to secure and optimize your business technology, c ontact your local IT professionals.

Infected GitHub Links Target Financial Services

GitHub, online links, Ophtek, Phishing Email, Remcos RAT, Remote Access Trojan, security softwareGitHub, online links, Ophtek, phishing email, Remcos RAT, remote access trojan, security softwareOphtek, LLC

Nov 2024

A new malware campaign, targeting finance and insurance sectors, is using infected GitHub repositories to distribute the Remcos remote access trojan (RAT).

GitHub is an online platform which allows software developers to store and share code online. It’s like an online hard drive, but one which is specifically dedicated to coding projects. It’s main use is to foster collaboration between developers and track changes in their code as it evolves. However, as it’s a trusted source, it makes it the perfect target for hackers. On this occasion, the threat actors haven’t been starting malicious repositories. Instead, they’ve been taking advantage of the comments section in legitimate repositories.

The Dangers of GitHub Comments

The GitHub attack in question appears to be targeting genuine open-source repositories, with those affected including HMRC, Inland Revenue, and UsTaxes. These are well-known and trusted repositories. Users wouldn’t expect to be infected by malware visiting these, whereas lesser known and newer repositories pose more of an obvious risk. So, how are the threat actors compromising these accounts? Well, they’re uploading malware files into the comments section.

Although the comment is deleted, the link to file stays in place. Phishing emails are then used to redirect users to the infected link on GitHub. Again, as GitHub is a genuine, trusted platform, these phishing emails are not detected as being suspicious. This puts the recipient at risk of unknowingly downloading and executing the Remcos RAT. This RAT allows threat actors to remotely take control of an infected PC. From here, they can steal your data, execute further commands on your system, and monitor all your activity. This makes the attack highly dangerous and follows in the footsteps of numerous GitHub attacks in the last year.

Staying Safe from Malicious Comments

Your employees may not have anything to do with software development, but the Remcos RAT relies on phishing techniques which could easily deceive them. Therefore, you need to ensure your employees stay safe from this innovative threat. The best way to achieve this is by following these best practices:

Identify Phishing Emails: It’s important that you team understand how to identify a phishing email. These can be highly convincing and often use language of an urgent nature to force recipients into taking actions without thinking. Educating your staff on these telltale signs will minimize the risk of their PCs becoming compromised by malware.
Be Suspicious of Online Links: Whether a link is contained within an email or on a trusted website, you should always be suspicious. These links can often hide malicious content, and this can then be used by threat actors to steal personal data or take control of your PC. Always verify a link with an IT professional before clicking on it.
Use Security Software: You can protect your PCs from malicious links by using security software such as AVG or McAfee. These tools actively scan web traffic and block access to known dangerous sites. They also detect suspicious behaviors, like phishing attempts, and pre-warn you about malicious links, all in real-time. By filtering out harmful content and preventing access to malicious websites, the risk of malware infections is significantly reduced.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Tag Archives: Remcos RAT