{"id":6369,"date":"2021-06-02T09:48:48","date_gmt":"2021-06-02T16:48:48","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6369"},"modified":"2024-08-07T12:22:22","modified_gmt":"2024-08-07T19:22:22","slug":"remcosrat-malspam-campaign-spoofs-uae-machinery-company-correspondence","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/remcosrat-malspam-campaign-spoofs-uae-machinery-company-correspondence\/","title":{"rendered":"RemcosRAT Malspam Campaign Spoofs UAE Machinery Company Correspondence"},"content":{"rendered":"

Author: Nick Sundvall<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

On 23 May, we observed a malspam campaign distributing a ZIP file containing Remcos, a remote access trojan (RAT) designed to remotely control a victim\u2019s computer. The campaign\u2019s email subjects attempted to gain the victim\u2019s trust by impersonating a legitimate United Arab Emirates company called Al Salehi Machinery & Equipment Repairing.<\/p>\n

We have previously reported on various Remcos campaigns, including one distributing the malware via malicious RTF files in 2019 and another via malicious XLS files in 2020.[1]<\/sup>,[2]<\/sup><\/p>\n

Customer Impact<\/h3>\n

A German company called Breaking Security has been offering Remcos for sale online since 2016.[3]<\/sup> There is currently a free version available with limited features, as well as a paid version starting at 58 Euros. While it is marketed as a legitimate remote administration tool, it is frequently abused by threat actors and used for malicious purposes.<\/p>\n

Breaking Security actively maintains and updates Remcos. Its capabilities include remotely controlling infected computers, logging keystrokes, taking screenshots and more.\u00a0<\/strong><\/p>\n

Campaign Analysis<\/h3>\n

The threat actor behind this campaign used the email subject RE: Stanadyne Enquiry<\/em>, imitating a conversation between Al Salehi Machinery & Equipment Repairing and Stanadyne, a fuel pump manufacturer. The emails included links to a legitimate website for Al Salehi, as well as their Facebook and LinkedIn pages. The sender\u2019s address, purchase@alsalehi[.]ae<\/em>, also adds legitimacy to the emails.<\/p>\n

Attached to the emails is a ZIP file named Al Salehi Machinery & Equipment Repairing Enquiry.zip<\/em>, containing the malicious Remcos executable Al Salehi Machinery & Equipment Repairing Enquiry.exe<\/em>.<\/p>\n

Attack Chain<\/h3>\n

Upon opening the attached ZIP file, the victim is able to extract the malicious EXE – Al Salehi Machinery & Equipment Repairing Enquiry.exe<\/em> – from the archive. Running the EXE initiates the Remcos RAT.<\/p>\n

From here, Remcos reaches out to Google and Bing before finally contacting its command and control (C&C) server. The threat actor then gains remote control of the computer and is able to run additional commands and send new payloads.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Malspam email campaigns are a common distribution method for phishing scams. Infoblox therefore recommends the following precautions to avoid phishing attacks:<\/p>\n