Rise of Remcos Weaponized as RAT

Remcos is advertised as a legitimate remote administration tool used for surveillance and penetration testing purposes; however, threat actors weaponize it as a remote access trojan (RAT) to gain unauthorized access, steal credentials, capture and exfiltrate data, and install additional malware such as keyloggers, spyware, and ransomware. Throughout September and October, the NJCCIC observed a rise in Remcos RAT campaigns targeting New Jersey State employees with lures of quotations, payment advice, supplies, orders, deliveries, and urgent inquiries. The emails include an attachment named after one of the lures, optionally followed by a “PDF” label so that it appears to be a legitimate Adobe PDF file, and ending in a RAR or GZ file extension. The archives contain compressed VBScripts that, when opened, install the malicious Remcos RAT. Researchers discovered similar Remcos RAT campaigns utilizing attachments with ZIP, SVG, and GZ file extensions to drop BAT files that execute obfuscated PowerShell scripts.

The NJCCIC also received a report that a downloaded file appeared to be a PDF file. Once the malware was installed, it started messaging others to spread the same file. The local security software blocked an outbound connection attempt from a malicious executable called “WINDBVER” to a command and control (C2) server on IP address 108[.]181[.]121[.]140. VirusTotal flagged this IP address as malicious and associated it with Remcos RAT activity in the past month.
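As an added, constructed example (not code from the NJCCIC advisory), the following Python flags the two defender-visible patterns described above: attachment names that combine a lure word, an optional “PDF” label, and an archive or SVG extension, and outbound connection events either to the advisory's C2 address or from the “WINDBVER” process. The log line format, host names, port numbers, and the benign addresses (taken from the RFC 5737 documentation ranges) are assumptions made for illustration; the lure words, file extensions, process name, and C2 IP address are the ones the advisory reports.

```python
"""Flag Remcos RAT delivery and C2 traits described in the NJCCIC advisory (added example)."""
import re
from typing import Dict, List

# Attachment traits from the advisory: a lure word, an optional "PDF" label that
# mimics an Adobe PDF, and an archive (or SVG) extension wrapping a VBScript/BAT.
LURE_WORDS = ("quotation", "payment advice", "supplies", "order", "delivery", "urgent")
DROPPER_EXTS = ("rar", "gz", "zip", "svg")
# "pdf" as a separate token inside the stem, e.g. "Quotation_PDF" or "Urgent Inquiry PDF".
FAKE_PDF_RE = re.compile(r"(?:^|[ _.-])pdf(?:$|[ _.-])", re.IGNORECASE)

# Network indicators from the advisory (the IP is written defanged there as 108[.]181[.]121[.]140).
KNOWN_C2_IPS = {"108.181.121.140"}
SUSPECT_PROCESS = "windbver"

# Assumed log format for the illustration: "<ts> host=<h> proc=<exe> dst=<ip>:<port> action=<a>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) action=(?P<action>\S+)$"
)


def classify_attachment(filename: str) -> List[str]:
    """Return the advisory traits an attachment name matches, in a fixed order."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    reasons: List[str] = []
    if ext in DROPPER_EXTS:
        reasons.append(f"dropper-extension:{ext}")
        stem = name[: -(len(ext) + 1)]
        if FAKE_PDF_RE.search(stem):
            reasons.append("fake-pdf-label")
    if any(word in name for word in LURE_WORDS):
        reasons.append("lure-keyword")
    return reasons


def is_suspicious(filename: str) -> bool:
    """A dropper extension plus either a fake PDF label or a lure word is the campaign pattern."""
    reasons = classify_attachment(filename)
    has_dropper = any(r.startswith("dropper-extension:") for r in reasons)
    return has_dropper and ("fake-pdf-label" in reasons or "lure-keyword" in reasons)


def parse_connection_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse outbound connection events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_c2_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return events that reach a known C2 address or originate from the suspect process."""
    hits = []
    for event in parse_connection_log(lines):
        proc_stem = event["proc"].lower().rsplit(".", 1)[0]
        why = []
        if event["ip"] in KNOWN_C2_IPS:
            why.append("known-c2-ip")
        if proc_stem == SUSPECT_PROCESS:
            why.append("suspect-process")
        if why:
            hits.append({**event, "why": ",".join(why)})
    return hits


# Constructed sample data for a stand-alone run; not observed data from the advisory.
SAMPLE_ATTACHMENTS = [
    "Quotation_PDF.rar",
    "Payment Advice.gz",
    "Urgent Inquiry PDF.zip",
    "Q3_budget.xlsx",
    "invoice.pdf",
]
SAMPLE_LOG = [
    "2024-10-03T14:02:11Z host=WS-204 proc=WINDBVER.exe dst=108.181.121.140:443 action=blocked",
    "2024-10-03T14:02:40Z host=WS-204 proc=outlook.exe dst=203.0.113.10:443 action=allowed",
    "2024-10-03T14:05:02Z host=WS-117 proc=chrome.exe dst=198.51.100.5:443 action=allowed",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:28} suspicious={is_suspicious(name)} {classify_attachment(name)}")
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"C2 hit on {hit['host']}: {hit['proc']} -> {hit['ip']} ({hit['action']}, {hit['why']})")
```

The attachment rule deliberately requires a dropper extension: a genuine `.pdf` that merely mentions a quotation is not flagged, while an archive that carries a “PDF” label or a lure word is. The connection rule matches on either indicator independently, so a renamed binary reaching the known address, or the named process reaching a new address, both surface for review.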

Recommendations

  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Navigate to official websites by manually typing official website URLs into browsers, and only submit account credentials and sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Run updated and reputable anti-virus or anti-malware programs.
  • Report malicious cyber activity to the NJCCIC and the FBI’s IC3.