Author: Nick Sundvall
On 23 May, we observed a malspam campaign distributing a ZIP file containing Remcos, a remote access trojan (RAT) designed to remotely control a victim’s computer. The campaign’s email subjects attempted to gain the victim’s trust by impersonating a legitimate United Arab Emirates company called Al Salehi Machinery & Equipment Repairing.
We have previously reported on various Remcos campaigns, including one distributing the malware via malicious RTF files in 2019 and another via malicious XLS files in 2020.
A German company called Breaking Security has been offering Remcos for sale online since 2016. There is currently a free version available with limited features, as well as a paid version starting at 58 Euros. While it is marketed as a legitimate remote administration tool, it is frequently abused by threat actors and used for malicious purposes.
Breaking Security actively maintains and updates Remcos. Its capabilities include remotely controlling infected computers, logging keystrokes, taking screenshots and more.
The threat actor behind this campaign used the email subject "RE: Stanadyne Enquiry", imitating an ongoing conversation between Al Salehi Machinery & Equipment Repairing and Stanadyne, a fuel pump manufacturer. The emails included links to Al Salehi's legitimate website and to its Facebook and LinkedIn pages. The sender address, purchase@alsalehi[.]ae, lends the emails a further appearance of legitimacy.
Attached to the emails is a ZIP file named Al Salehi Machinery & Equipment Repairing Enquiry.zip, containing an executable of the same name, Al Salehi Machinery & Equipment Repairing Enquiry.exe, which is the malicious Remcos payload.
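The delivery pattern described above (a ZIP attachment whose only payload is a Windows executable carrying the same base name as the archive) is easy to check for at the mail gateway before a user ever opens it. The following is an added example, not Infoblox code and not part of the original report: it unpacks an attachment in memory, flags any member that either carries an executable extension or starts with the PE/DOS "MZ" signature, and reports whether the member's name mirrors the archive's name. It goes slightly beyond the campaign by also catching an executable renamed to a document extension, which the extension check alone would miss. The sample archive is constructed inline with dummy bytes; it reuses only the file names from the report and contains no real Remcos sample.

```python
"""Inspect a ZIP e-mail attachment for Windows executables.

Added example, not Infoblox code. The sample archive built below is
constructed in memory with a dummy 'MZ' header; it does not contain Remcos.
"""
import io
import os
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}

# File names from the campaign described above (names only; the content is fake).
CAMPAIGN_ZIP_NAME = "Al Salehi Machinery & Equipment Repairing Enquiry.zip"
CAMPAIGN_EXE_NAME = "Al Salehi Machinery & Equipment Repairing Enquiry.exe"


def find_executable_members(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive member that is, or looks like, an executable.

    A member is flagged if its extension is in EXECUTABLE_EXTENSIONS or if its
    first two bytes are the PE/DOS 'MZ' signature, so renaming an .exe to .pdf
    does not evade the check.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            has_mz = magic == b"MZ"
            if ext in EXECUTABLE_EXTENSIONS or has_mz:
                findings.append({
                    "name": info.filename,
                    "extension": ext,
                    "mz_header": has_mz,
                    # executable content hiding behind a non-executable extension
                    "extension_mismatch": has_mz and ext not in EXECUTABLE_EXTENSIONS,
                    "size": info.file_size,
                })
    return findings


def names_match(zip_name: str, member_name: str) -> bool:
    """True when the archive and a member share a base name, the lure pattern seen in this campaign."""
    archive_base = os.path.splitext(os.path.basename(zip_name))[0]
    member_base = os.path.splitext(os.path.basename(member_name))[0]
    return archive_base == member_base


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real sample): a fake PE carrying the
    campaign's file name, a fake PE renamed to .pdf, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CAMPAIGN_EXE_NAME, b"MZ" + b"\x00" * 62 + b"dummy PE body, not Remcos")
        zf.writestr("Quotation.pdf", b"MZ" + b"\x00" * 62 + b"renamed executable, also dummy")
        zf.writestr("readme.txt", b"plain text, should not be flagged")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for hit in find_executable_members(sample):
        print(hit, "| name mirrors archive:", names_match(CAMPAIGN_ZIP_NAME, hit["name"]))
```

In a gateway, any non-empty result from `find_executable_members` is grounds to quarantine the message; the `names_match` flag and the `extension_mismatch` flag are useful as enrichment for the analyst rather than as the sole verdict, since legitimate software is occasionally mailed this way.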
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.