Author: Jeremy Ware
TLP: WHITE
During the week of 9 November, we discovered a malspam campaign distributing the Remcos remote access trojan (RAT). The emails in this campaign carried malicious Microsoft Office documents that required the user to enable macros to execute the Remcos payload.
Remcos can control systems and cameras, act as a proxy for internet traffic, perform screen captures remotely, check browser cache and settings, and search files for password stores. It also includes a command-line interface (CLI) for full remote control.
The campaign we observed uses purchase-order and item-list lures in both the subject line (Re: Item request list from Medigas SRL) and the attachment file name (Item List 09112020.xls). Every email we observed used the same subject line, file name and sender data, and the message body was empty.
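Because the lure is so uniform (Office attachment, empty body, purchase-order subject, macros required), it lends itself to simple mail triage. The script below is an added example written for this page, not Infoblox's tooling or anything from the report: it parses raw RFC 822 messages, pulls out Office attachments, checks whether the attachment is a macro-capable container, and scores the message on the traits described above. It generalizes slightly beyond the campaign by handling both legacy OLE2 files (.xls/.doc) and OOXML files (.xlsx/.xlsm/.docm). The sample messages, sender addresses and file contents are constructed and contain no real malware; the OLE2 macro check is a string heuristic (looking for the `_VBA_PROJECT` stream name) that is an assumption here, and a real pipeline should use a proper parser such as oletools' olevba.

```python
"""Triage helper for macro-bearing purchase-order malspam.

Added example, not Infoblox's code. Sample messages are constructed.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc (OLE2) container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.xlsx/.xlsm/.docm) container
OFFICE_EXT = re.compile(r"\.(xls[xm]?|doc[xm]?)$", re.IGNORECASE)
PO_SUBJECT = re.compile(r"\b(purchase\s+order|item\s+(request\s+)?list)\b", re.IGNORECASE)


def has_macro_container(data: bytes) -> bool:
    """True when the attachment can carry VBA macros.

    OOXML: only archives holding a vbaProject.bin part can contain macros.
    OLE2: heuristic (assumption) - the VBA storage shows up as the UTF-16LE
    directory entry name '_VBA_PROJECT'; a full OLE parser is more reliable.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.endswith("vbaProject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def body_is_empty(msg: EmailMessage) -> bool:
    """True when the message has no text/html body or only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def triage(raw: bytes) -> dict:
    """Score one raw message; weights are an arbitrary choice for this example."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": str(msg["subject"] or ""), "attachments": [],
              "score": 0, "reasons": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not OFFICE_EXT.search(name):
            continue
        data = part.get_payload(decode=True) or b""
        macro = has_macro_container(data)
        result["attachments"].append({"name": name, "macro": macro})
        if macro:
            result["score"] += 3
            result["reasons"].append(f"macro container in {name}")
    if result["attachments"] and body_is_empty(msg):
        result["score"] += 2
        result["reasons"].append("Office attachment with empty body")
    if PO_SUBJECT.search(result["subject"]):
        result["score"] += 1
        result["reasons"].append("purchase-order style subject")
    result["suspicious"] = result["score"] >= 4
    return result


# --- constructed sample data (not real campaign artifacts) -----------------
def make_ooxml(with_macro: bool) -> bytes:
    """Minimal zip that looks like an OOXML workbook, optionally with VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro: bool) -> bytes:
    """Bytes with an OLE2 magic header and, optionally, the VBA stream name."""
    body = b"\x00" * 64
    if with_macro:
        body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16
    return OLE_MAGIC + body


def build_sample(subject: str, body: str, attach_name: str, attach: bytes) -> bytes:
    """Assemble a multipart message with one attachment (constructed sender)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attach, maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg.as_bytes()


SAMPLE_LURE = build_sample("Re: Item request list from Example Co", "",
                           "Item List 09112020.xls", make_ole(True))
SAMPLE_BENIGN = build_sample("Q3 budget", "Hi, the budget is attached.",
                             "budget.xlsx", make_ooxml(False))

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(raw))
```

Run against a mailbox export, the same function can be pointed at each message in turn; the score threshold and weights are deliberately conservative so that a lone purchase-order subject or a macro-free spreadsheet does not trip it on its own.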
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.