New Stealthy Remcos Malware Campaigns Target Businesses and Schools – Source:hackread.com https://ciso2ciso.com/new-stealthy-remcos-malware-campaigns-target-businesses-and-schools-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #Forcepoint #Hackread #Phishing #security #malware #Remcos
New: #Remcos malware is back with stealthy phishing campaigns hitting businesses and schools using tricky path bypass with spoofed and hacked emails.
Details here: https://hackread.com/remcos-malware-campaigns-hit-businesses-and-schools/
New #phishing campaign uses #DBatLoader to drop #Remcos RAT.
The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to #VirusTotal.
Execution chain: #Phish Archive → DBatLoader → CMD → SndVol.exe (Remcos injected)
#ANYRUN allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice
Key techniques:
.cmd files obfuscated with #BatCloak are used to download and run the #payload.
Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe).
Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence.
Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file.
UAC bypass is achieved with fake directories like “C:\Windows “ (note the trailing space), exploiting how Windows handles folder names.
This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or other anomalous activity are crucial to catching it early. #ANYRUN Sandbox provides the visibility needed to spot these techniques in real time.
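The techniques listed above (trailing-space mock directory, esentutl.exe used as a copy primitive, a scheduled task pointing at a .url file, cmd.exe renamed to a .pif) are all visible in process-creation telemetry. The following is an added example written by the editor, not code from the post, from ANY.RUN, or from the campaign: a small rule set run over constructed Sysmon-style records. The record format (`Image=…|CommandLine=…|ParentImage=…`), the paths, the task name and the sample filenames are all assumptions made for the example; the only facts it relies on are that the Win32 path layer strips trailing spaces from directory names (so a real `C:\Windows \` component never appears in legitimate paths and can only be created via the `\\?\` prefix) and the documented `esentutl.exe /y <src> /d <dst> /o` LOLBAS copy syntax.

```python
import re

# Constructed Sysmon-style process-creation records (Image|CommandLine|ParentImage),
# modelled on the chain in the post above. Paths, task name and the .url/.pif
# filenames are illustrative samples, not indicators taken from the campaign.
SAMPLE_EVENTS = [
    # LOLBAS: esentutl /y <src> /d <dst> /o copies cmd.exe to a .pif
    r'Image=C:\Windows\System32\esentutl.exe|CommandLine=esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o|ParentImage=C:\Windows\System32\cmd.exe',
    # persistence: scheduled task whose action is a .url file
    r'Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /sc minute /mo 1 /tn Update /tr "C:\Users\Public\Cmwdnsyn.url" /f|ParentImage=C:\Windows\System32\cmd.exe',
    # the renamed cmd.exe (.pif) launched via the .url shortcut
    r'Image=C:\Users\Public\alpha.pif|CommandLine="C:\Users\Public\alpha.pif"|ParentImage=C:\Windows\explorer.exe',
    # mock trusted directory: "C:\Windows " (trailing space) before \System32
    r'Image=C:\Windows \System32\SndVol.exe|CommandLine="C:\Windows \System32\SndVol.exe"|ParentImage=C:\Users\Public\alpha.pif',
    # benign: the genuine SndVol.exe from the genuine directory
    r'Image=C:\Windows\System32\SndVol.exe|CommandLine="C:\Windows\System32\SndVol.exe"|ParentImage=C:\Windows\explorer.exe',
]

# A directory component that ends in a space, e.g. "C:\Windows \". Win32 path
# normalisation strips trailing spaces, so such a directory only exists when created
# through the \\?\ prefix and should never appear in a legitimate process path.
TRAILING_SPACE_DIR = re.compile(r' \\')
# esentutl.exe /y <source> /d <destination> (quoted or bare paths)
ESENTUTL_COPY = re.compile(r'/y\s+(?:"([^"]+)"|(\S+))\s+/d\s+(?:"([^"]+)"|(\S+))', re.I)
# schtasks.exe ... /tr <action>
SCHTASKS_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
# Shortcut/script types that are suspicious as a scheduled-task action
SUSPICIOUS_TASK_EXTS = {'.url', '.pif', '.cmd', '.bat', '.vbs', '.js', '.lnk'}


def parse_event(line):
    """Split a 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        fields[key.strip()] = value.strip()
    return fields


def file_ext(path):
    """Lower-cased extension of a (possibly quoted) Windows path, '' if none."""
    name = path.strip('"').replace('/', '\\').rsplit('\\', 1)[-1]
    dot = name.rfind('.')
    return name[dot:].lower() if dot > 0 else ''


def findings_for(ev):
    """Return the list of detections that fire on one parsed event."""
    image = ev.get('Image', '')
    cmd = ev.get('CommandLine', '')
    parent = ev.get('ParentImage', '')
    exe = image.rsplit('\\', 1)[-1].lower()
    out = []

    # 1. Mock trusted directory (UAC bypass): trailing space in a path component
    for label, path in (('Image', image), ('ParentImage', parent), ('CommandLine', cmd)):
        if TRAILING_SPACE_DIR.search(path):
            out.append(f'mock trusted directory (trailing-space component) in {label}: {path}')
            break

    # 2. esentutl LOLBAS copy that changes the file extension (cmd.exe -> .pif here)
    if exe == 'esentutl.exe':
        m = ESENTUTL_COPY.search(cmd)
        if m:
            src = m.group(1) or m.group(2)
            dst = m.group(3) or m.group(4)
            if file_ext(src) != file_ext(dst):
                out.append(f'esentutl copy with extension change: {src} -> {dst}')

    # 3. Scheduled task whose action is a shortcut or script rather than an executable
    if exe == 'schtasks.exe':
        m = SCHTASKS_ACTION.search(cmd)
        if m:
            action = m.group(1) or m.group(2)
            if file_ext(action) in SUSPICIOUS_TASK_EXTS:
                out.append(f'scheduled task action is a {file_ext(action)} file: {action}')

    # 4. Any process whose image is a .pif (a renamed executable; cmd.exe in this chain)
    if file_ext(image) == '.pif':
        out.append(f'process image has .pif extension: {image}')

    return out


def scan(lines):
    """Run the rules over raw records; returns one findings list per record."""
    return [findings_for(parse_event(line)) for line in lines]


if __name__ == '__main__':
    for line, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(parse_event(line)['Image'])
        for hit in hits:
            print('  !', hit)
```

The trailing-space rule is the cheapest and highest-signal of the four: the genuine SndVol.exe record produces no hit, while the copy running from `C:\Windows \System32` is flagged on the image path alone, before any injection into it has to be observed. The esentutl and schtasks rules will need tuning against an environment's own admin scripts, which is why each is keyed on an extension change or a non-executable task action rather than on the binary name by itself.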
Watch out for ZIP and shortcut files on #Windows as attackers are using fake PDF icons to trick users into installing the #Remcos trojan and taking over their computers.
Read: https://hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/
FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge – Source:hackread.com https://ciso2ciso.com/fakeupdates-remcos-agenttesla-top-malware-charts-in-stealth-attack-surge-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Hackread #security #malware #Remcos
FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge https://hackread.com/fakeupdates-remcos-agenttesla-malware-attack-charts/ #Cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Security #Malware #Remcos
Gamaredon Campaign Detection: Russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor – Source: socprime.com https://ciso2ciso.com/gamaredon-campaign-detection-russia-backed-apt-group-targets-ukraine-using-lnk-files-to-spread-remcos-backdoor-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Latestthreats #socprimecom #Gamaredon #Phishing #socprime #Remcos #Blog #APT
Malspam Monday is when I check the inboxes of my honeypot accounts for anything interesting distributed through email.
Today, I found an example of #GuLoader for #Remcos #RAT
Details at https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt
Social media post I wrote about #RemcosRAT for my employer at https://www.linkedin.com/posts/unit42_remcos-rat-keylogger-activity-7304958245322768385-tu-a/ and https://x.com/malware_traffic/status/1899207006939947440
2025-03-10 (Monday): #Remcos #RAT activity. Email distribution used a zip archive attachment with a .7z file extension. During a test infection, we saw indicators of a #Keylogger and a Hacking tool to view browser passwords.
More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt
A #pcap of the infection traffic and the associated #malware files are available at https://malware-traffic-analysis.net/2025/03/10/index.html
Remcos RAT Malware Evolves with New Techniques – Source: www.infosecurity-magazine.com https://ciso2ciso.com/remcos-rat-malware-evolves-with-new-techniques-source-www-infosecurity-magazine-com/ #rssfeedpostgeneratorecho #InfoSecurityMagazine #InfosecurityMagazine #CyberSecurityNews #Remcos
New Remcos RAT Variant Targets Windows Users Via Phishing – Source: www.infosecurity-magazine.com https://ciso2ciso.com/new-remcos-rat-variant-targets-windows-users-via-phishing-source-www-infosecurity-magazine-com/ #rssfeedpostgeneratorecho #InfoSecurityMagazine #InfosecurityMagazine #CyberSecurityNews #Remcos
Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows – Source:hackread.com https://ciso2ciso.com/hackers-use-excel-files-to-deliver-remcos-rat-variant-on-windows-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #Microsoft #Hackread #security #malware #Windows #Remcos #Excel #RAT
Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows https://hackread.com/hackers-use-excel-files-remcos-rat-variant-windows/ #Microsoft #Security #Malware #Windows #Remcos #Excel #RAT
CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.
Fake Hot Fix for CrowdStrike ”crowdstrike-hotfix.zip” Spreads Remcos RAT https://hackread.com/fake-hot-fix-crowdstrike-crowdstrike-hotfix-zip-remcos-rat/ #Cybersecurity #PhishingScam #CrowdStrike #Security #security #Malware #Remcos #Scam