Remcos RAT is a fully functional Remote Access Trojan (RAT) that has been deployed with increasingly inventive techniques to compromise and damage computer systems. It can enter a system through suspicious downloads, e-mail attachments, or websites, often without being detected. Notably, the Remcos RAT EXE payload uses null byte injection, a technique for evading detection by security products. The malware is commonly distributed via malicious Microsoft Office documents named Quotation.xls or Quotation.doc, most likely attached to spam e-mails. Once the document is activated, the executable initiates the subsequent attack stages.
Over the past year, Remcos RAT has targeted organizations in Eastern Europe and accountants in the United States. It leverages an old Windows User Account Control (UAC) bypass technique and has also been used in campaigns timed ahead of tax filing deadlines in the U.S. Earlier this year, a threat actor tracked as UNC-0050, known for targeting Ukrainian organizations with Remcos RAT, was observed launching a novel attack on Ukraine's government using a rare data transfer tactic.
A campaign discovered in January uses a distinctive infection routine built around a piece of code tagged "racon", which fetches the second-stage payload and performs connectivity checks and campaign analytics. The loader locates and extracts the Remcos RAT code, which is smuggled onto the victim machine inside the IDAT block of an embedded steganographic PNG image. The payloads downloaded in this campaign are remote access trojans, specifically AsyncRAT and Remcos RAT. The fact that Remcos RAT and Quasar RAT samples beacon to the same IP addresses suggests a connection between these threats.
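As an added example (not from this description or from any Remcos sample), the script below walks the chunk stream of a suspect PNG and reports what a triage analyst would check when a payload is thought to be hiding in IDAT: CRC mismatches, IDAT data that does not inflate or inflates to the wrong size for the IHDR dimensions, and bytes appended after IEND. The sample images are constructed inline and the image is assumed to be non-interlaced.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def chunk(ctype, body):
    """Build one chunk with a correct CRC (used here only to construct sample images)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def parse_chunks(data):
    """Walk the chunk stream; return (chunks, number of bytes found after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, stored = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        crc_ok = stored == struct.pack(">I", zlib.crc32(ctype + body))
        chunks.append({"type": ctype, "body": body, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos

def triage(data):
    """Findings an analyst would check when a payload is suspected inside IDAT."""
    chunks, trailing = parse_chunks(data)
    findings = [f"bad CRC on {c['type'].decode('latin-1')}" for c in chunks if not c["crc_ok"]]
    w, h, depth, colour = struct.unpack(">IIBB", next(c["body"] for c in chunks if c["type"] == b"IHDR")[:10])
    expected = h * (1 + (w * CHANNELS[colour] * depth + 7) // 8)  # filter byte + scanline, per row (non-interlaced)
    try:
        raw = zlib.decompress(b"".join(c["body"] for c in chunks if c["type"] == b"IDAT"))
        if len(raw) != expected:
            findings.append(f"inflated IDAT is {len(raw)} bytes, expected {expected}")
    except zlib.error:
        findings.append("IDAT data does not inflate as zlib")
    if trailing:
        findings.append(f"{trailing} bytes after IEND")
    return findings

def make_png(idat_body, trailing=b""):
    """Constructed 1x1 8-bit RGB image whose IDAT carries whatever we hand it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_body) + chunk(b"IEND", b"") + trailing

CLEAN = make_png(zlib.compress(b"\x00\xff\x00\x00"))               # filter byte + one red pixel
PADDED = make_png(zlib.compress(b"\x00\xff\x00\x00" + b"hidden"))  # valid zlib, more data than the image needs
SMUGGLED = make_png(bytes(range(64)), trailing=b"extra")           # constructed opaque blob, bytes after IEND
```

These checks catch a blob dropped into IDAT in place of real image data; a payload hidden inside otherwise valid pixel data inflates normally and needs entropy or pixel-level analysis instead.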
Description last updated: 2024-07-24T12:15:53.607Z