Stealthy Remcos RAT Trojan massively attacks Colombian organizations

Social engineering and phishing once again worked perfectly, deceiving many local employees.

Cybersecurity researchers at Check Point identified a large-scale phishing campaign targeting more than 40 large companies across various sectors of the Colombian economy.

The attackers' goal was to covertly install the Remcos RAT on the computers of the organizations' employees, gaining a foothold for further compromise and the theft of valuable data.

Remcos RAT is a sophisticated, multifunctional remote access tool that gives cybercriminals full control over an infected system, which they can then use for further attacks and for harvesting confidential data. Remcos infections commonly lead to the theft of sensitive information, the installation of additional malware, and account takeover.

The attack described by Check Point always began with a mass mailing of phishing emails impersonating well-known financial institutions and large corporations operating in Colombia. The emails were carefully crafted to appear legitimate and often contained urgent notifications, notices of overdue debts, or attractive offers.

Each phishing email carried an attachment in the form of a seemingly harmless ZIP, RAR, or TGZ archive. The email claimed that the archive contained important documents, invoices, or other information of value to the recipient, all of it designed to persuade the victim to open the attachment.

In fact, these archives contained a heavily obfuscated BAT file that triggered the execution of PowerShell commands. Those commands were likewise heavily obfuscated to hinder analysis and detection by security tools.

Once the PowerShell commands were decoded, two malicious .NET modules were loaded into RAM. The first was responsible for evading detection and prevention mechanisms on the target machine: it disabled or blocked defensive controls, increasing the malware's chances of remaining unnoticed and acting covertly.

The second .NET module loaded an additional component, "LoadPE", which is responsible for running Remcos directly in the device's memory without ever writing a file to disk. This fileless technique makes the malware as hard as possible to detect with traditional security tools that focus on monitoring and scanning files.
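The chain described above (a BAT launcher spawning obfuscated PowerShell that loads .NET code in memory) leaves a recognisable trail in process-creation telemetry even when nothing touches disk. The following Python script is an added example, not code from the Check Point report or from the original article: it scores simplified Sysmon-style process-creation records (the field names, file names and the encoded PowerShell payload are all constructed for illustration) for the launcher pattern, decodes `-EncodedCommand` payloads, and looks for reflective assembly loading in the decoded text.

```python
"""Heuristic detection for a BAT -> encoded PowerShell -> in-memory .NET chain.

Added example. Field names follow a simplified Sysmon Event ID 1 layout and
all sample events below are constructed (assumption, not real telemetry).
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stage-2 command: decodes a blob and reflectively loads it as a
# .NET assembly without writing to disk (generic loader pattern).
STAGE2 = ("$b=[Convert]::FromBase64String($env:PAYLOAD);"
          "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,@())")


def encode_ps(cmd: str) -> str:
    """PowerShell -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\ana\AppData\Local\Temp\Factura_0012.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc " + encode_ps(STAGE2)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy)?p?\s+bypass", re.I)
TEMP_BAT = re.compile(r"\\(?:Temp|Downloads)\\[^\"']*\.bat\b", re.I)
IN_MEMORY_LOAD = re.compile(
    r"Reflection\.Assembly\]::Load\(|FromBase64String|Invoke-Expression|\biex\b", re.I)


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> Finding:
    """Score one process-creation event for the launcher chain."""
    f = Finding()
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmdline = event["CommandLine"]
    if image.endswith("cmd.exe") and TEMP_BAT.search(cmdline):
        f.score += 2
        f.reasons.append("BAT executed from a Temp/Downloads path (archive lure)")
    if image.endswith("powershell.exe") and parent.endswith("cmd.exe"):
        f.score += 1
        f.reasons.append("PowerShell spawned by cmd.exe (BAT launcher)")
    f.decoded = decode_encoded_command(cmdline)
    if f.decoded is not None:
        f.score += 1
        f.reasons.append("encoded command present and decoded")
    if HIDDEN.search(cmdline):
        f.score += 1
        f.reasons.append("hidden window")
    if BYPASS.search(cmdline):
        f.score += 1
        f.reasons.append("execution policy bypass")
    # Inspect the decoded text when available, otherwise the raw command line.
    if IN_MEMORY_LOAD.search(f.decoded if f.decoded is not None else cmdline):
        f.score += 2
        f.reasons.append("in-memory .NET assembly load / base64 staging")
    return f


def verdict(score: int) -> str:
    return "alert" if score >= 4 else "review" if score >= 2 else "ok"


def run_all(events=SAMPLE_EVENTS):
    return [(verdict(analyse(e).score), analyse(e).reasons) for e in events]


if __name__ == "__main__":
    for (v, reasons), e in zip(run_all(), SAMPLE_EVENTS):
        print(f"{v:6} {e['Image'].rsplit(chr(92), 1)[-1]:16} {'; '.join(reasons)}")
```

Decoding the payload before pattern-matching is the important step: the reflective `Assembly]::Load(` call is invisible in the raw command line and only appears once the UTF-16LE base64 is unwrapped. Thresholds are illustrative and should be tuned against your own baseline of legitimate `cmd.exe`/`powershell.exe` usage.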

Once Remcos was running in memory, the infection chain was complete. This powerful remote access tool gives attackers full control over the compromised system and serves as a kind of multitool, offering ample opportunities for data theft, surveillance, password harvesting, and other illegal activity.

Check Point researchers conducted a thorough analysis of the technical aspects of the attack, paying particular attention to the malware's masking techniques and to the deobfuscation steps that revealed the true purpose of the BAT file and the .NET modules.

Uncovering the hidden functionality of these components gave insight into the complexity and sophistication of the attack, which in turn is essential for developing effective countermeasures against such threats and protecting users.

Check Point separately noted that customers of its security products are protected against this threat, and for all other companies and independent researchers it published the relevant indicators of compromise (IoCs).