Microsoft Alerts of Spam Campaigns Spreading the Remcos RAT

In early May 2020 Microsoft warned of a number of malicious spam campaigns spreading the Remcos remote access trojan (RAT). Once deployed, Remcos gives the operator virtually unlimited access to and control over the infected machine. The discovery was reportedly made by the company's machine learning detection models.

Malicious Disk Images Used by Bad Actors

The spam campaigns were, once again, built around emails with themes tied to the ongoing COVID-19 pandemic. The targets were businesses from a range of industries located all over the world. The malicious attachment used in the campaigns was a disk image, either an .iso or an .img file, which current Windows versions mount as a virtual drive when double-clicked. Microsoft pointed out that while this is not the most common way to package malware, it is not unique and has been used before.

Payload Poses as a PDF Document

One bait email published by Microsoft promises US victims disaster grants and loans for struggling businesses. The disk image attached to it contains the payload, the Remcos RAT. Once the image is mounted in Windows and its contents are examined, the victim sees what looks like a PDF file but is really an executable with a swapped icon. Opening the fake document runs that executable and installs Remcos.

Another campaign targeted South Korean businesses with a fake alert from the Center for Disease Control. This time the disk image contains an .scr (screen saver) file posing as a PDF document; .scr files are ordinary Windows executables, and this one is the payload.

A third campaign detected by Microsoft targeted US accountants. Here the bait was a fake COVID-19 update aimed specifically at members of the American Institute of Certified Public Accountants (AICPA). The malicious attachment in this campaign was a zip file containing the .iso disk image, with the malicious .scr file inside it.
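The three lures described above share a delivery pattern: a disk image (.iso/.img) attached directly or nested inside a zip, and a Windows executable (.exe or .scr) dressed up as a PDF inside the image. The following attachment triage script is an added example, not code from Microsoft or from the original article. It parses a constructed .eml message, and for each attachment flags disk-image extensions, ISO 9660 content (the "CD001" signature at offset 0x8001), executable extensions, document-looking double extensions, PE files ("MZ") carrying a non-executable extension, and disk images nested in zip archives. The finding labels, the sample filenames and the sample attachment bytes are all made up for the example.

```python
"""Mail attachment triage for disk-image lures (added example, constructed data)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

DISK_IMAGE_EXTS = {".iso", ".img"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
DOC_LIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ISO_MAGIC_OFFSET = 0x8001          # ISO 9660 primary volume descriptor id
MAX_ZIP_DEPTH = 3                  # do not recurse forever into nested archives


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _inner_ext(name):
    """Extension before the final one: 'grant.pdf.scr' -> '.pdf', 'a.pdf' -> ''."""
    parts = name.lower().rsplit(".", 2)
    return "." + parts[-2] if len(parts) == 3 else ""


def classify_file(name, data, depth=0):
    """Return an ordered list of hypothetical finding labels for one file."""
    data = data or b""
    ext = _ext(name)
    findings = []
    if ext in DISK_IMAGE_EXTS:
        findings.append("disk_image_attachment")      # Windows will mount it on double-click
    if ext in EXECUTABLE_EXTS:
        findings.append("executable_attachment")
    if _inner_ext(name) in DOC_LIKE_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double_extension")           # 'report.pdf.scr' style lure
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        findings.append("pe_with_non_executable_extension")
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        findings.append("iso9660_content")            # content check, independent of name
    if (ext == ".zip" or data[:2] == b"PK") and depth < MAX_ZIP_DEPTH:
        findings.extend(_zip_findings(data, depth + 1))
    return findings


def _zip_findings(data, depth):
    """Look inside a zip without extracting more than the bytes needed for magic checks."""
    out = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(ISO_MAGIC_OFFSET + 5)   # enough to see the ISO signature
                for f in classify_file(info.filename, head, depth):
                    out.append("zip:" + info.filename + ":" + f)
    except zipfile.BadZipFile:
        out.append("corrupt_zip")
    return out


def triage_eml(raw):
    """Map each attachment filename of an RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = classify_file(name, part.get_payload(decode=True))
    return results


def build_sample_eml():
    """Constructed message with a benign PDF, a fake-PDF .scr and a zip-wrapped ISO."""
    iso_bytes = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64   # minimal PVD header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AICPA_COVID-19_update.iso", iso_bytes)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "COVID-19 relief information"
    msg.set_content("Please see the attached documents.")
    for name, data in (
        ("invoice.pdf", b"%PDF-1.7\n%fake benign pdf\n"),
        ("SBA_Disaster_Grant.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60),
        ("AICPA_COVID-19_update.zip", buf.getvalue()),
    ):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_eml(build_sample_eml()).items():
        print(name, "->", findings or "clean")
```

The content checks matter more than the extension checks: renaming an ISO to .img or a PE to .pdf does not change the "CD001" or "MZ" signature, so a gateway rule keyed on the signature survives trivial evasion, while the extension rules catch the case where the image is genuine and the lure is only the filename. Reading just the first bytes of each zip member keeps the check cheap and limits exposure to oversized archives.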

Microsoft believes the campaigns are deliberately kept small in scope in an effort to fly under the radar. There is also concern that the actors behind them are testing the terrain and gearing up for more serious attacks on machines where the Remcos infection succeeded, possibly deploying ransomware at a later point in time.
