216.73.216.67

Remcos RAT Malware Disguised as Major Carrier's Waybill

· Published 01/04/2025 14:47 · Modified 01/04/2025 17:27

Export JSON

Essential information

Published
01/04/2025 14:47
Modified
01/04/2025 17:27
Tags
2025-04-01 autoit email attack javascript obfuscation persistence techniques phishing remcos rat shellcode injection waybill disguise
Related entities
9 techniques (mitre), 1 malware

Description

A sophisticated malware campaign has been discovered, utilizing the disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a configuration file, an encoded Remcos binary, a legitimate loader, and a malicious script. The script employs evasion techniques, establishes persistence, decrypts the Remcos binary, and executes shellcode. The shellcode injects Remcos into a legitimate process (RegSvcs.exe) using various API calls. The , once active, can steal information and execute remote commands based on C2 instructions. The campaign demonstrates the evolving tactics of cybercriminals, emphasizing the need for caution when handling emails from unknown sources.

External references