Remcos RAT spread via hijacked school, small business accounts

Schools and small businesses have had their email accounts breached and used to spread phishing emails delivering the Remcos RAT malware in attack campaigns running since last year, Hackread reports.
Malicious actors have been leveraging the hijacked email accounts to distribute emails carrying LNK shortcut files disguised as archives; opening one stealthily installs Remcos RAT and creates hidden folders on the targeted system, findings from Forcepoint's X-Labs researchers showed. Remcos RAT evades detection not only through path-parsing bypass techniques that let its folders mimic real system directories, but also by creating scheduled tasks and altering Windows' User Account Control settings, according to the report. Its stealth is reinforced by obfuscated PowerShell code embedded in the LNK files, and once running, Remcos RAT enables total device compromise, including password theft, user activity tracking and screenshot capture. Such a threat should prompt increased vigilance toward atypical file paths and shortcuts, as well as folder name changes, researchers said.
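The detection points the researchers name (shortcuts that look like archives, PowerShell hidden inside LNK files, scheduled tasks, UAC changes, look-alike system folders) can be turned into a triage check over the shortcut file itself. The script below is an added example for this article, not code from Forcepoint, Hackread or the Remcos authors. It parses the documented Shell Link binary layout (header, optional ID list and link info, then the UTF-16 string data) and applies heuristics that are my own assumptions about what a suspicious shortcut looks like; the two sample shortcuts are constructed in-memory with a harmless encoded payload (base64 of "ABC"), not real samples from the campaign.

```python
"""Heuristic triage of Windows .lnk shortcuts that pose as archives and launch an interpreter."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # fixed Shell Link CLSID

# LinkFlags bits (offset 0x14 in the header)
FLAG_HAS_ID_LIST, FLAG_HAS_LINK_INFO, FLAG_HAS_NAME, FLAG_HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
FLAG_HAS_WORK_DIR, FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised, without focus

# String data fields, in the order the format stores them
STRING_FIELDS = (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_REL_PATH),
                 ("working_dir", FLAG_HAS_WORK_DIR), ("arguments", FLAG_HAS_ARGS),
                 ("icon_location", FLAG_HAS_ICON))

# Heuristics below are assumptions for this example, not indicators published with the report.
INTERPRETERS = re.compile(r"(?:^|[\\/])(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(?:\.exe)?$", re.I)
ARCHIVE_ICON = re.compile(r"zip|rar|7z|archive|compressed", re.I)
MIMIC_PATH = re.compile(r"\\(Windows|System32|Program Files)[ .]+(?:\\|$)", re.I)  # "Windows " look-alike dirs
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"frombase64string|iex\b|invoke-expression|downloadstring", re.I), "obfuscation or in-memory execution"),
    (re.compile(r"schtasks|register-scheduledtask", re.I), "scheduled-task persistence"),
    (re.compile(r"EnableLUA|ConsentPromptBehaviorAdmin", re.I), "UAC registry tampering"),
    (re.compile(r"attrib\b[^|&;]*\+[hs]", re.I), "hidden/system attribute set on a path"),
]


def parse_lnk(data: bytes) -> dict:
    """Extract the string data and ShowCommand from a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_ID_LIST:          # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINK_INFO:        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    width, encoding = (2, "utf-16-le") if unicode else (1, "cp1252")
    info = {"show_command": show_command}
    for key, flag in STRING_FIELDS:      # each string: CountCharacters (2 bytes) then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            info[key] = data[pos:pos + count * width].decode(encoding, errors="replace")
            pos += count * width
        else:
            info[key] = ""
    return info


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str,
              show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode Shell Link (constructed test input, no ID list or link info)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, FLAG_HAS_REL_PATH | FLAG_HAS_WORK_DIR | FLAG_HAS_ARGS | FLAG_HAS_ICON | FLAG_IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, show_command)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon_location))
    return bytes(header) + body


def triage_lnk(data: bytes) -> dict:
    """Score a shortcut against the heuristics; two or more findings marks it suspicious."""
    info = parse_lnk(data)
    target = info["relative_path"] or info["name"]
    findings = []
    if INTERPRETERS.search(target):
        findings.append("target is a script interpreter: " + target)
        if ARCHIVE_ICON.search(info["icon_location"]):
            findings.append("archive-style icon on an interpreter shortcut")
    findings += [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(info["arguments"])]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opened minimised and unfocused")
    for field in ("working_dir", "arguments"):
        if MIMIC_PATH.search(info[field]):
            findings.append("system-directory look-alike path (trailing space/dot) in " + field)
    return {"target": target, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed samples: an archive-styled shortcut launching PowerShell (payload is base64 "ABC"), and a real archiver link.
SUSPICIOUS_SAMPLE = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                              "C:\\Windows \\System32", "-NoProfile -WindowStyle Hidden -EncodedCommand QUJD",
                              "%SystemRoot%\\System32\\zipfldr.dll", show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk("..\\..\\Program Files\\7-Zip\\7zFM.exe", "C:\\Program Files\\7-Zip", "",
                          "%ProgramFiles%\\7-Zip\\7zFM.exe")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage_lnk(sample))
```

On a real host you would feed `triage_lnk` the bytes of each `.lnk` found in mail attachments, Downloads or the Startup folder; the archive-icon check only fires when the target is an interpreter, so a genuine 7-Zip shortcut produces no findings.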