In the late summer of 2020, the Bitdefender Active Threat Control team noticed a surge of Remcos malware, with most of the attacks taking place in Colombia. While the malware family has been known for quite a while to cyber-criminals and malware researchers alike, this new campaign captured our attention as it arrived on the victims’ computers via phishing e-mails related to financial services and COVID-19 information.
Malicious use of Remcos dates back to 2017, as this Remote Access Trojan has been largely used by both commercial and advanced threat actors (such as Gorgon or APT33). Unlike previous campaigns, the attack in Colombia leverages several interesting tactics:
- it uses the Coronavirus pandemic to lure victims into opening the spam message and running the initial malware;
- it uses additional payloads hard-coded in images through steganography. The images laced with malware are posted on a popular viral images website to evade blacklists;
- comes with several anti-reverse-engineering tricks to keep antimalware labs busy.
By nature, Remote Access Trojans are major security threats as they allow attackers to gain complete control of the victim’s device and data, including access to sensors such as the webcam or microphone.
User credentials or data stored on the system may land in the wrong hands and used further to gain access to other accounts or to blackmail the victim.