RemcosRAT Malware Is Targeting African Banks
The Malware Distribution Campaign Employs HTML Smuggling Strategies as Well as Typo-Squatting to Spread Its Software.
Remcos is remote access software that allows an operator to control computers from a distance.
Remcos creates a backdoor on the computer, giving the remote user complete access to the machine. The RAT is sold for purposes such as surveillance and penetration testing, but it has also been employed in hacking campaigns.
HP Wolf Security analysts discovered that a growing number of African banks are being targeted by malware distribution operations that use HTML smuggling tactics and typo-squatted domain names to drop remote access trojans (RATs) on their computers.
In Africa, cybercriminals seeking quick financial gains are a growing concern for banks: attacks on financial institutions are becoming more sophisticated, combining several techniques to get past the security controls the banks have in place.
In early 2022, an employee of a West African bank received an email purporting to be from a recruiter from another African bank with information about job opportunities there. The domain used to send the email was typosquatted and does not belong to the legitimate mimicked organization. A WHOIS request reveals the domain was registered in December 2021 and visiting the website returned an HTTP 404 “Not found” response. To make the lure more credible, the threat actor also included a reply-to address of another supposed employee of the recruiting bank.
Searching for other typosquatted domains relating to the mimicked organization revealed two more (Appendix 1) that may be related to the same malware campaign. The second domain displayed a web page about the bank’s employment application process, which was likely copied from the legitimate website.
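The typo-squatted sender domain described above is the first thing a mail gateway or analyst can check. The following added example (not code from the HP Wolf Security report or from this article) flags sender domains that look like a trusted organisation's domain: it folds visually confusable characters, compares edit distance, and catches wrong-TLD and "trusted-name-plus-suffix" variants. The trusted domain `examplebank.com`, the sample sender addresses and the thresholds are all constructed; the registrable-domain helper assumes a plain `name.tld` layout and does not consult a public-suffix list.

```python
"""Flag sender domains that resemble a trusted organisation's domain.

Added example; the trusted domain, the sample senders and the thresholds
are constructed placeholders, not values from the campaign.
"""
import unicodedata

# Constructed: the legitimate domain of the organisation being impersonated.
TRUSTED_DOMAINS = {"examplebank.com"}

# Visually confusable sequences, folded to one canonical form before comparing.
# Multi-character entries are applied first so that "rn" becomes "m" before
# any single-character rule runs.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d",
              "0": "o", "1": "l", "i": "l", "5": "s", "3": "e"}


def canonical(label: str) -> str:
    """Lower-case, NFKC-normalise and fold confusable characters."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Strip subdomains. Assumption: simple 'name.tld' layout, no public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain_or_None).

    verdict is one of 'legitimate', 'lookalike' or 'unrelated'.
    """
    dom = registrable(sender_domain)
    if dom in trusted:
        return "legitimate", dom
    if "." not in dom:
        return "unrelated", None
    name, _tld = dom.rsplit(".", 1)
    for t in trusted:
        tname, _ttld = t.rsplit(".", 1)
        # Same name after homoglyph folding, or same name under a different TLD.
        if canonical(name) == canonical(tname):
            return "lookalike", t
        # One or two character edits of a reasonably long name (examplebanks, exampelbank).
        if len(tname) >= 6 and levenshtein(name, tname) <= 2:
            return "lookalike", t
        # Trusted name embedded in a longer label (examplebank-careers).
        if tname in name:
            return "lookalike", t
    return "unrelated", None


def scan(addresses, trusted=TRUSTED_DOMAINS):
    """Map each sender address to its classification."""
    return {addr: classify(addr.split("@")[-1], trusted) for addr in addresses}


# Constructed sample senders, as they might appear in a mail log.
SAMPLE_SENDERS = [
    "hr@examplebank.com",
    "recruiting@careers.examplebank.com",
    "hr@examp1ebank.com",
    "jobs@exarnplebank.com",
    "hr@examplebank.co",
    "careers@examplebank-careers.com",
    "newsletter@othercorp.org",
]

if __name__ == "__main__":
    for addr, (verdict, match) in scan(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {addr}" + (f"  (mimics {match})" if match else ""))
```

Run as a script, it prints one line per sample sender; in practice the same `classify` call would be applied to the envelope sender and the Reply-To address of inbound mail, since the campaign above used a second bank "employee" address in Reply-To.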
The attack begins with a spear-phishing email sent to a bank employee from a typo-squatted domain that closely resembles the domain of a real organization, generally a rival bank, and progresses to a phishing website.
The email informs the recipient of a lucrative employment opportunity and links to the relevant information on the company's website. After clicking the link, the victim lands on a site containing application instructions.
Because the content of this website is copied from a genuine listing by the mimicked bank, the page looks convincingly authentic.
This practice of sneaking potentially dangerous file types past email security solutions, known as HTML smuggling, is a well-established payload delivery mechanism that has grown more popular in recent years.
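HTML smuggling works by carrying the payload inside an HTML file (typically as a base64 string) and letting JavaScript in the recipient's browser decode it into a Blob and trigger a download, so no executable or archive ever crosses the mail gateway as an attachment. The added example below (not code from the article or from HP) is a small static scanner for HTML attachments that looks for that idiom: the JavaScript calls involved, plus any large base64 literal whose decoded bytes start with an archive or executable magic number. Both HTML inputs are constructed; the "smuggled" literal is just a ZIP magic header followed by filler text, not a real archive.

```python
"""Static scoring of HTML attachments for HTML-smuggling indicators.

Added example with constructed inputs; not from the article or HP.
"""
import base64
import re

# JavaScript idioms used to assemble and drop a file client-side.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "octet_stream": re.compile(r"application/octet-stream"),
}

# Quoted base64 literals long enough to plausibly hold a file.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")

# Magic numbers of file types commonly smuggled this way.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}


def decoded_literal_types(html: str):
    """Decode each large base64 literal and report recognised file types."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        for magic, name in MAGIC.items():
            if data.startswith(magic):
                found.append(name)
    return found


def analyze(html: str) -> dict:
    """Return triggered indicators, embedded file types, a score and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    types = decoded_literal_types(html)
    score = len(hits) + 2 * len(types)
    decodes = "atob" in hits or "blob" in hits
    drops = any(h in hits for h in ("object_url", "ms_save", "download_attr"))
    if decodes and drops:
        verdict = "smuggling-likely"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "embedded_types": types, "score": score, "verdict": verdict}


# Constructed test inputs.  The literal is a ZIP magic header plus filler,
# not a real archive.
PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + b"constructed-not-a-real-archive-" * 6).decode()

SMUGGLING_SAMPLE = f"""<html><body><script>
var b64 = "{PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "application-form.zip";
a.click();
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Job application process</h1>
<p>Submit your CV through the careers portal.</p></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(doc))
```

The scanner is deliberately conservative: decoding alone (`atob`) or a download link alone does not trigger the top verdict, only the combination of client-side decoding with a drop mechanism does, and a recognised file header inside a large literal adds weight. Obfuscated scripts that split the indicator strings will evade it, which is why a gateway would pair this with detonation in a browser sandbox.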
As BleepingComputer reports, the RAT includes a Visual Basic Script (VBS) file that, when double-clicked, creates a new Registry key and executes PowerShell commands that call several Windows API functions.
HP has pointed out that the only way to break the infection chain would be to change the default application for script files from Windows Script Host to Notepad, so that opening the VBS file shows its contents instead of running it.
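The chain just described (a user double-clicks a VBS, the script host writes a Registry key and spawns PowerShell) leaves a distinctive trail in process-creation and registry telemetry. The added example below (not code from the article, BleepingComputer or HP) runs three detection rules over constructed Sysmon-style events: a script host launched from Explorer with a `.vbs` argument, a Run-key write by a script host or PowerShell, and PowerShell spawned by a script host with hidden-window or encoded-command flags, whose encoded command it decodes for the analyst. The event fields, PIDs, paths and the Run key used as the persistence location are all constructed placeholders; the article does not say which key the real script creates, and the encoded command is a harmless `Write-Host`.

```python
"""Rule-based detection of a VBS -> Registry -> PowerShell chain.

Added example over constructed Sysmon-style events; paths, PIDs and the
registry key are placeholders, not indicators from the campaign.
"""
import base64
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|nop(rofile)?|noni(nteractive)?|ep\s+bypass|executionpolicy\s+bypass)",
    re.I,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; decode it or return None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply the three rules; return a list of alert dicts in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev["CommandLine"]
            # Rule 1: user double-clicked a .vbs (Explorer -> script host).
            if img in SCRIPT_HOSTS and parent == "explorer.exe" and cmd.lower().rstrip('"').endswith(".vbs"):
                alerts.append({"severity": "medium", "pid": ev["ProcessId"],
                               "reason": "script host launched from Explorer with .vbs argument"})
            # Rule 3: PowerShell child of a script host, with its flags and decoded command.
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                flags = [m.group(0) for m in HIDDEN_FLAGS.finditer(cmd)]
                alerts.append({"severity": "high", "pid": ev["ProcessId"],
                               "reason": f"powershell spawned by {parent}", "flags": flags,
                               "decoded": decode_encoded_command(cmd)})
        elif ev["EventID"] == 13:  # registry value set
            writer = basename(ev["Image"])
            # Rule 2: Run-key persistence written by a script host or PowerShell.
            if writer in SCRIPT_HOSTS + ("powershell.exe",) and RUN_KEY.search(ev["TargetObject"]):
                alerts.append({"severity": "high", "pid": ev["ProcessId"],
                               "reason": f"Run-key persistence written by {writer}: {ev['TargetObject']}"})
    return alerts


# Constructed encoded command (harmless) and constructed event stream.
ENC = base64.b64encode("Write-Host 'constructed sample command'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    {"EventID": 1, "Image": EXPLORER, "ParentImage": r"C:\Windows\System32\userinit.exe",
     "ProcessId": 1200, "ParentProcessId": 900, "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": WS, "ParentImage": EXPLORER, "ProcessId": 4412, "ParentProcessId": 1200,
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Job_Application.vbs"'},
    {"EventID": 13, "Image": WS, "ProcessId": 4412,
     "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\updater.vbs"},
    {"EventID": 1, "Image": PS, "ParentImage": WS, "ProcessId": 4480, "ParentProcessId": 4412,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENC},
    # Benign: an admin running PowerShell interactively from Explorer.
    {"EventID": 1, "Image": PS, "ParentImage": EXPLORER, "ProcessId": 5000, "ParentProcessId": 1200,
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a)
```

The interactive PowerShell launch at the end is included to show that the parent-process condition, not the mere presence of `powershell.exe`, is what separates the chain from normal administrative use; in a real pipeline the three alerts would be correlated on the shared process id 4412 into one incident.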