Heimdal

Remcos is a commercially sold remote access tool that lets an operator control a computer from a distance.
Once installed, Remcos functions as a backdoor, giving the remote operator complete control of the machine. It is marketed for surveillance and penetration testing, but it is widely abused by threat actors, who deploy it as a remote access trojan (RAT) in phishing campaigns such as the one described here.

What Happened?

HP Wolf Security analysts found that a growing number of African banks are being targeted by malware distribution campaigns that combine HTML smuggling with typosquatted domains to deliver remote access trojans (RATs) onto employees' computers.

For banks in Africa, financially motivated cybercriminals are a growing concern: attacks on financial institutions are becoming more sophisticated and chain several techniques together to get past the controls the banks already have in place.

In early 2022, an employee of a West African bank received an email purporting to be from a recruiter from another African bank with information about job opportunities there. The domain used to send the email was typosquatted and does not belong to the legitimate mimicked organization. A WHOIS request reveals the domain was registered in December 2021 and visiting the website returned an HTTP 404 “Not found” response. To make the lure more credible, the threat actor also included a reply-to address of another supposed employee of the recruiting bank.

Searching for other typosquatted domains relating to the mimicked organization revealed two more (Appendix 1) that may be related to the same malware campaign. The second domain displayed a web page about the bank’s employment application process, which was likely copied from the legitimate website.

Source

The attack begins with a spear-phishing email sent to a bank employee from a typosquatted domain that closely resembles the domain of a real organization, in this case another bank, and progresses to a phishing website.

The email advertises a lucrative job opening and links to the relevant information on the purported recruiting bank's website. Clicking the link takes the victim to a page with application instructions.

Because the content of that page was copied from a genuine listing on the mimicked bank's website, it looks convincingly authentic.

The payload itself travels as an HTML attachment to the same email. The HTML embeds a base64-encoded ISO image; JavaScript in the page decodes it on the fly in the recipient's browser, wraps the bytes in a Blob, and offers the result for download as a file. The ISO therefore never passes the mail gateway as a recognisable attachment, so filters that block or inspect archive and disk-image attachments do not see it.

This technique, known as HTML smuggling, is a well-established way of sneaking otherwise-blocked file types past email security solutions, and its use as a payload delivery mechanism has grown in recent years.

As BleepingComputer reports, the ISO contains a Visual Basic Script (VBS) file. Windows mounts the downloaded ISO as a virtual drive when the user opens it; double-clicking the VBS inside creates a new registry key and runs PowerShell commands that call several Windows API functions to stage the RAT.
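To make the attachment stage concrete, here is an added triage script (example code, not from the article, HP Wolf Security or BleepingComputer) that does offline what an analyst would do with such an HTML attachment: look for the browser calls a smuggling page needs, carve out the longest base64 literal, decode it, confirm it is an ISO 9660 image by checking the primary volume descriptor, and walk the root directory to list the files inside, flagging anything Windows would run on a double-click. The HTML lure, the minimal ISO image, its volume label and the file names it contains are all constructed here for the demonstration; the real campaign's files are not on this page, and the list of "runnable" extensions is a hypothetical watch list.

```python
"""Triage a suspected HTML-smuggling attachment offline (added example)."""
import base64
import re
import struct
from typing import Optional

SECTOR = 2048  # ISO 9660 logical sector size

# Browser APIs a smuggling page needs to turn an inline string into a
# downloadable file; seeing several of them together is a strong signal.
JS_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download", ".click(")
# Extensions Windows runs on double-click (hypothetical watch list).
RUNNABLE_EXT = (".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".HTA", ".LNK",
                ".EXE", ".DLL", ".CMD", ".BAT")


def find_markers(html: str) -> list:
    return [m for m in JS_MARKERS if m in html]


def carve_base64(html: str, min_len: int = 256) -> Optional[bytes]:
    """Decode the longest base64 literal in the page, or None if there is none."""
    runs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html)
    if not runs:
        return None
    try:
        return base64.b64decode(max(runs, key=len), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def iso_volume_id(data: bytes) -> Optional[str]:
    """Return the volume identifier if `data` looks like an ISO 9660 image."""
    pvd = 16 * SECTOR  # the primary volume descriptor lives in sector 16
    if len(data) < pvd + SECTOR or data[pvd:pvd + 6] != b"\x01CD001":
        return None
    return data[pvd + 40:pvd + 72].decode("ascii", "replace").rstrip()


def iso_root_listing(data: bytes) -> list:
    """Walk the root directory extent and return the file names it holds."""
    pvd = 16 * SECTOR
    root = data[pvd + 156:pvd + 190]  # 34-byte root directory record
    lba = struct.unpack_from("<I", root, 2)[0]    # little-endian half of extent
    size = struct.unpack_from("<I", root, 10)[0]  # little-endian half of length
    names, off, end = [], lba * SECTOR, lba * SECTOR + size
    while off < end and off < len(data):
        rec_len = data[off]
        if rec_len == 0:  # zero padding: records never straddle a sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        name_len = data[off + 32]
        name = data[off + 33:off + 33 + name_len].decode("ascii", "replace")
        if name not in ("\x00", "\x01"):  # skip the "." and ".." entries
            names.append(name.split(";")[0])  # drop the ";1" version suffix
        off += rec_len
    return names


def triage(html: str) -> dict:
    payload = carve_base64(html)
    volume = iso_volume_id(payload) if payload else None
    files = iso_root_listing(payload) if volume else []
    return {
        "markers": find_markers(html),
        "payload_size": len(payload) if payload else 0,
        "iso_volume": volume,
        "files": files,
        "runnable": [f for f in files if f.upper().endswith(RUNNABLE_EXT)],
    }


# --- constructed sample input (not the real lure or ISO) --------------------

def _dir_record(lba: int, size: int, flags: int, name: bytes) -> bytes:
    length = 33 + len(name)
    rec = bytearray(length + length % 2)  # records are padded to even length
    rec[0] = len(rec)
    rec[2:10] = struct.pack("<I", lba) + struct.pack(">I", lba)    # both-endian
    rec[10:18] = struct.pack("<I", size) + struct.pack(">I", size)  # both-endian
    rec[25] = flags
    rec[32] = len(name)
    rec[33:33 + len(name)] = name
    return bytes(rec)


def build_sample_iso() -> bytes:
    """Minimal ISO 9660 image: PVD in sector 16, root directory in sector 18."""
    img = bytearray(19 * SECTOR)
    pvd = 16 * SECTOR
    img[pvd:pvd + 7] = b"\x01CD001\x01"
    img[pvd + 40:pvd + 72] = b"JOB_APPLICATION".ljust(32)
    img[pvd + 156:pvd + 190] = _dir_record(18, SECTOR, 2, b"\x00")
    entries = (_dir_record(18, SECTOR, 2, b"\x00") + _dir_record(18, SECTOR, 2, b"\x01")
               + _dir_record(19, 0, 0, b"JOB_APPLICATION.VBS;1")  # empty placeholder
               + _dir_record(19, 0, 0, b"README.TXT;1"))          # empty placeholder
    img[18 * SECTOR:18 * SECTOR + len(entries)] = entries
    return bytes(img)


def build_sample_html(payload: bytes) -> str:
    """Lure page in the shape the article describes (constructed, not the real one)."""
    b64 = base64.b64encode(payload).decode()
    return (
        "<html><body><p>Opening the application form...</p><script>\n"
        f'var raw = atob("{b64}");\n'
        "var buf = new Uint8Array(raw.length);\n"
        "for (var i = 0; i < raw.length; i++) buf[i] = raw.charCodeAt(i);\n"
        'var blob = new Blob([buf], {type: "application/octet-stream"});\n'
        'var a = document.createElement("a");\n'
        "a.href = URL.createObjectURL(blob);\n"
        'a.download = "Application.iso";\n'
        "a.click();\n</script></body></html>"
    )


if __name__ == "__main__":
    print(triage(build_sample_html(build_sample_iso())))
```

Run without arguments it reports on the constructed sample; for a real attachment call `triage(open(path, encoding="utf-8", errors="replace").read())`. Real lures rarely keep the payload as one clean literal: it is often split into chunks, reversed or XOR-ed before `atob`, so `carve_base64` will miss those variants while `find_markers` still fires. In a gateway rule, the markers combined with any large encoded string are the more robust signal than the literal alone.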

HP notes that a simple way to break this infection chain is to change the default handler for script files from Windows Script Host to Notepad: a double-click then opens the VBS as text, showing what the script actually does, instead of running it. On a default Windows install the .vbs association lives under HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command and points at WScript.exe; the related ProgIDs for .vbe, .js, .jse and .wsf files (VBEFile, JSFile, JSEFile, WSFFile) need the same treatment, or the attacker simply switches extension. Other controls that interrupt the chain earlier are blocking HTML attachments at the gateway and preventing users from mounting downloaded ISO images.


Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
