Remcos Trojan: Analyzing the Attack Chain

Morphisec Labs has detected a new wave of Remcos trojan infection. The theme of the phishing emails is again financial, this time as payment remittances sent from financial institutions. The attacker lures a user to open a malicious Excel file that contains “confidential information” which starts the infection chain.

Morphisec’s analysis has identified several services used for these phishing campaigns. They include Wells Fargo, FIS Global, and ACH Payment notifications. For example:

Figure 1: Email from Wells Fargo’s CEO with a malicious attachment

This infection contains many stages and largely depends on the C2 server, which stores the required files for each stage.

Figure 2: All stages stored in the C2.

The attacker also uses a password-protected .xls file to lower the detection rate. The password is in the phishing email, and as we can see—password protection helps:

Figure 3: The malicious attachment and first stage detection rate

In this blog post, we analyze the full attack chain used by the attacker and explain how each step works.

What is the Remcos Trojan?

Remcos is a commercial remote access trojan (RAT) developed by BreakingSecurity. Remcos has many capabilities, and a free version downloadable directly from BreakingSecurity’s website.

Read More: