Researchers have discovered a new Remcos RAT campaign that uses an AutoIt wrapper to deliver a previously unknown variant featuring new obfuscation and anti-debugging techniques.
Trend Micro uncovered the threat last July after encountering a phishing email that was disguised as an order notification, but actually contained an attachment that delivered the RAT.
“The email includes the malicious attachment using the ACE compressed file format, Purchase order201900512.ace, which has the loader/wrapper Boom.exe,” wrote blog author and Trend Micro malware researcher Aliakbar Zahravi, noting that the executable’s chief purpose is to “achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT on an affected system.”
“After converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers, possibly to evade detection and make it difficult for researchers to reverse,” the blog post continued. Zahravi further noted that the AutoIt loader can detect virtual machine environments and debugger programs, and that the malware bypasses User Account Control using one of two tools, depending on the victim’s version of Windows.
The main payload itself acts similarly to past Remcos versions, which exist as far back as 2016. The malware can collect and exfiltrate system information such as username, computer version and Windows version, and it supports various C2 commands, including managing clipboard data, deleting files, executing remote scripts, downloading files, keylogging, displaying message boxes, opening websites, manipulating registry values and keys, capturing screen images, and more.