Remcos RAT campaign delivers new variant using AutoIt wrapper

Researchers have discovered a new Remcos RAT campaign that uses an AutoIt wrapper to deliver a previously unknown variant featuring new obfuscation and anti-debugging techniques.

Trend Micro uncovered the threat last July after encountering a phishing email that was disguised as an order notification, but actually contained an attachment that delivered the RAT.

"The email includes the malicious attachment using the ACE compressed file format, Purchase order201900512.ace, which has the loader/wrapper Boom.exe," wrote blog author and Trend Micro malware researcher Aliakbar Zahravi, noting that the executable's chief purpose is to "achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT on an affected system."

"After converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers, possibly to evade detection and make it difficult for researchers to reverse," the blog post continued. Zahravi further noted that the AutoIt loader can detect virtual machine environments and debugger programs, and that the malware bypasses User Account Control using one of two tools, depending on the victim's version of Windows.

The main payload itself behaves much like earlier Remcos versions, which date back to 2016. The malware can collect and exfiltrate system information such as username, computer version and Windows version, and it supports various C2 commands, including managing clipboard data, deleting files, executing remote scripts, downloading files, keylogging, displaying message boxes, opening websites, manipulating registry values and keys, capturing screen images, and more.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.