Date: 11/11/2024
Severity: Medium
Summary
A new cyber campaign has been discovered using Remcos RAT (Remote Access Trojan) to exploit victims. The malware is distributed through phishing emails or malicious attachments, allowing attackers to remotely control compromised systems. Once installed, Remcos RAT provides the attacker with full access to the victim's device, enabling them to steal sensitive information, monitor activities, and deploy additional malicious payloads. The campaign targets both individuals and organizations, and is part of a broader trend of using RATs for cyber espionage and data theft.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | https://og1.in/2Rxzb3
URL/Domain | http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
URL/Domain | http://192.3.220.22/hFXELFSwRHRwqbE214.bin
URL/Domain | http://192.3.220.22/430/dllhost.exe
IP Address | 107.173.4.16
Hash (SHA-256) | 4A670E3D4B8481CED88C74458FEC448A0FE40064AB2B1B00A289AB504015E944
Hash (SHA-256) | F99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661
Hash (SHA-256) | 9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE
Hash (SHA-256) | D4D98FDBE306D61986BED62340744554E0A288C5A804ED5C924F66885CBF3514
Hash (SHA-256) | F9B744D0223EFE3C01C94D526881A95523C2F5E457F03774DD1D661944E60852
Hash (SHA-256) | 24A4EBF1DE71F332F38DE69BAF2DA3019A87D45129411AD4F7D3EA48F506119D
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "https://og1.in/2Rxzb3" or url like "https://og1.in/2Rxzb3" or userdomainname like "http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta" or url like "http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta" or userdomainname like "http://192.3.220.22/hFXELFSwRHRwqbE214.bin" or url like "http://192.3.220.22/hFXELFSwRHRwqbE214.bin" or userdomainname like "http://192.3.220.22/430/dllhost.exe" or url like "http://192.3.220.22/430/dllhost.exe" |
Detection Query 2 | dstipaddress IN ("107.173.4.16") or ipaddress IN ("107.173.4.16") or publicipaddress IN ("107.173.4.16") or srcipaddress IN ("107.173.4.16") |
Detection Query 3 | sha256hash IN ("4A670E3D4B8481CED88C74458FEC448A0FE40064AB2B1B00A289AB504015E944","24A4EBF1DE71F332F38DE69BAF2DA3019A87D45129411AD4F7D3EA48F506119D","F9B744D0223EFE3C01C94D526881A95523C2F5E457F03774DD1D661944E60852","9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE","F99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661","D4D98FDBE306D61986BED62340744554E0A288C5A804ED5C924F66885CBF3514") |
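The three detection queries above are field-by-field IOC lookups. The following is an added example, not part of the advisory and not Gurucul's own code: a small Python matcher that applies the same three checks to log records so that the logic can be exercised against sample data before it is loaded into a SIEM. The IOC values are the ones listed on this page; the record field names (userdomainname, url, dstipaddress, sha256hash and so on) mirror the query text, while the sample records themselves and the treatment of the query's "like" as an exact match are assumptions.

```python
"""Apply the advisory's three IOC queries to log records (added example)."""
from typing import Iterable

# IOC values copied from the advisory's IOC list.
IOC_URLS = {
    "https://og1.in/2Rxzb3",
    "http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta",
    "http://192.3.220.22/hFXELFSwRHRwqbE214.bin",
    "http://192.3.220.22/430/dllhost.exe",
}
IOC_IPS = {"107.173.4.16"}
IOC_SHA256 = {
    "4A670E3D4B8481CED88C74458FEC448A0FE40064AB2B1B00A289AB504015E944",
    "F99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661",
    "9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE",
    "D4D98FDBE306D61986BED62340744554E0A288C5A804ED5C924F66885CBF3514",
    "F9B744D0223EFE3C01C94D526881A95523C2F5E457F03774DD1D661944E60852",
    "24A4EBF1DE71F332F38DE69BAF2DA3019A87D45129411AD4F7D3EA48F506119D",
}

# Record fields each query inspects, taken from the query text above.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def match_record(record: dict) -> list[str]:
    """Return the names of the detection queries that fire on one log record."""
    hits = []
    # Query 1: the advisory's "like" is treated here as an exact URL match
    # (assumption); a substring match would widen it to other paths on the host.
    if any(record.get(f) in IOC_URLS for f in URL_FIELDS):
        hits.append("Detection Query 1")
    # Query 2: the C2 address may appear in any of four IP fields.
    if any(record.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("Detection Query 2")
    # Query 3: sensors log SHA-256 in either case, so normalise before lookup.
    if any((record.get(f) or "").upper() in IOC_SHA256 for f in HASH_FIELDS):
        hits.append("Detection Query 3")
    return hits


def scan(records: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Scan records and return (index, queries_fired) for each one that matched."""
    results = []
    for i, rec in enumerate(records):
        fired = match_record(rec)
        if fired:
            results.append((i, fired))
    return results


# Constructed sample records (not real telemetry). Only the second, third and
# fourth should match: one IOC URL, one C2 IP, one lowercase IOC hash.
SAMPLE_RECORDS = [
    {"host": "ws-01", "url": "https://example.com/index.html"},
    {"host": "ws-02", "url": "http://192.3.220.22/430/dllhost.exe"},
    {"host": "ws-03", "dstipaddress": "107.173.4.16"},
    {"host": "ws-04",
     "sha256hash": "f99757c98007da241258ae12ec0fd5083f0475a993ca6309811263aad17d4661"},
    {"host": "ws-05", "srcipaddress": "10.0.0.5", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLE_RECORDS):
        print(SAMPLE_RECORDS[idx]["host"], "->", ", ".join(fired))
```

When wiring the equivalent queries into a production SIEM, the hash comparison is the one to double-check: the advisory lists uppercase hex while many endpoint sensors emit lowercase, so the lookup has to be case-insensitive or the hash query silently misses.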
Reference:
https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims