Date: 12/12/2024
Severity: Medium
Summary
The McAfee Labs post "The Stealthy Stalker: Remcos RAT" covers Remcos Remote Access Trojan (RAT) activity observed by McAfee Labs in Q3 2024. Remcos is typically delivered through phishing emails carrying malicious attachments and gives the operator remote control of the infected host; it is used for espionage, credential and data theft, and manipulation of the compromised system. The post gives a technical analysis of two Remcos RAT variants and their delivery chains, and the indicators below are drawn from that analysis.
Indicators of Compromise (IOC) List
URL/Domain:
https://dealc.me/NLizza
http://91.134.96.177/70/picturewithmegetbacktouse.tIF
https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
http://91.134.96.177/70/RGGFVC.txt
SHA-256 hash:
d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2
085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6
69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f
c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a
c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5
12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a
997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL indicators):
userdomainname like "http://91.134.96.177/70/RGGFVC.txt" or url like "http://91.134.96.177/70/RGGFVC.txt" or userdomainname like "https://dealc.me/NLizza" or url like "https://dealc.me/NLizza" or userdomainname like "http://91.134.96.177/70/picturewithmegetbacktouse.tIF" or url like "http://91.134.96.177/70/picturewithmegetbacktouse.tIF" or userdomainname like "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt" or url like "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt"
Detection Query 2 (SHA-256 indicators):
sha256hash IN ("c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a","c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5","d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2","997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2","12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a","69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f","085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6")
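The two TDIR queries above are exact-string matches: the `like` patterns carry no wildcard, so a request logged as `HTTP://91.134.96.177:80/70/picturewithmegetbacktouse.tif` (upper-case scheme, explicit default port, lower-case extension) would not fire, and an upper-case hex digest would miss the `IN` list on a case-sensitive backend. The following is an added example, not Gurucul's query engine and not McAfee's code, that sweeps the same URL and SHA-256 indicators over newline-delimited JSON proxy and EDR records with canonicalisation applied first. The log schema (`url`, `sha256`, `endpoint`, `user` fields), the sample lines and the choice to ignore host-only hits on `raw.githubusercontent.com` are assumptions made for the illustration.

```python
# Added example: sweep proxy/EDR logs for the Remcos RAT IOCs listed on this page.
# Log schema and sample lines are constructed for illustration, not real telemetry.
import json
from urllib.parse import urlsplit

# URL and SHA-256 indicators, copied from the IOC list above.
IOC_URLS = {
    "https://dealc.me/NLizza",
    "http://91.134.96.177/70/picturewithmegetbacktouse.tIF",
    "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt",
    "http://91.134.96.177/70/RGGFVC.txt",
}
IOC_SHA256 = {
    "d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2",
    "085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6",
    "69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f",
    "c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a",
    "c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5",
    "12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a",
    "997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2",
}
# Analyst assumption: a request to this host alone is not a signal (shared
# infrastructure behind countless legitimate downloads). The bare IP and
# dealc.me are treated as indicators in their own right.
SHARED_HOSTS = {"raw.githubusercontent.com"}


def canon_url(url):
    """Canonical form for comparison: lower-case scheme and host, drop a default
    port and the fragment, case-fold the path so the page's '.tIF' URL also
    matches a '.tif' or '.TIF' fetch of the same file."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    if p.port and p.port not in (80, 443):
        host = f"{host}:{p.port}"
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{path.lower()}{query}"


IOC_URLS_CANON = {canon_url(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).hostname.lower() for u in IOC_URLS} - SHARED_HOSTS


def match_record(rec):
    """Return (kind, indicator) for the strongest IOC hit in one parsed record,
    or None. An exact URL hit outranks a host-only hit on the staging server."""
    url = rec.get("url")
    if url:
        c = canon_url(url)
        if c in IOC_URLS_CANON:
            return ("url", c)
        host = urlsplit(c).hostname
        if host in IOC_HOSTS:
            return ("host", host)
    digest = (rec.get("sha256") or "").lower()
    if digest in IOC_SHA256:
        return ("sha256", digest)
    return None


def scan(lines):
    """Run match_record over newline-delimited JSON; malformed lines are skipped
    rather than aborting the sweep. Returns one dict per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        m = match_record(rec)
        if m:
            hits.append({"line": n, "kind": m[0], "indicator": m[1],
                         "endpoint": rec.get("endpoint"), "user": rec.get("user")})
    return hits


def endpoints_with_hits(hits):
    """Group hit kinds by endpoint: a machine with both a staging URL and a known
    payload hash is a far stronger triage lead than either alone."""
    by_ep = {}
    for h in hits:
        by_ep.setdefault(h["endpoint"], set()).add(h["kind"])
    return by_ep


# Constructed sample: listed URL; same file over port 80 with lower-case extension;
# another path on the staging IP; benign GitHub raw fetch; listed hash in upper-case
# hex; an unrelated hash; one unparseable line.
SAMPLE_LOG = """\
{"src":"proxy","endpoint":"WS-0412","user":"jdoe","url":"http://91.134.96.177/70/RGGFVC.txt"}
{"src":"proxy","endpoint":"WS-0412","user":"jdoe","url":"HTTP://91.134.96.177:80/70/picturewithmegetbacktouse.tif"}
{"src":"proxy","endpoint":"WS-0077","user":"asmith","url":"http://91.134.96.177/70/other.txt"}
{"src":"proxy","endpoint":"WS-0077","user":"asmith","url":"https://raw.githubusercontent.com/example/repo/main/README.md"}
{"src":"edr","endpoint":"WS-0412","user":"jdoe","sha256":"D81847976EA210269BF3C98C5B32D40ED9DAF78DBB1A9CE638AC472E501647D2"}
{"src":"edr","endpoint":"WS-0101","user":"bwong","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
not json at all
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
    print(endpoints_with_hits(scan(SAMPLE_LOG)))
```

On the constructed sample this yields four hits (two exact URLs and a host-only hit on 91.134.96.177 from the proxy, one hash from EDR) and shows WS-0412 with both a URL and a hash hit, which is the endpoint to isolate first. The host-only tier is the noisier one; tune SHARED_HOSTS to your environment before alerting on it.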
Reference:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/