The Stealthy Stalker: Remcos RAT

    Date: 12/12/2024

    Severity: Medium

    Summary

    "The Stealthy Stalker: Remcos RAT" highlights the rising threat of the Remcos Remote Access Trojan (RAT), identified by McAfee Labs in Q3 2024. This malware, commonly delivered via phishing emails and malicious attachments, allows cybercriminals to remotely control infected systems. Remcos RAT is increasingly used for espionage, data theft, and system manipulation, making it a significant concern in cybersecurity. As cyberattacks evolve in sophistication, understanding how Remcos RAT operates and implementing robust security measures is vital to safeguarding sensitive data and systems from this growing threat. The blog offers a technical analysis of two key Remcos RAT variants.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://dealc.me/NLizza

    http://91.134.96.177/70/picturewithmegetbacktouse.tIF

    https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

    http://91.134.96.177/70/RGGFVC.txt

    Hash

    d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2
    
    085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6
    
    69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f
    
    c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a
    
    c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5
    
    12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a
    
    997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://91.134.96.177/70/RGGFVC.txt" or url like "http://91.134.96.177/70/RGGFVC.txt" or userdomainname like "https://dealc.me/NLizza" or url like "https://dealc.me/NLizza" or userdomainname like "http://91.134.96.177/70/picturewithmegetbacktouse.tIF" or url like "http://91.134.96.177/70/picturewithmegetbacktouse.tIF" or userdomainname like "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt" or url like "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt"

    Detection Query 2

    sha256hash IN ("c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a","c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5","d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2","997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2","12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a","69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f","085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6")
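The two queries above are plain equality matches: `like` with no wildcard behaves as an exact compare, so a URL that arrives with a trailing query string or a hash logged in upper case can slip past them. The following script is an added example (not Gurucul's or McAfee's code) that applies the same two rules to a handful of constructed key=value log lines, normalises case before comparing, and first checks that the IOC list copied from this page is well formed. Lower-casing as the normalisation step and the key=value log layout are assumptions for the example.

```python
import re

# IOCs copied verbatim from the advisory above.
IOC_URLS = {
    "https://dealc.me/NLizza",
    "http://91.134.96.177/70/picturewithmegetbacktouse.tIF",
    "https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt",
    "http://91.134.96.177/70/RGGFVC.txt",
}
IOC_SHA256 = {
    "d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2",
    "085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6",
    "69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f",
    "c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a",
    "c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5",
    "12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a",
    "997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2",
}


def iocs_well_formed():
    """Sanity check before loading the list into any tool: every hash must be
    64 hex characters and every URL must carry a scheme. Catches copy/paste
    damage (truncated hash, stray whitespace) in the IOC list."""
    hashes_ok = all(re.fullmatch(r"[0-9a-fA-F]{64}", h) for h in IOC_SHA256)
    urls_ok = all(u.startswith(("http://", "https://")) for u in IOC_URLS)
    return hashes_ok and urls_ok


# Normalised lookup sets. Lower-casing is an assumption of this example: the
# page's queries use `like` with no wildcard, treated here as case-insensitive
# equality; the real SIEM collation may differ.
_URLS_NORM = {u.strip().lower() for u in IOC_URLS}
_HASHES_NORM = {h.strip().lower() for h in IOC_SHA256}

# Constructed log format for the example: space-separated key=value pairs,
# values optionally double-quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line):
    """Parse one key=value log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}


def match_query1(event):
    """Detection Query 1: userdomainname or url equals a known IOC URL."""
    for field in ("userdomainname", "url"):
        value = event.get(field)
        if value and value.strip().lower() in _URLS_NORM:
            return field, value
    return None


def match_query2(event):
    """Detection Query 2: sha256hash is one of the IOC hashes."""
    value = event.get("sha256hash")
    if value and value.strip().lower() in _HASHES_NORM:
        return "sha256hash", value
    return None


def scan(lines):
    """Return (line_index, query_name, field, value) for every hit."""
    hits = []
    for i, line in enumerate(lines):
        event = parse_kv_line(line)
        for name, matcher in (("Detection Query 1", match_query1),
                              ("Detection Query 2", match_query2)):
            m = matcher(event)
            if m:
                hits.append((i, name, m[0], m[1]))
    return hits


# Constructed sample events (hosts, users and timestamps are invented).
SAMPLE_LOGS = [
    'ts=2024-12-12T10:01:00Z host=ws01 user=alice url="https://dealc.me/NLizza" action=allowed',
    'ts=2024-12-12T10:02:00Z host=ws02 user=bob url="https://intranet.example/index.html" action=allowed',
    'ts=2024-12-12T10:03:00Z host=ws03 user=carol url="http://91.134.96.177/70/rggfvc.txt" action=blocked',
    'ts=2024-12-12T10:04:00Z host=ws01 proc=outlook.exe sha256hash=D81847976EA210269BF3C98C5B32D40ED9DAF78DBB1A9CE638AC472E501647D2',
    'ts=2024-12-12T10:05:00Z host=ws04 proc=notepad.exe sha256hash=0000000000000000000000000000000000000000000000000000000000000000',
    # Same IOC path but with a query string appended: exact-match rules miss it.
    'ts=2024-12-12T10:06:00Z host=ws05 user=dave url="http://91.134.96.177/70/RGGFVC.txt?cache=1" action=allowed',
]

if __name__ == "__main__":
    print("IOC list well formed:", iocs_well_formed())
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Lines 0, 2 and 3 of the sample fire (the third only because of the case normalisation, the fourth because the hash is lower-cased before lookup); the last line does not, which is the gap to keep in mind when the queries are deployed as written. If you need to catch variants of the IOC URLs, add an explicit wildcard or prefix rule rather than relying on `like` alone.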

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/


    Tags

    Malware, RAT, Phishing, Data Stealer

