Tuesday, April 16, 2024

Hackers using Weaponized PDF Files to Deliver Remcos RAT


Cybercriminals have launched a sophisticated campaign targeting individuals and organizations across Latin America, utilizing weaponized PDF files to deploy dangerous Remote Access Trojans (RATs) such as Remcos.

This alarming development has raised concerns about cybersecurity preparedness in the region.

Attack Method

The attackers initiate the infection by impersonating Colombian government agencies and sending out PDF documents that falsely accuse recipients of traffic violations or other legal issues.

These documents contain links that, when clicked, prompt the download of a ZIP file.

This file includes a Visual Basic Script (VBS) obfuscated with dead code to evade detection.

The campaign cleverly masquerades as official communication from entities like the COLOMBIANA DE MUNICIPIOS, leveraging the trust in government institutions to deceive victims.

The attackers’ choice of lures indicates a calculated approach to target individuals and potentially organizations that interact with or are part of the Colombian government infrastructure.

Upon execution, the VBS script triggers a PowerShell script that performs two critical actions:

It first retrieves the payload’s address from a legitimate storage service, such as textbin.net, and then downloads it.

It executes the payload from the provided address.

This could include various legitimate services like cdn.discordapp.com, pasteio.com, hidrive.ionos.com, and wtools.io.

According to a recent tweet by ANY.RUN, there’s an ongoing cyber attack campaign in Latin America.

The attackers employ a technique where they coerce users into initiating malware infections.

An ongoing campaign targeting #LATAM: Attackers are forcing users to initiate infections

The #attackers impersonate Colombian government agencies (e.g., COLOMBIANA DE MUNICIPIOS) by sending PDFs, accusing the recipients of traffic violations or other legal issues.

These… pic.twitter.com/t0RcNtJuH3

— ANY.RUN (@anyrun_app) March 14, 2024

RATs Used

This intricate execution chain delivers a RAT as the final payload, and the attackers employ several notorious RATs, including AsyncRAT, NjRAT, and Remcos.

These RATs grant cybercriminals remote control over infected systems, allowing them to steal sensitive information, monitor user actions, and potentially deploy further malware.

The image above illustrates the execution chain of the ongoing LATAM-targeted campaign, showcasing the step-by-step process from the initial PDF lure to the execution of the RAT.

Cybersecurity experts warn that while this campaign focuses on Latin America, similar tactics could be employed against targets in other regions.

Organizations and individuals must remain vigilant, educate themselves on these threats, and employ robust security measures to protect against such sophisticated attacks.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post Hackers using Weaponized PDF Files to Deliver Remcos RAT appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News