Phishing alert: This fake email about a bank payment delivers trojan malware

Researchers detail new attacks using a new version of keylogging and information-stealing Remcos malware.
Written by Danny Palmer, Senior Writer

A highly customisable form of trojan malware has returned and is being distributed via phishing emails claiming that a payment is being made to a bank account.

The Remcos remote access trojan first emerged on underground forums in 2016 and has received a number of updates over the course of the last few years.

Available to crooks for as little as $58, the malware is an information stealer and surveillance tool, using capabilities including keylogging, taking screenshots, and stealing clipboard contents to secretly take usernames and passwords from infected victims.


Now researchers at Fortinet have uncovered a new Remcos campaign. The new variant is titled "2.5.0 Pro", according to hard-coded strings in the malicious code, and the sample was compiled in September, indicating how recent this variant is.

These attacks begin with an attempt to trick the victim into opening a malicious ZIP file under the pretence of payments being made into a bank account. The phishing email uses spoofing to make it look as if it comes from a valid domain.

The .ZIP file contains a file with a .TXT extension which, when opened, runs a PowerShell script that installs the malware onto the victim's Windows machine.

As part of the process, the dropped .EXE file will sleep for 20 seconds in an effort to avoid being discovered before installing itself into a new Windows folder.

Remcos also adds itself to the auto-start group in the system registry to help maintain persistence on the infected victim by automatically starting when the machine is turned on.

When the malware is running, it records all information entered in the web browser, providing information on what websites the user is visiting and what they enter into the site – enabling the attacker to see and steal usernames and passwords.


Not only does this immediately compromise the victim by giving the attacker access to their accounts, but the stolen information could also be exploited in further attacks or sold on dark web forums.

Researchers have detailed the full capabilities of the new version of Remcos, along with its Indicators of Compromise, in their analysis of the malware.
