African Banks Face Constant RemcosRAT Malware Campaigns


Cybersecurity researchers have found a new malware distribution campaign against banks in Africa. The campaign uses phishing emails and fake websites to lure bank employees into downloading a Remote Access Trojan (RAT) called RemcosRAT. Once the victim downloads the Trojan, cybercriminals can gain access to data on bank systems.

Attackers Lure Victims with Fake Job Offers

According to Bleeping Computer, African banks constantly deal with attacks from cyber bandits looking to make a quick buck. This led the banks to step up their cyber defenses and deploy strict gateway security systems. In response, cybercriminals have turned to more sophisticated campaigns to carry out their nefarious activities.

Researchers at HP Wolf Security discovered the RemcosRAT campaign in early 2022. The attacker targeted a West African bank employee using HTML smuggling, which allows malicious email attachments to fly under the network security radar. The employee received an email, apparently from a competitor bank, containing information on employment opportunities.

On closer examination, one can see that it is a phishing email coming from a typo-squatted domain impersonating the rival bank. Researchers said that the attackers go to great lengths to make the email appear convincing.

RemcosRAT Malware Drop

The email contains links to a spoofed website with information about the supposed job. While the website itself does not contain any malicious files, its purpose is to deceive the victim and lead them to download the malware, which is actually hidden as an HTML attachment in the email.

Malicious files usually get blocked at email gateways. Here, the attackers use an increasingly popular technique called HTML smuggling to sneak the files past email defenses. The cybercriminals encode the malicious file inside an HTML file; when the attachment is opened, JavaScript in the page decodes the data and reconstructs the file as a blob.

The HP Wolf Security team had this to say about the technique:

“When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system. This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies. The technique is dangerous because HTML email attachments are not typically blocked at gateways and detecting the encoded malware can be challenging. Using this technique, dangerous file types can be smuggled into an organization and lead to malware infection.”
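Because the payload arrives already encoded inside the HTML, gateway detection has to look at the attachment itself rather than at web traffic. The following heuristic scanner is an added example for illustration (not code from the article, HP Wolf Security, or the campaign); it flags an HTML file that combines a large base64 run with the JavaScript decode-and-download primitives the quote describes. Both sample documents and the dummy payload are constructed.

```python
"""Heuristic scanner for HTML-smuggling indicators in an email attachment.

Added example (not from the article or HP Wolf Security): flags HTML files
that carry a large base64 blob together with the JavaScript calls used to
decode it client-side and trigger a download. Sample inputs are constructed.
"""
import re

# Client-side decode/download primitives that HTML smuggling relies on
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\(", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"createObjectURL\s*\(", re.I),
    "ms_save": re.compile(r"msSaveOrOpenBlob", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A long uninterrupted run of base64 characters is the embedded payload
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_html(html: str, min_blob_len: int = 200) -> dict:
    """Return the indicators found and a verdict for one HTML document."""
    hits = sorted(name for name, rx in JS_INDICATORS.items() if rx.search(html))
    blobs = [len(m.group(0)) for m in BASE64_RUN.finditer(html)]
    largest = max(blobs, default=0)
    # Verdict: an embedded blob plus both a decode step and a delivery step
    decode = {"atob", "blob"} & set(hits)
    deliver = {"object_url", "ms_save", "download_attr"} & set(hits)
    suspicious = largest >= min_blob_len and bool(decode) and bool(deliver)
    return {"indicators": hits, "largest_blob": largest, "suspicious": suspicious}


# Constructed sample: benign careers page with no embedded payload
BENIGN = "<html><body><h1>Careers</h1><p>Apply via our portal.</p></body></html>"

# Constructed sample: the decode-and-download pattern with a dummy payload
SMUGGLED = (
    "<html><body><script>"
    "var p='" + ("QUJD" * 60) + "';"   # dummy base64 (240 chars), not malware
    "var b=new Blob([atob(p)],{type:'application/octet-stream'});"
    "var a=document.createElement('a');a.href=URL.createObjectURL(b);"
    "a.download='offer.iso';a.click();"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(label, scan_html(doc))
```

Thresholds and indicator lists like these produce false positives on legitimate single-page apps that build downloads client-side, so in practice the verdict is better used to route the attachment to sandbox detonation than to block outright.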

RemcosRAT has Wide-ranging Capabilities

Bleeping Computer points out that previous campaigns dating back to 2018 used RemcosRAT malware, which gives us insight into its malicious capabilities. RemcosRAT supports remote command execution, allowing the attacker to run commands on the infected machine. This includes the ability to capture screenshots, log keystrokes, and remotely control the victim’s webcam and microphone.

The attackers could use this to record transaction details and steal priority login credentials. They could also move laterally within the bank’s network, or carry out Business Email Compromise (BEC) attacks. Furthermore, any stolen data can be used for financial extortion.

If this story caught your interest, we recommend checking out our article on Trojan malware.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.