Cybersecurity researchers have found a new malware distribution campaign against banks in Africa. The campaign uses phishing emails and fake websites to lure bank employees into downloading a Remote Access Trojan (RAT) called RemcosRAT. Once the victim downloads the Trojan, cybercriminals can gain access to data on bank systems.
Attackers Lure Victims with Fake Job Offers
According to Bleeping Computer, African Banks constantly deal with attacks from cyber bandits looking to make a quick buck. This led to the banks stepping up their cyber defenses, and deploying strict gateway security systems. In response, cybercriminals have turned to more sophisticated campaigns to carry out their nefarious activities.
Researchers at HP Wolf Security discovered the RemcosRAT campaign in early 2022. The attacker targeted a Western African bank employee using HTML smuggling, which allows malicious email attachments to fly under the network security radar. The employee received an email from a competitor bank containing information on employment opportunities.
On closer examination, one can see that it is a phishing email coming from a typo-squatted domain impersonating the rival bank. Researchers said that the attackers go to great lengths to make the email appear convincing.
RemcosRAT Malware Drop
The email contains links to a spoofed website with information about the supposed job. While the website itself does not contain any malicious files, its purpose is to deceive the victim and lead them to download the malware, which is actually hidden as an HTML attachment in the email.
HP Wolf Security team had this to say about the technique:
“When the user opens the HTML attachment using a web browser, they are prompted to download the file, which is already stored on the local system. This way HTML smuggling bypasses security controls that block malicious website traffic, such as web proxies. The technique is dangerous because HTML email attachments are not typically blocked at gateways and detecting the encoded malware can be challenging. Using this technique, dangerous file types can be smuggled into an organization and lead to malware infection.”
RemcosRAT has Wide-ranging Capabilities
Bleeping Computer points out that previous campaigns dating back to 2018 used RemcosRAT malware. This gives us insights into its malicious capabilities. RemcosRAT supports remote command execution, which allows the attacker to perform functions remotely. This would include the ability to capture screenshots, log keystrokes, and remotely control the victim’s webcam and microphone.
The attackers could use this to record transaction details and steal priority login credentials. They could also move laterally within the bank’s network, or carry out Business Email Compromise (BEC) attacks. Furthermore, any stolen data can be used for financial extortion.
If this story caught your interest, we recommend checking out our article on Trojan malware.