Remcos RAT campaign targets US accounting and tax return preparation firms

Microsoft warns of a new Remcos RAT campaign targeting US accounting and tax return preparation firms ahead of Tax Day.

Ahead of the U.S. Tax Day, Microsoft has observed a new Remcos RAT campaign targeting US accounting and tax return preparation firms. The phishing attacks began in February 2023, the IT giant reported.

Remcos is a legitimate remote monitoring and surveillance software developed by the company BreakingSecurity.

In 2021, CISA added Remcos to the list of top malware strains due to its use in mass phishing attacks using COVID-19 pandemic themes targeting businesses and individuals.

The recent campaign exclusively aims at organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax.

Crooks use lures masquerading as tax documentation sent by a client. The message contains a link that points to a legitimate file hosting site where the cybercriminals have uploaded Windows shortcut (.LNK) files.

Upon clicking on the file, a malicious file is fetched from a domain under the control of the attacker which leads to the installation of the Remcos RAT.

“What we have observed is that the link in the phishing email points to Amazon Web Services click tracking service at awstrack[.]me. The initial link then redirects the target to a ZIP file hosted on legitimate file-sharing service spaces[.]hightail[.]com. The ZIP file contains LNK files that act as Windows shortcuts to other files.” reads the report published by Microsoft. “The LNK files make web requests to actor-controlled domains and IP addresses to download additional malicious files such as MSI files containing DLLs or executables, VBScript files containing PowerShell commands, or deceptive PDFs.”

The attack chain employs MSI files and VBScript files containing PowerShell commands. In some cases, the attackers used the GuLoader downloader to drop the Remcos RAT on the target’s systems.

“Successful delivery of a Remcos payload could provide an attacker the opportunity to take control of the target device to steal information and/or move laterally through the target network.” concludes the report which also includes mitigations to reduce the impact of this threat.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

The Teacher – Most Educational Blog
The Entertainer – Most Entertaining Blog
The Tech Whizz – Best Technical Blog
Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Remcos RAT)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.