SentinelOne security researchers have reported a new phishing campaign targeting companies and institutions in Eastern Europe. Its goal is to deliver the Remcos RAT through DBatLoader while bypassing Windows User Account Control (UAC).
The email appears to come from a trusted sender and carries a tar.lz attachment that is supposed to contain a financial document. In reality the archive holds DBatLoader executables disguised as Microsoft Office, LibreOffice and PDF documents.
When the loader runs, it fetches a second-stage payload from Microsoft OneDrive or Google Drive and creates the fake directory C:\Windows \System32 (note the trailing space after "Windows"), into which three files are copied: easinvoker.exe (a legitimate executable), netutils.dll (malicious) and KDECO.bat (also malicious).
The malware then starts easinvoker.exe, which loads the malicious netutils.dll (DLL hijacking), which in turn runs KDECO.bat. Because the files sit in a directory whose name mimics the real one, Windows does not show the User Account Control (UAC) prompt, and the batch script installs Remcos RAT and adds a registry key so that it starts automatically.
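A defender-side illustration of the chain described above, added here and not taken from SentinelOne or the original post: a small triage script that runs over constructed, Sysmon-like event records and flags the three signals this technique leaves behind (writes into a "mock trusted directory" whose name only matches a real system path once trailing spaces are stripped, a system DLL name such as netutils.dll loaded from outside the real System32, and a Run-key write made by a process living in such a directory). The event shape, the sample paths and the Run value name are assumptions made for the example.

```python
import re

# Real trusted directories, lower-cased, as they appear after normalization.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names Windows ships in System32; loading one from elsewhere is side-loading.
SYSTEM_DLLS = {"netutils.dll"}

# Constructed sample events (not real telemetry) in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Windows \System32\easinvoker.exe"},
    {"event": "FileCreate", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Windows \System32\netutils.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows \System32\easinvoker.exe",
     "target": r"C:\Windows \System32\netutils.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\netutils.dll"},           # benign load
    {"event": "RegistryValueSet", "image": r"C:\Windows \System32\cmd.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

def normalize(path):
    """Lower-case the path and strip trailing whitespace from every component."""
    return "\\".join(part.rstrip() for part in path.split("\\")).lower()

def is_mock_trusted_dir(path):
    """True when the path only looks like a trusted directory after normalization."""
    norm = normalize(path)
    return norm != path.lower() and norm.startswith(TRUSTED_DIRS)

def dirname(path):
    """Directory part of a backslash path, lower-cased, trailing spaces kept."""
    return path.rsplit("\\", 1)[0].lower()

def analyze(events):
    """Return (finding, path) tuples for the signals this chain produces."""
    findings = []
    for ev in events:
        image, target = ev["image"], ev["target"]
        if ev["event"] == "FileCreate" and is_mock_trusted_dir(target):
            findings.append(("mock_trusted_dir_write", target))
        if ev["event"] == "ImageLoad":
            name = target.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_DLLS and dirname(target) not in TRUSTED_DIRS:
                findings.append(("dll_sideload", target))
        if (ev["event"] == "RegistryValueSet" and is_mock_trusted_dir(image)
                and "\\currentversion\\run\\" in target.lower()):
            findings.append(("run_key_from_mock_dir", target))
    return findings

if __name__ == "__main__":
    for kind, path in analyze(SAMPLE_EVENTS):
        print(f"{kind:24} {path}")
```

The normalization step is the important part: comparing raw paths against a string like C:\Windows\System32 misses the mock directory, while comparing after stripping trailing spaces reveals it.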
To avoid security problems of this kind, it is always a good idea to install good antivirus software on your computer.
After many years of professional experience as a 'web developer' at communication agencies and IT companies, I decided to take on the challenge of freelance work. For more than 13 years I have worked steadily with communication agencies, travel agencies and freelancers, both nationally and internationally. Developing software and building applications is a profession that requires great passion, a lot of dedication and maximum precision, as well as plenty of experience. Being a programmer is not enough. It is not something you improvise. You have to understand the client's needs, know the systems, the languages and the market and, in the end… program and make a "virtual" product usable.