Threat Actors Using Adult Games To Launch Remcos RAT Attack

Wajahat Raja

January 31, 2024 - TuxCare expert team

In a recent cyber threat development, the notorious Remcos RAT attack has shifted its focus towards South Korean users, leveraging files shared on the Webhards platform. This unsettling trend involves hackers using a clever ruse – enticing users with cracked software and adult content – to install a malicious script that facilitates the deployment of the dangerous unauthorized remote control access trojan.

Webhards Platform: Unwitting Host of Remcos RAT

Although Webhards has been previously associated with delivering various malware such as njRAT, UDP RAT, and DDoS botnets, the AhnLab Security Emergency Response Center (ASEC) has uncovered a new twist in its modus operandi – the distribution of Remcos RAT. AhnLab’s recent Remcos RAT attack analysis sheds light on this alarming campaign targeting South Korean users.

Understanding Remcos RAT Attack

Remcos RAT, initially marketed as a legitimate remote access tool by the German firm BreakingSecurity, emerged in 2019 and gained prominence in 2020 and 2021 through Covid-themed email campaigns. Although its activity has moderated, averaging 30 samples per day in 2023, Remcos remains a potent threat.

Functionally, Remcos operates as a classic RAT, providing comprehensive remote access to the infected system. This includes access to system menus, the file system, screen recording, screenshot capture, and activity alarm setting. To distinguish target systems, Remcos collects basic information such as OS version, date, time, and rudimentary hardware details.

The Lure: Adult Content and Cracked Games

The hackers behind multifunctional malware capabilities of Remcos RAT employ a cunning strategy by exploiting popular and provocative themes. Adult content or cracked versions of trending games serve as bait to entice users into downloading an infected package. Once the user initiates the downloaded archive by running a Game.exe file, a sequence of VBS scripts is executed, leading to the download of the final payload.

Infiltration Process: Trojan Horse Program

Upon execution, the malicious scripts inject Remcos into a system process known as ServiceModelReg.exe. This seemingly harmless built-in console utility, used only during system installation, becomes an unwitting host for Remcos, allowing the trojan to establish a foothold on the compromised hosts surveillance machine.

Safeguarding Against Remcos RAT: Protective Measures

Understanding how Remcos spreads reveals crucial insights into protecting against this insidious threat. Foremost, avoiding cracked software is not only a malware risk mitigation but also a stance against copyright infringement. Particularly, caution is advised when engaging with websites known for facilitating adult games distribution methods.

Anti-Malware Software: A Proactive Shield

In addition to conscientious cyber security practices, implementing an extra layer of defense through anti-malware software is prudent. A modern and robust antivirus solution can offer protection against a spectrum of malware threats. An exemplary choice is GridinSoft Anti-Malware, known for its exceptional detection system, providing both proactive and reactive defense mechanisms.

Conclusion

The evolving threat actor tactics underscore the importance of continuous vigilance in the digital realm. Remcos RAT’s exploitation of adult games deceptive files and cracked software distribution channels serves as a stark reminder that cybersecurity is a shared responsibility. By adopting a proactive approach, staying informed about emerging threats, and employing reliable protective measures, users can fortify their defenses against evolving cyber risks.

The sources for this piece include articles in The Hacker News and SC Media.

Summary