AhnLab Security Emergency response Center (ASEC) has discovered circumstances of the Remcos remote control malware being distributed through an email disguised as a payslip.
As shown in Figure 1, the identified Remcos RAT was distributed under an email subject that read ‘This is a confirmation document for your payment transfer’, deceiving the readers. The attached compressed cab file contains an EXE file (Remcos RAT) disguised with a PDF file icon as shown in Figure 2.
As shown in Figure 3, Remcos RAT can not only perform keylogging, screenshot capturing, and controlling webcams and microphones according to the threat actor’s commands, but also enable malicious remote control such as extracting the histories and passwords saved to web browsers within the system it is installed in. 
As Remcos RAT is designed for remote control, it does not exhibit any malicious behaviors until commands are received from the threat actor’s server (C2). However, due to the behaviors of the offline keylogger which runs immediately after infection without any command from the C2, it can be detected with sandbox devices.
Figure 4 shows the Remcos RAT’s offline keylogger feature’s functions that run without any command from the C2. Specifically, it uses the SetWindowHookExA API and installs a hook procedure that monitors keyboard input events through the WH_KEYBOARD_LL argument, as shown in Figure 5.
[Detection by MDS]
Figure 6 is the screen that shows the detection of the aforementioned Remcos RAT’s offline keylogger feature in AhnLab MDS sandbox environment. Figure 7 shows that the malicious behavior of hooking keyboard input has been detected.
RAT malware performs key malicious behaviors through the commands of the threat actor. Thus, it is characteristically difficult to be aware of said infections until the threat actor’s commands are run through communications with the server. To prevent security incidents and enable quick response upon breach, security administrators must not only use APT solutions such as MDS but also monitor abnormal behaviors occurring in endpoint environments with products such as EDR.
– 1e378b5dc586175e1b5e5931b8727ae3 (Remcos RAT v3.8.0 Pro)
– Trojan/Win.Generic.R611702 (2023.10.14.00)
AhnLab MDS detects and responds to unknown threats by performing sandbox-based dynamic analysis. For more information about the product, please visit AhnLab Global (https://global.ahnlab.com).