Detections of the Remcos remote access trojan (RAT) have increased recently with threat actors adopting new tactics to deliver this popular commercially available malware. The Remcos RAT is offered under the malware-as-a-service model, where purchasers can use the malware to remotely control infected devices and steal sensitive data.
The Remcos RAT is primarily delivered via phishing emails with malicious attachments, with each of the two main variants delivered using distinct methods. One of the variants is distributed in phishing emails using Microsoft Office open XML attachments that exploit a Microsoft Office memory corruption remote code execution vulnerability (CVE-2027-11882) to execute an embedded script that downloads an intermediate payload that will in turn deliver the Remcos RAT. The vulnerability does not affect newer Office versions, such as Microsoft 365, only older versions prior to Office 2016.
Lures commonly used include fake purchase orders, where the email claims to include purchasing specifications in the attached Excel file. If opened, the spreadsheet is blurred and the user is told the document is protected, and to enable editing to view the file. In the background, the vulnerability is exploited to deliver and execute an HTA file, triggering the processes that lead to the installation of the Remcos RAT. When delivered, the Remocos RAT is injected into a legitimate Windows executable (RegAsm.exe).
The second variant uses a VBS attachment with an obfuscated PowerShell script to download files from a remote server and inject code into RegAsm.exe. Since the final payload is injected into legitimate Windows processes, the malware is often not detected by security solutions. Once installed, persistence is maintained via registry modifications to ensure the malware remains active after a reboot. Lures used to deliver this variant include payment confirmations, with details included in the attached DOCX file.
The highest number of infections have occurred in the United States and India, and there has been a sharp rise in infections in recent months showing that the campaigns are proving effective. A combination of technical measures and security awareness training will help to prevent Remcos RAT infections. Phishing campaigns such as this show why it is important to stay on top of patching and ensure that all systems are kept up to date, and to migrate from software that has reached end-of-life to supported software versions. Endpoint security software is important; however, detection of the Remcos RAT can be difficult since files are not written to the hard drive.
The primary defense is an advanced email security solution. SpamTitan, TitanHQ’s spam filtering service, is an ideal choice as it includes reputation checks, SPF, DKIM, & DMARC, machine-learning algorithms to identify anomalies in emails, and email sandboxing, where attachments are sent for extensive analysis including pattern filtering. In recent tests by VirusBulletin, the engine that powers SpamTitan scored highest out of all 11 tested email security solutions, with a 100% malware and phishing catch rate.
It is important to keep the workforce up to date on the latest security threats and to teach and reinforce security best practices. The SafeTitan security awareness training platform makes this easy for businesses and MSPs, allowing effective security awareness training programs to be created that are tailored to individuals and user roles. The training can be automated to be delivered regularly to employees, as can phishing simulations using the SafeTitan phishing simulator to test the effectiveness of training. Businesses with Microsoft 365 would benefit from the PhishTitan platform. Based on the same engine that powers SpamTitan, PhishTitan helps to protect Microsoft 365 environments from the advanced threats that Microsoft fails to block, add banners to emails from external sources and helps security teams rapidly mitigate phishing threats.