COVID-19 , Cybercrime , Fraud Management & Cybercrime

Malspam Campaigns Attempt to Install Remote Access Trojans

Microsoft: Emails With COVID-19 Themes Targeting US, South Korea
Malspam Campaigns Attempt to Install Remote Access Trojans

Several malicious spam campaigns using COVID-19 as a lure are attempting to install the Remcos remote access Trojan on victims' devices, according to the Microsoft Security Intelligence unit.

See Also: Bank on Seeing More Targeted Attacks on Financial Services

It's not clear if all these malspam campaigns, which are targeting organizations in the U.S. and South Korea, are related. But Microsoft researchers found that all the attacks attempt to install Remcos on victims' devices. This remote access Trojan, or RAT, can give attackers full control over an infected device and enable them to run keyloggers as well as capture screenshots and audio recordings.

Over the past several years, Remcos has sometimes been associated with threat groups attempting business email compromise schemes (see: Nigerian BEC Scammers Use Malware to Up the Ante).

Recent Spam Campaign

Microsoft found that the malspam campaigns mostly started appearing in April, although at least one malicious email is dated from February, which is about the time that many security researchers began finding phishing emails and malicious domains using the spread of COVID-19 as a lure (see: Phishing Campaigns Tied to Coronavirus Persist).

Tanmay Ganacharya, director for security research of Microsoft Threat Protection, told ZDNet it's not clear if the various campaigns were designed to spread other malware, such as ransomware, start a BEC scheme or conduct cyber espionage.

Various Targets

The spam emails usually contain attached disk image files, either ISO or IMG files, that attempt to infect a device with the Remcos RAT if opened, Microsoft says.

In a series of tweets, the Microsoft Security Intelligence describes three of these spam campaigns.

In the first, the attackers sent messages that appeared to come from the U.S. Small Business Administration and were delivered to small businesses that are in need of federal loans due to the COVID-19 pandemic, according to Microsoft. These messages contained a malicious IMG file attachment that also displayed a misleading PDF icon. The attachment contained executables that attempted to install the Remcos RAT.

The second campaign was designed to appear to originate with the U.S. Centers for Disease Control and Prevention's Health Alert Network. The attackers used these spam emails to target manufacturing facilities in South Korea, according to Microsoft. The spoofed CDC emails contained a malicious ISO file attachment, which contained another file that attempted to install Remcos if opened, Microsoft notes.

Spam message that appears to originate with the CDC (Source: Microsoft)

A third campaign targeted accounting firms in the U.S. with spam emails that appeared to originate with the American Institute of CPAs. These messages also contained attached ISO files that, if opened, attempted to install the Remcos RAT.

In the past month, the SBA and its loan programs for small businesses affected by COVID-19 have been spoofed by other fraudsters looking to send out phishing emails or lead victims to misleading domains (see: Latest Phishing Campaigns Spoof Federal Reserve, SBA).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.