Researchers have discovered a new Remcos RAT campaign that uses an AutoIt wrapper to deliver a previously unknown variant featuring new obfuscation and anti-debugging techniques.
Trend Micro uncovered the threat last July after encountering a phishing email that was disguised as an order notification, but actually contained an attachment that delivered the RAT.
“The email includes the malicious attachment using the ACE compressed file format,
Purchase order201900512.ace, which has the loader/wrapper
Boom.exe,” wrote blog author and Trend Micro malware researcher Aliakbar Zahravi, noting that the executable’s chief purpose is to “achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT on an affected system.”
“After converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers, possibly to evade detection and make it difficult for researchers to reverse,” the blog post continued. Zahravi further noted that the AutoIt loader can detect virtual machine environments and debugger programs, and that the malware bypasses User Account Control using one of two tools, depending on the victim’s version of Windows.
