Remcos RAT Masquerading as VeraCrypt Installers Steals Users' Login Credentials

Parkinsond

Dec 6, 2023
A sophisticated malware campaign targeting South Korean users has emerged, distributing the Remcos remote access trojan (RAT) through deceptive installers disguised as legitimate VeraCrypt encryption software.

This ongoing attack campaign primarily focuses on individuals connected to illegal online gambling platforms, delivering malware through web browsers and messaging platforms like Telegram.

Once executed, the fake installers deploy malicious VBS scripts hidden within their resource sections.
These scripts are written to the system’s temporary directory.

The malware then initiates a complex infection chain involving multiple stages of obfuscated VBS and PowerShell scripts, ultimately delivering the Remcos RAT payload.

Remcos RAT is equipped with extensive data theft capabilities including keylogging, screenshot capture, webcam and microphone control, and credential extraction from web browsers.

Infection Chain (8 Stages)

Initial Execution
The fake installer executes and drops malicious VBS scripts from its resource section into the system's temporary directory using randomized filenames.

Scripted Downloader
The malware progresses through five stages of obfuscated VBS and PowerShell scripts.

Obfuscation Techniques
Scripts contain dummy comments, junk data, and files masquerading as JPG images that actually contain Base64-encoded malicious payloads.

Injector Deployment
The chain culminates in a .NET-based injector.

C2 Communication
The injector communicates with attackers via Discord webhooks to receive further instructions or payloads.

Payload & Persistence

Final Payload
Remcos RAT is downloaded, decrypted, and executed.

Process Injection
To maintain persistence and evade detection, the RAT injects itself directly into the legitimate AddInProcess32.exe process.

Capabilities
Once active, the malware performs keylogging, screenshot capture, webcam/microphone recording, and extraction of login credentials from web browsers.

Targeting Indicators
Analysis reveals Korean-language strings in configuration settings and registry keys, confirming the geographic focus of this specific campaign.

Indicators of Compromise (Filenames)

*****usercon.exe
blackusernon.exe
Any VBS/PowerShell script running from %TEMP% with a randomized name.

Recommendations

Verify Software Sources
Only download VeraCrypt from the official website (veracrypt.fr) or its official SourceForge/GitHub repository.

Digital Signature Check
Legitimate VeraCrypt installers are digitally signed by IDRIX. Right-click the installer > Properties > Digital Signatures. If the signature is missing, invalid, or signed by an unknown entity, delete the installer immediately.

Process Monitoring
Inspect running processes for AddInProcess32.exe. If this process is running without a clear parent application (like Microsoft Office add-ins) or is establishing network connections to unknown IPs or Discord CDN URLs, it is likely compromised.

Network Defense
Monitor or restrict network traffic to discord.com and discordapp.com API endpoints if your environment does not require Discord for business operations, as this is the C2 channel for the injector.
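The process-monitoring and network-defense checks above can be turned into host-telemetry triage rules. The following is an added example, not code from the article or from any vendor: it runs three heuristics (random-named VBS/PS1 launched from %TEMP%, AddInProcess32.exe with a non-Office parent, AddInProcess32.exe connecting to Discord domains) over constructed Sysmon-style events. The event field names, the Office parent list and the "randomized name" regex are assumptions for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}  # assumed benign add-in hosts
DISCORD_DOMAINS = ("discord.com", "discordapp.com")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Heuristic for "randomized" names: 8+ chars mixing letters and digits, no separators.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.I)

def script_from_temp(event):
    """Stages 1-2: a script host running a random-named .vbs/.ps1 out of %TEMP%."""
    if event["type"] != "process_create" or ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return False
    for tok in re.findall(r'"[^"]+"|\S+', event.get("cmdline", "")):
        tok = tok.strip('"').lower()
        if tok.endswith((".vbs", ".ps1")) and any(d in tok for d in TEMP_DIRS):
            if RANDOM_NAME.match(ntpath.basename(tok).rsplit(".", 1)[0]):
                return True
    return False

def rogue_addinprocess(event):
    """Injection target: AddInProcess32.exe with no Office parent, or reaching Discord."""
    if ntpath.basename(event["image"]).lower() != "addinprocess32.exe":
        return False
    if event["type"] == "process_create":
        return ntpath.basename(event.get("parent", "")).lower() not in OFFICE_PARENTS
    host = event.get("dest_host", "").lower()
    return event["type"] == "network_connect" and any(
        host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)

def triage(events):
    """Return (rule, event id) pairs for every event matching a heuristic."""
    hits = []
    for e in events:
        if script_from_temp(e):
            hits.append(("temp_script", e["id"]))
        if rogue_addinprocess(e):
            hits.append(("addinprocess32", e["id"]))
    return hits

# Constructed sample telemetry (not real events); installer and dropper names are illustrative.
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\u\Downloads\VeraCrypt Setup.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\k8x2q9zt.vbs"'},
    {"id": 2, "type": "process_create", "image": ADDIN, "parent": r"C:\Users\u\AppData\Local\Temp\x7y1z3qw.exe"},
    {"id": 3, "type": "network_connect", "image": ADDIN, "dest_host": "cdn.discordapp.com"},
    {"id": 4, "type": "process_create", "image": ADDIN, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]
```

`triage(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the Excel-hosted AddInProcess32.exe (event 4) alone; on a real host the events would come from Sysmon or an EDR rather than the embedded list.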

References
Remcos RAT Masquerade as VeraCrypt Installers Steals Users Login Credentials, Cyber Security News.