A recent cyberattack has emerged targeting South Korean users with the Remcos remote access trojan (RAT), disguised as legitimate VeraCrypt installers. The campaign, primarily focused on individuals involved in illegal online gambling, also poses a risk to general users seeking encryption tools. Security experts warn that this ongoing operation employs sophisticated social engineering tactics to trick victims into downloading and executing the malicious software, leading to potential data theft and system compromise.
The threat actors behind this campaign utilize two primary distribution methods to spread the Remcos RAT. One involves fake database lookup programs designed to appear as tools for checking blocklists associated with gambling site accounts. The second method impersonates genuine VeraCrypt utility installers, a widely used encryption application. Both channels have been observed distributing the malware through web browsers and messaging platforms like Telegram, employing filenames such as “*****usercon.exe” and “blackusernon.exe” to deceive unsuspecting users.
Remcos RAT Masquerading as VeraCrypt Installers Steals Users' Login Credentials
Once executed, the deceptive installers deploy malicious VBS scripts hidden within their resource sections, according to ASEC analysts. These scripts are written to the system’s temporary directory with randomized filenames before activation. The malware then initiates a multi-stage infection chain, involving several layers of obfuscated VBS and PowerShell scripts. This complex process ultimately delivers the Remcos RAT payload, granting attackers complete remote control over compromised systems.
The impact of this campaign extends beyond mere unauthorized access. The Remcos RAT is equipped with extensive data theft capabilities. These include keylogging to capture keystrokes, screenshot capture to record user activity, control over webcams and microphones, and the ability to extract credentials stored in web browsers. Victims infected with this malware face significant risks, including the compromise of sensitive personal information, login credentials for various online accounts, and potentially financial data, all of which can be transmitted to the attackers’ command-and-control servers.
Multi-Stage Infection Chain and Payload Delivery
The attack employs a sophisticated eight-stage infection process meticulously designed to evade detection by security software. After the initial dropper executes, the malware progresses through five scripted downloader stages. These stages utilize obfuscated VBS and PowerShell scripts, often featuring misleading file extensions. Intermediate scripts contain dummy comments, junk data, and files that mimic image files, such as JPGs, while actually embedding Base64-encoded malicious payloads.
The infection chain culminates with a .NET-based injector. This component communicates with attackers through Discord webhooks. The injector is responsible for downloading the final Remcos RAT payload from remote servers, decrypting it, and then injecting it directly into the legitimate AddInProcess32.exe process. This injection technique helps the malware maintain persistence on the compromised system, making it harder to remove.
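As a defender-side triage helper for the image-mimicking intermediate files described above (an added example, not code from the ASEC report or from the campaign's tooling), the check below flags a file that carries a JPEG extension but lacks the JPEG header, and a genuine JPEG that has a decodable Base64 blob appended after its end-of-image marker. The 64-character threshold and the three sample files are constructed.

```python
import base64
import binascii
import re
from pathlib import PurePath

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
IMAGE_EXTS = {".jpg", ".jpeg"}
# Base64 alphabet run long enough to be a payload rather than a word (constructed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_base64_runs(data: bytes) -> list[bytes]:
    """Return the long base64 runs in data that actually decode (junk text is skipped)."""
    runs = []
    for match in B64_RUN.finditer(data):
        chunk = match.group(0)
        chunk += b"=" * (-len(chunk) % 4)   # tolerate stripped padding
        try:
            base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
        runs.append(chunk)
    return runs


def triage_image(name: str, data: bytes) -> dict:
    """Classify a file by whether its extension, its magic bytes and its contents agree."""
    claims_image = PurePath(name).suffix.lower() in IMAGE_EXTS
    has_magic = data.startswith(JPEG_SOI)
    # For a genuine JPEG only bytes after the EOI marker are suspicious; for a fake, scan everything.
    eoi = data.rfind(JPEG_EOI)
    region = data[eoi + 2:] if has_magic and eoi != -1 else data
    runs = find_base64_runs(region)
    if claims_image and not has_magic and runs:
        verdict = "fake-image-b64-payload"
    elif claims_image and not has_magic:
        verdict = "extension-mismatch"
    elif has_magic and runs:
        verdict = "jpeg-with-appended-b64"
    else:
        verdict = "no-finding"
    return {"name": name, "claims_image": claims_image, "has_magic": has_magic,
            "b64_runs": len(runs), "verdict": verdict}


# Constructed samples (not real malware): a text file renamed .jpg, a JPEG with a blob appended, a plain JPEG.
CONSTRUCTED_PAYLOAD = base64.b64encode(b"constructed stage payload, not real malware. " * 3)
SAMPLES = {
    "photo1.jpg": b"' dummy comment\r\n" + CONSTRUCTED_PAYLOAD + b"\r\n",
    "photo2.jpg": JPEG_SOI + b"\x00" * 32 + JPEG_EOI + CONSTRUCTED_PAYLOAD,
    "photo3.jpg": JPEG_SOI + b"\x00" * 32 + JPEG_EOI,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage_image(fname, blob))
```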
Notably, security researchers have discovered that certain variants of this malware incorporate Korean-language strings within their configuration settings and registry keys. This linguistic evidence strongly suggests that the campaign is specifically targeted towards Korean-speaking users, indicating a deliberate and localized offensive effort.
The ongoing nature of this attack means that users should remain vigilant. While the immediate focus appears to be on individuals connected to illegal online gambling, the broader implications for anyone downloading encryption tools are clear. Vigilance in verifying software sources and using robust security software can help mitigate the risks posed by such sophisticated malware campaigns. The full extent of the compromised data and the number of affected victims are still being assessed, and further developments are expected as security researchers continue to monitor the situation.