Threat Awareness – Phishing Campaign Uses REMCOS RAT to Exploit Victims

A phishing campaign has been identified by researchers at Fortinet where threat actors are using a new variant of the REMCOS (Remote Control System) remote access trojan (RAT). The phishing emails intend to trick victims into opening a malicious Excel attachment disguised as an order file. Once opened, the document exploits a vulnerability which sets off an infection chain ultimately leading to the delivery of a fileless variant of REMCOS.

The REMCOS RAT is widely used in cybercriminal activities and has unique qualities allowing it to maintain persistence and long-term control over compromised systems while exfiltrating sensitive information back to the threat actor. For a comprehensive overview and list of the indicators of compromise (IOCs), visit Fortinet.

Tips for Staying Safe Against Phishing

• Be Skeptical of Unexpected Requests: Treat any unexpected emails or messages with caution, especially those asking for sensitive information or urgent actions.
• Verify the Source: Always verify the sender’s email address and look for signs of impersonation before clicking links or opening attachments.
• Use Strong Multi-Factor Authentication: Use multi-factor authentication methods (though not exclusively) that are more secure, such as authenticator apps or hardware tokens.
• Educate Yourself and Others: Participate in cybersecurity training and stay informed about the latest phishing tactics. Share this knowledge with your colleagues.
• Practice Phishing Drills: Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as Teach Employees to Avoid Phishing.
• Not Sure, Call: If you are not sure that the source of an email is legitimate, call the supposed sender through previously established phone numbers to confirm the request’s validity.
• Fall for a Phish, Contact Your IT Department: If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do.