EXECUTIVE SUMMARY:
A phishing campaign is actively targeting users in India by disguising malware as a routine GST debit note. The attack delivers a powerful remote access tool called Remcos RAT through a cleverly constructed multi-stage loader, giving attackers deep and persistent control over infected systems. The infection begins when an unsuspecting victim receives a phishing email carrying a malicious archive attachment.
Once extracted, the archive drops a file named "GST Debit Note Apr_26 .com," which turns out to be an executable. The file is both packed and unsigned, and it contains embedded Turkish-language artifacts while disguising itself as a legitimate brick-building game to appear completely harmless. The campaign does not stop at Remcos. Further investigation revealed that similar samples linked to the same infrastructure were also delivering Agent Tesla, Phantom Stealer, Dark Cloud, Red Line Stealer, MassLogger variants, Formbook, XWorm, and Snake keyloggers.
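The lure relies on a filename that reads like a document but carries a directly executable ".com" extension, padded with a space so the extension is easy to overlook. The following is an added example for mail-gateway or triage use, not code from the advisory or the researchers it cites: it opens an attachment archive and flags members whose names combine a document-like stem with an executable extension, whitespace padding before the extension, or a double extension. The extension list, the document keyword heuristic and the in-memory sample archive (modelled on the filename the advisory reports, with inert filler as contents) are assumptions of this example.

```python
"""Flag deceptive executable members inside an e-mail attachment archive.

Added example, not code from the original advisory. The sample archive is
constructed inline; its member name mirrors the one the advisory reports.
"""
import io
import re
import zipfile

# Extensions Windows will run directly (assumed list). A ".com" file is a plain
# executable even though the extension looks like a web domain at a glance.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".hta",
}

# Stems that read like finance documents (assumed heuristic, not from the page).
DOCUMENT_WORDS = re.compile(
    r"(invoice|debit note|credit note|gst|receipt|statement|payment)", re.I
)


def classify_member(name: str) -> list[str]:
    """Return the reasons a member name looks deceptive; empty list means clean."""
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1]          # strip any directory prefix
    if "." not in base:
        return reasons
    stem, ext = base.rsplit(".", 1)
    ext = "." + ext.lower()
    if ext not in EXECUTABLE_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension {ext}")
    # Trailing spaces push the real extension out of narrow filename columns.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before extension")
    if DOCUMENT_WORDS.search(stem):
        reasons.append("document-like name on an executable")
    # Double extension such as "note.pdf.exe".
    inner = stem.rstrip().rsplit(".", 1)
    if len(inner) == 2 and inner[1].lower() in {"pdf", "doc", "docx", "xls", "xlsx"}:
        reasons.append("double extension")
    return reasons


def suspicious_archive_members(archive_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a ZIP attachment to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one lure-named executable and one benign document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Member name modelled on the advisory; contents are inert filler bytes.
        zf.writestr("GST Debit Note Apr_26 .com", b"MZ-placeholder-not-real-code")
        zf.writestr("GST Debit Note Apr_26.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_archive_members(build_sample_archive()).items():
        print(f"QUARANTINE {member!r}: {', '.join(reasons)}")
```

Run against the constructed archive, only the ".com" member is returned, with three reasons; the PDF beside it is untouched. In production the same function runs over the real attachment bytes, and the flagged names are what a gateway quarantines or an analyst pulls for sandboxing.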
This strongly points to a loader-as-a-service model, where the delivery infrastructure stays consistent and only the final payload changes. The sheer breadth of this operation makes it a serious and ongoing threat to businesses and individuals across the region.
THREAT PROFILE:
REFERENCES:
The following reports contain further technical details:
https://labs.k7computing.com/index.php/a-multi-stage-steganographic-loader-campaign-deploying-diverse-payloads-globally/