According to ASEC experts, the phishing emails are sent with the subject ‘This is a confirmation document for your financial transfer’ to deceive the recipients. This is not the first time the software has been used to steal users’ personal information. Microsoft disclosed a similar case in March, in which the Remcos RAT was used to target personnel in accounting and tax preparation firms in the United States.
The email includes a compressed CAB file that executes an EXE file (Remcos RAT) disguised with a PDF file icon. Upon execution, the malware collects screenshots, records keystrokes, and allows threat actors to take control of webcams and microphones. It also harvests browsing history and passwords stored in victims’ web browsers.
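A mail-gateway or triage check for the kind of attachment described above can list the contents of a cabinet file and flag entries that are executables, since a PDF icon does not change the file extension. The following is an added example, not code from ASEC or the original report; the function names, the extension list and the sample file names are assumptions made for illustration, and the sample cabinet is constructed (header and file table only, no compressed data).

```python
import struct

# Extensions that run code when double-clicked on Windows (illustrative, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def list_cab_files(data: bytes) -> list[str]:
    """Return the file names recorded in a cabinet's CFFILE table."""
    if len(data) < 36 or data[:4] != b"MSCF":
        raise ValueError("not a cabinet file")
    (coff_files,) = struct.unpack_from("<I", data, 16)  # offset of first CFFILE
    (c_files,) = struct.unpack_from("<H", data, 28)     # number of CFFILE entries
    names, pos = [], coff_files
    for _ in range(c_files):
        end = data.find(b"\0", pos + 16)                # szName follows 16 fixed bytes
        if pos + 16 > len(data) or end < 0:
            raise ValueError("truncated file table")
        (attribs,) = struct.unpack_from("<H", data, pos + 14)
        codec = "utf-8" if attribs & 0x80 else "latin-1"  # _A_NAME_IS_UTF flag
        names.append(data[pos + 16:end].decode(codec, errors="replace"))
        pos = end + 1
    return names

def suspicious_entries(data: bytes) -> list[str]:
    """Return cabinet entries whose final extension is an executable type."""
    flagged = []
    for name in list_cab_files(data):
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext in EXEC_EXTS:
            flagged.append(name)
    return flagged

def build_sample_cab(names: list[str]) -> bytes:
    """Constructed test input: CFHEADER plus CFFILE entries, no folder data."""
    entries = b"".join(
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode("ascii") + b"\0"
        for n in names
    )
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 36 + len(entries), 0,
                         36, 0, 3, 1, 0, len(names), 0, 0, 0)
    return header + entries

# Constructed sample: file names are invented for this example.
SAMPLE_CAB = build_sample_cab(["Transfer_Confirmation.exe", "readme.txt"])

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_CAB))
```
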