Original Release Date: 5/8/2020
The NJCCIC has observed multiple phishing campaigns, consistent with open-source reporting, in which cyber-criminals exploit the increase in delivery demand due to COVID-19 to distribute the Remcos remote access trojan (RAT). The emails in these campaigns purport to be sent from delivery service companies and inform users of delivery issues, such as problems with package deliveries, signatures needed, or other in-person tasks required, in order to convince their target to download or open the ISO attachment for more information or further action. If opened, the attachment installs the Remcos trojan, which provides full control over the device and the ability to steal data, install other malware, or force the device to join a botnet. The emails in these campaigns may contain spelling and grammatical errors; logos of popular delivery service companies, such as UPS, FedEx, and DHL; or other malicious attachment types (such as IMG, ZIP, ACE, or RAR) containing an executable file using a misleading PDF icon. In addition, Microsoft Security Intelligence reported on Remcos campaigns using similar tactics and techniques, with emails claiming to be sent from the US Small Business Administration (SBA), US Centers for Disease Control (CDC), and the American Institute of CPAs.
The NJCCIC reminds users to remain especially vigilant during this time and exercise caution with COVID-19-themed emails, social media posts, and websites. We also advise users to be cautious with attachments, links, and spoofed domains received from unknown contacts; navigate directly to authentic vendor websites; and keep applications up to date. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication.
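
Mail administrators can screen inbound messages for the attachment types described above. The following Python is an added example, not NJCCIC code: it flags ISO, IMG, ZIP, ACE, and RAR attachments by extension and, for ZIP files, lists any executable members. The executable-extension list, the function names, and the sample message are assumptions constructed for illustration; only ZIP contents are inspected because the standard library cannot open the other formats.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Container types named in the advisory as carriers for the executable.
CONTAINER_EXTS = {".iso", ".img", ".zip", ".ace", ".rar"}
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def _ext(name):
    # Only the final extension matters: "notice.pdf.exe" is an .exe.
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()

def scan_message(raw_bytes):
    """Return a list of (attachment_name, reason) findings for one message."""
    findings = []
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = _ext(name)
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        elif ext in CONTAINER_EXTS:
            findings.append((name, f"container attachment ({ext})"))
        if ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            findings.append((name, f"contains executable: {member}"))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip"))
    return findings

def build_sample():
    """Constructed test message; attachments hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.pdf.exe", b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "delivery@example.com"
    msg["Subject"] = "Package delivery problem"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="shipment.zip")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.ISO")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns three findings: the ZIP container, the executable inside it, and the ISO attachment.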