{"id":22167,"date":"2023-12-06T23:42:07","date_gmt":"2023-12-06T19:42:07","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/remcos-rat-via-discord\/22167\/"},"modified":"2023-12-06T23:42:07","modified_gmt":"2023-12-06T19:42:07","slug":"remcos-rat-via-discord","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/remcos-rat-via-discord\/22167\/","title":{"rendered":"Remcos RAT via Discord"},"content":{"rendered":"<p>Since the beginning of the summer, Kaspersky systems have been recording an increase in detections of Remcos remote-access trojan attacks. The probable reason for this is a wave of malicious emails in which attackers try to convince employees of various companies to click on a link that installs the malware.<\/p>\n<h2>Malicious emails<\/h2>\n<p>The bait that the attackers are using in this mailout isn\u2019t anything extraordinary. They pose as a new client who wants to purchase products or services and needs to clarify some details: the availability or prices of certain merchandise, its compliance with certain criteria, or something similar. What matters is that, in order to clarify the details, the recipient must click the link and read the list of these criteria or requirements. To make their emails more persuasive, cybercriminals often ask how quickly the goods can be delivered or ask about terms for international delivery. Of course, you shouldn\u2019t follow the link \u2014 it doesn\u2019t lead to a list, but to a malicious script.<\/p>\n<p>The attackers store their malicious script in an interesting place. The links have an address that looks like <strong>https:\/\/cdn.discordapp.com\/attachments\/<\/strong>. Discord is a completely legitimate communication platform, which allows users to exchange instant messages, make audio and video calls, and, most importantly, send various files. 
A Discord user can click on any file sent through this application and get a link that makes it available to an external user (this is necessary, for example, to quickly share a file via another messenger). It is these links that look like <strong>https:\/\/cdn.discordapp.com\/attachments\/<\/strong> followed by a set of numbers identifying a specific file.<\/p>\n<p>Discord is actively used by various gaming communities, but it\u2019s sometimes also used by companies to communicate within different teams and departments or even with customers. Therefore, systems that filter malicious content in emails often don\u2019t treat links to files stored on Discord servers as suspicious.<\/p>\n<p>Accordingly, if a recipient of the email decides to follow such a link, they\u2019ll in fact download a malicious JavaScript file that imitates a text file. When the victim opens this file, the malicious script launches PowerShell, which in turn downloads the Remcos RAT to the user\u2019s computer.<\/p>\n<h2>What is Remcos RAT and how dangerous is it?<\/h2>\n<p>Nominally, Remcos RAT \u2014 or Remote Control and Surveillance \u2014 is a program for remote administration, released by the company Breaking Security. But it has long been used by cybercriminals for espionage and for taking control of computers running Windows. For example, in 2020, <a href=\"https:\/\/www.kaspersky.com\/blog\/covid-fake-delivery-service-spam-phishing\/35125\/\" target=\"_blank\" rel=\"noopener nofollow\">we wrote<\/a> about the use of Remcos RAT in malicious mailings that exploited the common delays in deliveries of goods during the coronavirus pandemic.<\/p>\n<p>Remcos RAT collects data about both the victim and their computer, and then serves as a backdoor through which attackers can take complete control of the system. 
Through it, they download and run additional malicious software, collect account data, log user activity, and so on.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To ensure that the Remcos malware doesn\u2019t harm your company, we recommend using reliable security solutions both at the level of the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">mail gateway<\/a> and on all <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">work devices<\/a> that have access to the internet. That way, the malicious emails will be detected before they reach employees\u2019 mailboxes, and even if attackers come up with a new delivery method, our endpoint protection solutions won\u2019t let it be downloaded. 
Kaspersky Endpoint Security detects Remcos RAT as Backdoor.MSIL.Remcos or Backdoor.Win32.Remcos.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals send the Remcos remote-access trojan under the guise of letters from a new client.<\/p>\n","protected":false},"author":2730,"featured_media":22168,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917,1486],"tags":[2095,1799,714,692],"class_list":{"0":"post-22167","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"category-threats","10":"tag-mail","11":"tag-mailings","12":"tag-rat","13":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/remcos-rat-via-discord\/22167\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/remcos-rat-via-discord\/26753\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/remcos-rat-via-discord\/29503\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/remcos-rat-via-discord\/27021\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/remcos-rat-via-discord\/36680\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/remcos-rat-via-discord\/50011\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/remcos-rat-via-discord\/27267\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/remcos-rat-via-discord\/33037\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/remcos-rat-via-discord\/32660\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/rat\/","name":"RAT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me
-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2730"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22167"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22167\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22168"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=22167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}