Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered
March 5, 2025, 3:03 p.m.
Description
This week, the SonicWall threat research team discovered a new update to the Remcos infection chain that improves its stealth by patching AMSI scanning and ETW logging in memory to evade detection. The same loader was previously seen distributing AsyncRAT, but it has since extended its functionality to Remcos RAT and other malware families. Based on our analysis, it appears to be targeting European institutions.
Tags
Date
- Created: March 5, 2025, 2:57 p.m.
- Published: March 5, 2025, 2:57 p.m.
- Modified: March 5, 2025, 3:03 p.m.
Indicators
- 2bd8b2423cae2cdbd1145f4899ebe42762b8a46787a007a14635ece512ca999f
- ef523c286eea072a9afd853f1c09629eaad923d3283865182ff0f75899fb5aa0
- 04fc833b59af93308029d3e87c85e327a1e480508bc78b6a4e46c0cbd65ea8dc
- 9d59b5a0c4dd1b91d41ea6fc2fe70f7cd2ab08064834ce51d0751a2deadc1a9b
- 349be2b4b8180ee12e858a7bf43fdaa9af5fccef0c47c1a1408e7ae7265f338f
- 55e5c8b8cba2ca2f152bf70dde2113f53f3dd42649cae535f55f0362b426e97c
- https://0x0.st/8KuV.ps1