Attackers are attempting to deliver Remcos remote access tool (RAT) payloads to the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration (U.S. SBA).
They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers.
Despite the broken English used within the phishing emails, the malicious actors made sure that the overall layout is as close as possible to the real thing, using the official U.S. SBA logo and footer information, as IBM X-Force Threat Intelligence researchers found.
“The victim is presented with an application number and is urged to complete the application before March 25th,” they say. “In order to do this, victims are requested to sign the attached form and upload it to the SBA website.”
Also, since the attackers’ method of asking for grant information is identical to the process used by the real U.S. SBA, some SMBs might fall for this trick and open the malicious attachment.
Delivering the Remcos RAT
Remcos RAT, the final payload, is delivered via an overly complicated infection chain involving an .IMG file containing an .ISO image that drops a malicious PDF document.
The PDF will then drop and execute a VBS script that downloads and launches the Remcos RAT from a Google CDN after saving it on the victim’s device as Brystbenene6.exe.
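The infection chain above (a disk-image attachment, a PDF that launches a VBS script, and a script host that downloads and runs an executable) is something endpoint telemetry can be checked for. The following is an added example of such a check, not code from the article or from IBM X-Force: it scans constructed process-creation events for a PDF reader that spawns a script host with a .vbs argument which in turn spawns an executable from a user-writable directory. The reader process names, the drop directories, the process IDs and paths in the sample data are all assumptions; the only value taken from the article is the payload filename Brystbenene6.exe.

```python
"""Detection sketch for the PDF -> VBS -> executable dropper chain (added example)."""
import re
from dataclasses import dataclass

# Assumed process names for common PDF readers and Windows script hosts.
PDF_READERS = re.compile(r"(acrord32|acrobat|foxit|sumatrapdf)\.exe$", re.I)
SCRIPT_HOSTS = re.compile(r"(wscript|cscript)\.exe$", re.I)
# Assumed user-writable locations a downloaded payload is likely to be saved in.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData)\\", re.I)
# Disk-image attachment types used as the outer container in the campaign.
CONTAINER_EXT = (".img", ".iso")
# Payload filename reported in the article.
KNOWN_PAYLOAD = "brystbenene6.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


def is_disk_image_attachment(filename: str) -> bool:
    """True for .IMG/.ISO attachments, the outer layer of the described chain."""
    return filename.lower().endswith(CONTAINER_EXT)


def find_dropper_chains(events):
    """Return every PDF reader -> script host (.vbs) -> user-dir executable chain."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    chains = []
    for reader in events:
        if not PDF_READERS.search(reader.image):
            continue
        for host in children.get(reader.pid, []):
            if not (SCRIPT_HOSTS.search(host.image) and ".vbs" in host.cmdline.lower()):
                continue
            for child in children.get(host.pid, []):
                if child.image.lower().endswith(".exe") and USER_WRITABLE.search(child.image):
                    chains.append({
                        "reader_pid": reader.pid,
                        "script": host.cmdline,
                        "payload": child.image,
                        # Extra confidence if the filename matches the reported sample.
                        "known_payload_name": child.image.lower().endswith(KNOWN_PAYLOAD),
                    })
    return chains


# Constructed sample telemetry (hypothetical pids and paths).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
              r'AcroRd32.exe "D:\SBA_Grant_Form.pdf"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\form.vbs"'),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\Brystbenene6.exe",
              "Brystbenene6.exe"),
    # Benign noise: a reader with no script child, and a logon script started by explorer.
    ProcEvent(500, 100, r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
              r'AcroRd32.exe "D:\invoice.pdf"'),
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),
    ProcEvent(700, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for chain in find_dropper_chains(SAMPLE_EVENTS):
        print("dropper chain:", chain)
    print("disk-image attachment:", is_disk_image_attachment("SBA_Application.img"))
```

The parent-child relationship is the durable part of this signal: the payload name and the CDN host change between campaigns, so the check only uses the filename as a confidence boost rather than as the trigger.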
Once Remcos is installed on the target’s computer, the attackers gain full control over the machine, which allows them to steal sensitive information such as user credentials and browser cookies.
The operators behind this campaign can also download, upload, and execute malicious code and VBS scripts, take screenshots, steal the victims’ clipboard contents, use the compromised machines as proxies for other malicious purposes, and automate any of these tasks.
“Currently, there are a large number of companies facing severe financial complications due to the coronavirus outbreak,” the researchers explain.
“It is not uncommon for those businesses to apply for governmental help from the SBA, which makes them especially susceptible to these kinds of malware campaigns.”
Economic stimulus: the perfect bait
This campaign’s timing is well chosen: with the U.S. Government considering economic stimulus checks, small business owners are eagerly waiting for information about loans or other help that could keep them afloat during the pandemic.
A week ago, the FBI’s Internet Crime Complaint Center (IC3) warned of ongoing phishing attacks that use fake government economic stimulus checks as a lure to steal personal information from potential victims.
“Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government,” IC3’s alert said.
“While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money.”
The FBI issued a similar warning about scammers impersonating the Internal Revenue Service (IRS) in 2008 while trying to steal taxpayers’ sensitive information using, again, economic stimulus checks as bait.