African banks heavily targeted in RemcosRAT malware campaigns
(Security News, April 2022)
African banks are increasingly targeted by malware distribution campaigns that employ HTML smuggling tricks and typo-squatted domains to drop remote access trojans.
Cybercriminals interested in quick financial gains are a constant source of trouble for banks in Africa, which have resorted to deploying strict gateway security controls.
The payload. The payload arrives as an HTML attachment to the email message: a base64-encoded ISO archive that is decoded on the fly and offered for download through a JavaScript blob in the browser.
The ISO file contains a Visual Basic Script file, which executes upon double click to create a new Registry key and run PowerShell commands that call various Windows API functions.
After a series of malicious code executions and Windows API abuse, GuLoader is assembled on the system and executed to download and run the RemcosRAT malware.
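The HTML smuggling stage at the start of this chain (a base64 string decoded in the browser and handed over as a Blob download) leaves recognisable traces in the attachment itself. The following triage script is an added example, not code from the article or from HP: it pulls long base64 literals out of an HTML attachment, checks whether the decoded bytes carry the ISO 9660 signature, and notes which download-related browser APIs the page calls. The fixture it tests against is constructed inline and inert (zeros plus the signature), not a sample from the campaign.

```python
import base64
import re
from typing import Dict, List

# Browser APIs an HTML-smuggling page needs to turn an embedded base64 string into a file download.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")
# ISO 9660 primary volume descriptor: the string "CD001" at byte offset 0x8001 (sector 16, plus one byte).
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# A quoted base64 literal long enough to be a file rather than a short token (whitespace allowed for wrapped blobs).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=\s]{64,})["']""")


def extract_payloads(html: str) -> List[bytes]:
    """Decode every long base64 literal found in the HTML; skip strings that are not valid base64."""
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            payloads.append(base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def looks_like_iso(data: bytes) -> bool:
    """True when the decoded bytes carry the ISO 9660 volume descriptor signature at the expected offset."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_html_attachment(html: str) -> Dict[str, object]:
    """Heuristic verdict for one HTML attachment: which smuggling APIs it uses and what it carries."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = extract_payloads(html)
    iso = any(looks_like_iso(p) for p in payloads)
    if apis and iso:
        verdict = "smuggled_iso"
    elif apis and payloads:
        verdict = "suspicious"  # embedded file of some other type; review manually
    else:
        verdict = "clean"
    return {"smuggling_apis": apis, "payload_count": len(payloads), "iso_payload": iso, "verdict": verdict}


def build_sample_html() -> str:
    """Constructed test fixture: an inert ISO-shaped blob embedded the way the article describes."""
    fake_iso = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x01"
    b64 = base64.b64encode(fake_iso).decode()
    return ('<html><script>var d="' + b64 + '";'
            'var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))]);'
            'var u=URL.createObjectURL(b);</script></html>')


if __name__ == "__main__":
    print(triage_html_attachment(build_sample_html()))
```

Run it over HTML attachments quarantined at the mail gateway; a "smuggled_iso" verdict is a strong indicator of this chain, while "suspicious" deserves a manual look since legitimate pages also embed base64 data.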
As HP points out, the only way to break the infection chain would be to set the default application for script files from Windows Script Host to Notepad, which would reveal the real nature of the VBS file.