It looks like we are seeing a few changes to the Remcos RAT install & persistence method. Over the last couple of weeks I have noticed a few tweaks to the persistence & auto start of several Remcos RAT versions. Today it has changed again to try to bypass protections. This all starts with the usual spam email; today’s (or rather last night’s) was a fake invoice in a .iso / .img container. As you can see from the VirusTotal reports, .img containers are generally pretty poorly detected, so are more likely to bypass perimeter defences. Once the …