From a VHDX File to a Remcos RAT (Tue, Jun 16th)

Summary

A malicious ZIP archive was discovered containing a VHDX file. When mounted on modern Windows systems, this VHDX file automatically executes malicious JavaScript. This JavaScript is associated with the Remcos Remote Access Trojan (RAT).

IFF Assessment

FOE

The use of a VHDX disk image inside a ZIP archive is a new distribution method for the Remcos RAT. It shows the threat landscape continuing to evolve and gives defenders a new attack vector to watch for.

Defender Context

Defenders should be vigilant about unexpected archives, and in particular about VHDX files being mounted from them, since this appears to be a novel malware distribution method. Monitoring for Remcos RAT activity and its associated indicators of compromise is essential.
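As an added example (not code from the diary or from the aggregator), a small Python check that flags ZIP members which look like mountable disk images, both by extension and by the 8-byte "vhdxfile" signature that the VHDX format specification places at offset 0 of every image. The archive contents are constructed inline; the extension list and the decision to match by signature are the example's own assumptions.

```python
import io
import zipfile

# Signature at offset 0 of every VHDX image, per the MS-VHDX format
# specification. A member that starts with it is a VHDX image whatever
# its extension claims.
VHDX_SIGNATURE = b"vhdxfile"
# Extensions that Windows mounts as a virtual disk on double-click
# (assumed list for this check).
DISK_IMAGE_EXTENSIONS = (".vhdx", ".vhd", ".iso", ".img")


def find_disk_images(zip_bytes):
    """Return (member_name, reason) for every ZIP member that looks like
    a mountable disk image, matched by extension and/or VHDX signature."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(DISK_IMAGE_EXTENSIONS):
                reasons.append("disk-image extension")
            # Read only the first 8 bytes; never extract the whole member.
            with zf.open(info) as fh:
                head = fh.read(len(VHDX_SIGNATURE))
            if head == VHDX_SIGNATURE:
                reasons.append("VHDX signature at offset 0")
            if reasons:
                findings.append((info.filename, ", ".join(reasons)))
    return findings


def build_sample_zip():
    """Constructed sample archive (not the real sample from the story):
    a benign text file, a VHDX under its own extension, and a VHDX
    renamed to a neutral extension to show why the signature check
    matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "invoice attached\n")
        zf.writestr("invoice.vhdx", VHDX_SIGNATURE + b"\x00" * 64)
        zf.writestr("notes.dat", VHDX_SIGNATURE + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in find_disk_images(build_sample_zip()):
        print(f"{name}: {why}")
```

Running the script on the constructed archive reports invoice.vhdx and notes.dat and leaves readme.txt alone; a mail gateway or sandbox can apply the same check to every inbound ZIP before a user has a chance to mount anything.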
