
Hackers combine Remcos RAT and TargetCompany ransomware in a sophisticated campaign


It seems that cybercriminals have evolved their tactics. Cybersecurity researchers have unearthed a complex and highly coordinated malware campaign that merges the Remcos Remote Access Trojan (RAT) with the TargetCompany ransomware.

This sophisticated attack strategy employs Fully Undetectable (FUD) packers, adding a layer of obfuscation to the malicious payloads and thereby evading conventional security measures, researchers from Trend Micro concluded after analysing telemetry data and external threat intelligence sources.

The attack begins with a well-established technique: exploiting vulnerable SQL servers to establish a foothold and ensure persistence. The attackers, however, showed remarkable adaptability. When existing security solutions thwarted their initial attempts, they pivoted to FUD-wrapped versions of their binaries, relying on the layered obfuscation to ensure the successful execution of the Remcos RAT.

TargetCompany ransomware infection chain utilising Remcos RAT. | Source: Trend Micro

A significant revelation within this campaign is the utilization of Metasploit, specifically Meterpreter. While the attackers behind the TargetCompany ransomware have not typically employed such tools, this instance marks a departure from convention.

This campaign underscores the rise of a technique previously used in other campaigns abusing OneNote, which relied on specific “cmd x PowerShell” loaders. This method, gradually gaining traction, was adopted by TargetCompany ransomware operators in early 2022. The strategy’s evolution highlights the adaptive nature of cybercriminals in their quest for evasive tactics.

Command-and-control communication by TargetCompany ransomware. | Source: Trend Micro

Researchers found distinctions in behaviour across different loaders. While AsyncRAT employs decompression and decryption, loaders associated with Remcos and TargetCompany ransomware employ decompression exclusively, maintaining structural similarities while altering appearances.

A noteworthy differentiation emerges in the handling of the PowerShell file. The loaders linked to Remcos and TargetCompany ransomware exclusively locate the deobfuscated Remcos CMDFile in the SysWOW64 folder, thus highlighting the campaign’s inherent targeting and adaptability.

This discovery not only sheds light on the complexity of modern cyber threats but also emphasises the pressing need for proactive and multi-layered defence mechanisms; FUD packers pose a formidable challenge to conventional security tools, necessitating the adoption of advanced solutions such as AI and machine learning-based file checking and behaviour monitoring.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
