
ISC StormCast for Friday, September 23rd, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
00:00
Script to Install Remcos RAT
Xavier today wrote about a trick that he saw being used to install Remcos RAT, a common remote access tool. The attacker added a byte order mark, FF FE, as the first two bytes, which causes the file to be displayed as UTF-16 in editors and the like. But if you're just executing the file, the byte order mark is ignored, and, well, the file is just interpreted as ASCII or UTF-8. And that way the script then runs just fine.