Cybercriminals Spread Remcos RAT via Excel Phishing Attack
New Phishing Campaign Distributes Fileless Remcos RAT: What You Need to Know
Cybersecurity researchers have recently uncovered a sophisticated phishing campaign that disseminates a new fileless variant of the notorious Remcos RAT (Remote Access Trojan). This alarming development highlights the evolving tactics of cybercriminals looking to exploit unsuspecting users. According to Fortinet FortiGuard Labs researcher Xiaopeng Zhang, the Remcos RAT provides purchasers with a robust suite of features aimed at remote computer control, but it has been misused by threat actors to harvest sensitive information and execute further malicious operations.
Understanding the Phishing Attack
The initial phase of this attack begins with a phishing email that cleverly employs purchase order-themed lures. These emails entice recipients to open a malicious Microsoft Excel attachment, which is designed to exploit a known remote code execution vulnerability (CVE-2017-0199, CVSS score: 7.8) in Microsoft Office. When the Excel document is opened, it invokes a sequence of actions that ultimately lead to the download and execution of a harmful HTML Application (HTA) file from a remote server.
- Phishing Email: Uses purchase order themes to lure victims.
- Excel Attachment: Contains malicious code exploiting Office vulnerability.
- HTA File: Downloads and executes malware from a remote server.
The Mechanics of the Attack
Once the HTA file is executed, it employs multiple layers of JavaScript, Visual Basic Script, and PowerShell code to evade detection. Its primary function is to retrieve and execute a binary file from the same server. This binary subsequently initiates another obfuscated PowerShell program, deploying an array of anti-analysis techniques to hinder detection efforts.
Zhang explains that this fileless variant of Remcos RAT operates by injecting the malware directly into the memory of the current process, thus bypassing traditional file-based detection methods. This allows the malware to harvest a wide range of information and execute commands issued by the attacker via a command-and-control (C2) server.
Capabilities of Remcos RAT
The fileless Remcos RAT is designed to perform various malicious actions, including:
- Harvesting system metadata and sensitive files.
- Executing remote commands and scripts.
- Capturing clipboard content and altering desktop settings.
- Activating the camera and microphone for surveillance.
- Downloading additional malicious payloads.
Broader Trends in Phishing Attacks
This discovery comes on the heels of Wallarm’s findings that threat actors are increasingly abusing Docusign APIs to send fake invoices that appear legitimate. By creating authentic Docusign accounts, attackers can craft tailored invoice templates, impersonating trusted brands and tricking users into signing documents that facilitate fraudulent payment requests.
Moreover, unconventional tactics such as ZIP file concatenation have emerged in phishing campaigns. This method appends multiple ZIP archives into a single file and relies on inconsistencies in how different programs parse such a file: one tool may only read the first archive while another reads the last, allowing attackers to deliver malware undetected.
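One defender-side check for the ZIP concatenation trick described above, added here as an example and not part of the original article: it splits a file at every genuine end-of-central-directory (EOCD) record and reports which entries a front-to-back parser and an end-first parser (Python's `zipfile` searches for the last EOCD) would each see. The sample archive is constructed inline from harmless text files.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature


def eocd_end(data: bytes, off: int) -> int:
    """Offset just past the EOCD record at off (22 fixed bytes + comment)."""
    comment_len = struct.unpack_from("<H", data, off + 20)[0]
    return off + 22 + comment_len


def split_archives(data: bytes) -> list:
    """Split a possibly concatenated ZIP into its member archives.
    An EOCD signature counts as a real boundary only if the file ends there
    or a new local file header starts right after it; this filters signature
    bytes that merely occur inside compressed content."""
    segments, start, pos = [], 0, 0
    while True:
        pos = data.find(EOCD_SIG, pos)
        if pos == -1 or pos + 22 > len(data):
            return segments
        end = eocd_end(data, pos)
        if end == len(data) or data.startswith(LOCAL_SIG, end):
            segments.append(data[start:end])
            start = pos = end
        else:
            pos += 4


def names(blob: bytes) -> list:
    """Entry names as seen by an end-first parser (Python's zipfile)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def analyse(data: bytes) -> dict:
    parts = split_archives(data)
    return {
        "archives": len(parts),                      # >1 means concatenation
        "first_parser_sees": names(parts[0]) if parts else [],
        "last_parser_sees": names(data) if parts else [],
    }


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign archive with a second archive appended to it.
SAMPLE = make_zip({"invoice.txt": b"benign"}) + make_zip({"hidden.txt": b"text"})
```

A result with `archives` greater than one, or where the two parser views disagree, is the signal to quarantine the attachment and inspect every segment rather than trusting a single unpacker's view.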
Conclusion
As cyber threats continue to evolve, staying informed about the latest phishing tactics is crucial for individuals and organizations alike. The emergence of fileless variants like Remcos RAT and the exploitation of legitimate services highlight the need for robust cybersecurity measures and awareness.