Cybersecurity researchers have identified a new phishing campaign leveraging a fileless variant of Remcos RAT malware. This attack capitalizes on known vulnerabilities to remotely control victims’ computers and extract sensitive data.
Attack Overview
• Initial Vector: Phishing email with a purchase order-themed lure.
• Payload: Malicious Microsoft Excel document exploiting a remote code execution flaw (CVE-2017-0199).
Technical Details
• Excel Exploit: Document triggers the download of an HTA file (“cookienetbookinetcahce.hta”) from a remote server.
• HTA File: Encapsulated in layers of JavaScript, Visual Basic Script, and PowerShell code to evade detection.
• Execution: The HTA file retrieves and executes an executable, after which another obfuscated PowerShell program is run.
• Process Hollowing: Final stage involves process hollowing to deploy Remcos RAT directly in memory.
Capabilities of Remcos RAT
• Information Harvesting: System metadata, file access, clipboard content.
• Remote Commands: Execute commands/scripts, manage services, edit Registry.
• Surveillance: Enable camera/microphone, record the screen, alter the wallpaper.
• Disruption: Disable keyboard/mouse input.
Related Threats
• Docusign APIs Abuse: Fake invoices through legitimate Docusign accounts.
• ZIP File Concatenation: Bypassing security tools to distribute remote access trojans.
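ZIP concatenation works because most readers locate a single end-of-central-directory record at the tail of the file and never see members described by an earlier one. The following is an added example, not code from the report: a scanner that counts end-of-central-directory records and compares the member names a standard reader returns against every local file header present in the bytes. The two archives it inspects are constructed in the script itself.

```python
"""Detect concatenated ZIP archives by comparing the reader's view with raw headers.

Added example (not from the report). Sample archives are constructed below.
"""
from __future__ import annotations

import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record


def find_all(data: bytes, sig: bytes) -> list[int]:
    """Offsets of every occurrence of a signature."""
    offsets, i = [], data.find(sig)
    while i != -1:
        offsets.append(i)
        i = data.find(sig, i + 1)
    return offsets


def local_header_names(data: bytes) -> list[str]:
    """Member names from every local file header, regardless of which EOCD owns them."""
    names = []
    for off in find_all(data, LFH_SIG):
        if off + 30 > len(data):
            continue
        name_len, _extra_len = struct.unpack_from("<HH", data, off + 26)
        names.append(data[off + 30: off + 30 + name_len].decode("utf-8", "replace"))
    return names


def analyze_zip(data: bytes) -> dict:
    """Report EOCD count, what zipfile sees, and members it does not see."""
    eocd_offsets = find_all(data, EOCD_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            visible = zf.namelist()
    except zipfile.BadZipFile:
        visible = []
    raw = local_header_names(data)
    hidden = [n for n in raw if n not in visible]
    return {
        "eocd_count": len(eocd_offsets),
        "visible": visible,
        "all_local_headers": raw,
        "hidden": hidden,
        "concatenated": len(eocd_offsets) > 1 or bool(hidden),
    }


def make_zip(name: str, payload: bytes) -> bytes:
    # ZIP_STORED keeps the bytes deterministic so signature scanning cannot
    # collide with compressed data in this constructed sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one ordinary archive and one made of two archives back to back.
BENIGN = make_zip("invoice.txt", b"constructed invoice text")
CONCATENATED = make_zip("readme.txt", b"first archive") + make_zip("report.txt", b"second archive")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("concatenated", CONCATENATED)):
        print(label, analyze_zip(blob))
```

Scanning for local header signatures inside compressed data can produce false positives, so treat a second EOCD record as the strong signal and the hidden-member list as supporting evidence. A gateway that unpacks archives should reject, or at least quarantine, anything where the two views disagree rather than trusting the reader's member list.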
Conclusion: These advanced phishing campaigns underscore the need for heightened cybersecurity measures. Organizations should prioritize employee education on phishing tactics and maintain up-to-date security protocols to mitigate such threats.