Cybersecurity researchers have uncovered a sophisticated phishing campaign deploying a fileless version of the Remcos Remote Access Trojan (RAT), using Microsoft Excel as the entry point to evade traditional security defenses. The attack begins with a phishing email crafted around a purchase order theme, aiming to persuade recipients to open a malicious Excel attachment. This document exploits a known remote code execution vulnerability in Microsoft Office (CVE-2017-0199), enabling attackers to deliver malicious files through seemingly benign documents. The vulnerability, with a CVSS score of 7.8, has been exploited to download an HTML Application (HTA) file, “cookienetbookinetcahce.hta,” which launches using the mshta.exe utility, making the attack harder to detect.
Once the HTA file is executed, it goes through multiple layers of obfuscation involving JavaScript, Visual Basic Script, and PowerShell code. This layered approach serves to hide malicious intent from detection tools and security analysts. The file’s primary function is to retrieve an executable from a remote server, which subsequently runs an additional PowerShell program cloaked with anti-analysis and anti-debugging mechanisms. This program uses advanced techniques like process hollowing to embed the Remcos RAT directly into system memory, bypassing the need for any permanent file on the infected system. By running exclusively in memory, this fileless method makes detection considerably more challenging, as conventional antivirus solutions are more attuned to identifying malicious files saved locally.
The capabilities of Remcos RAT are extensive and provide attackers with robust control over the infected systems. Through a command-and-control (C2) server, the attacker can harvest various types of information from the compromised host, including system metadata and sensitive user data. Furthermore, Remcos can be used to remotely execute commands, harvest files, terminate processes, alter system services, manipulate the Windows Registry, and capture clipboard content. The malware can even enable the infected system’s camera and microphone, record the screen, and disable input devices, granting attackers comprehensive surveillance and control over the target’s environment. This vast array of functions makes Remcos a powerful tool for data theft and cyber-espionage.
This latest development highlights the increasingly sophisticated tactics used by threat actors to bypass traditional security measures. In addition to this campaign, researchers have also noted other phishing schemes exploiting APIs from platforms like DocuSign and unconventional tactics like ZIP file concatenation to slip past defenses and reach users. These campaigns emphasize the need for organizations to adopt advanced security strategies that can detect fileless malware and identify malicious activity patterns. As attackers continue to evolve their approaches, comprehensive cybersecurity measures are essential to protect against these growing threats.