A sophisticated phishing campaign is distributing a fileless variant of Remcos RAT, a commercial remote access tool with extensive capabilities, including system resource management, remote surveillance, network management, and agent control.
The campaign begins with phishing emails impersonating Vietnamese shipping companies that trick recipients into opening attached Word documents under the pretense of viewing updated shipping documents.
Once opened, the Word file automatically downloads a remote RTF template from compromised URLs, setting the infection chain in motion.
The URL redirects through multiple shortening services (hxxps://go-shorty[.]killcod3[.]com/OkkxCrq and hxxps://tnvs[.]de/e4gUVc) before delivering the malicious RTF file (w.doc).
The campaign demonstrates advanced evasion techniques by disguising malicious payloads within shipping documents, targeting organizations unfamiliar with the infection mechanics.
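The lure described above works because a .docx can carry an attachedTemplate relationship whose target is an external URL, which Word fetches when the document is opened. The following Python check is an added example, not code from the article or from Fortinet, that unpacks a .docx and reports any remote template target so such documents can be quarantined at a mail gateway or during triage. The sample document it builds is constructed scaffolding for the self-test, and the URL in it is a placeholder, not one of the campaign's indicators.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespaces used by the relationship part and by settings.xml
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external target that word/settings.xml attaches as a template.

    A .docx is a zip archive. An attachedTemplate relationship in
    settings.xml.rels with TargetMode="External" is what makes Word fetch a
    template (RTF or otherwise) from a URL when the document is opened.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return hits
        root = ET.fromstring(archive.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target", ""))
    return hits


def make_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx containing only the parts the check
    reads. This is test scaffolding, not a real document or the campaign's lure."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    settings = ['<w:settings '
                'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">']
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
        settings.append('<w:attachedTemplate r:id="rId1"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("word/settings.xml", "".join(settings))
        archive.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demonstration only
    sample = make_sample_docx("http://example.invalid/shipping-update.dotm")
    print(find_remote_templates(sample))
```

The same relationship part exists in .dotm and .docm files, so the check applies to those unchanged; a document that legitimately attaches a template from a local path will have TargetMode="External" too, so the scheme of the target (http, https, UNC) is what separates a remote fetch from an ordinary corporate template.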
Exploiting CVE-2017-11882 for Code Execution
The downloaded RTF file contains crafted, malformed equation data that triggers CVE-2017-11882, a known Remote Code Execution vulnerability in Microsoft Equation Editor (EQNEDT32.EXE).
When Word processes the remote template, the embedded shellcode executes automatically, initiating the payload delivery sequence. The vulnerability remains a viable attack vector years after disclosure, highlighting the importance of timely patching.
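Triage of a suspect RTF usually starts with the embedded OLE objects: the object class Word will hand to Equation Editor, whether the object data carries a compound-file header, and whether the file forces the object to update on open. The Python below is an added example written for this article, not Fortinet's or GBHackers' code, that pulls those facts out of the \object groups; the RTF it parses is a constructed stand-in whose object data is just an OLE header and zero bytes, not the campaign's w.doc.

```python
import re
from typing import Dict, Iterator, List

# Compound-file header that every serialised OLE object begins with
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def _object_groups(text: str) -> Iterator[str]:
    """Yield each {\\object ...} group with braces balanced.
    Triage-grade: escaped braces inside the group are not handled."""
    for m in re.finditer(r"\{\\object\b", text):
        depth = 0
        for i in range(m.start(), len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[m.start():i + 1]
                    break


def triage_rtf(rtf: bytes) -> List[Dict]:
    """Describe every embedded object: class name, size of the decoded
    \\objdata blob, whether it has an OLE header, and whether \\objupdate
    (update on open) is set on the group."""
    text = rtf.decode("latin-1")
    findings = []
    for group in _object_groups(text):
        cls = re.search(r"\\\*\\objclass\s+([^\\{}]+)", group)
        data = re.search(r"\\\*\\objdata\s*([0-9a-fA-F\s]*)", group)
        objclass = cls.group(1).strip() if cls else ""
        blob = b""
        if data:
            try:
                blob = bytes.fromhex("".join(data.group(1).split()))
            except ValueError:  # odd-length or non-hex data; treat as empty
                blob = b""
        findings.append({
            "objclass": objclass,
            "objupdate": "\\objupdate" in group,
            "ole_header": blob.startswith(OLE_MAGIC),
            "size": len(blob),
            "equation_editor": objclass.lower().startswith("equation"),
        })
    return findings


def is_suspicious(findings: List[Dict]) -> bool:
    """An Equation Editor object carrying real OLE data is worth a closer look."""
    return any(f["equation_editor"] and f["ole_header"] for f in findings)


# Constructed sample: one Equation.3 object (OLE header plus zero padding)
# and one unrelated Package object. Not an exploit document.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata " + OLE_MAGIC.hex().encode() + b"00" * 24 + rb"}}"
    rb"{\object\objemb{\*\objclass Package}{\*\objdata 0102}}"
    rb"\par Shipping update}"
)

if __name__ == "__main__":
    for f in triage_rtf(SAMPLE_RTF):
        print(f)
    print("suspicious:", is_suspicious(SAMPLE_RTF and triage_rtf(SAMPLE_RTF)))
```

Real samples routinely break the control words up with junk groups and split the hex across lines, so this regex pass is a first look rather than a parser; for production triage, oletools' rtfobj handles the obfuscation and carves the OLE payloads out for further analysis.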

The shellcode downloads and executes a lightly obfuscated VBScript file, which contains Base64-encoded PowerShell code.
This PowerShell script downloads a .NET DLL module disguised as a legitimate system file (Microsoft.Win32.TaskScheduler) and embedded within an image file (optimized_MSI.png).
The .NET module serves dual purposes: persistence through Windows Task Scheduler and loading the Remcos payload into memory.
The .NET module downloads the Remcos agent payload (version 7.0.4 Pro) from hxxps://idliya[.]com and injects it into a newly spawned colorcpl.exe process using process hollowing.
The payload never touches disk, remaining entirely in memory, a technique that evades file-based detection mechanisms. The compromised system executes the malicious scheduled task every minute, ensuring continuous persistence.
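Two artifacts of the chain described above are recoverable even though the final payload stays in memory: the Base64 PowerShell inside the VBScript stage, and the scheduled task that re-runs the loader every minute. The Python below is an added example, not code from the article or from Fortinet, that decodes Base64 runs from a script file (trying UTF-16LE first, the encoding PowerShell's -EncodedCommand expects) and parses an exported Task Scheduler XML to flag triggers with a short repetition interval. The VBScript and task XML it runs against are constructed samples with placeholder content, not the campaign's files.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Tokens common to PowerShell download-and-load stages
PS_MARKERS = ("frombase64string", "downloaddata", "downloadstring",
              "reflection.assembly", "invoke-expression", "iex ")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
VBS_CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')  # "abc" & "def" joins, incl. line continuation
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def decode_embedded_powershell(script_text: str) -> List[str]:
    """Return decoded Base64 blobs that look like PowerShell.
    Chunked VBScript string literals are joined first."""
    joined = VBS_CONCAT.sub("", script_text)
    decoded = []
    for m in B64_RUN.finditer(joined):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if (all(c.isprintable() or c in "\r\n\t" for c in text)
                    and any(k in text.lower() for k in PS_MARKERS)):
                decoded.append(text)
                break
    return decoded


def _seconds(iso_duration: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration such as PT1M to seconds; -1 if unparseable."""
    m = DURATION.match(iso_duration.strip())
    if not m:
        return -1
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def short_interval_tasks(task_xml: str, max_seconds: int = 300) -> List[Dict]:
    """Flag repetition intervals at or under max_seconds and report what each task executes."""
    root = ET.fromstring(task_xml)
    actions = [((e.findtext(TASK_NS + "Command") or "").strip(),
                (e.findtext(TASK_NS + "Arguments") or "").strip())
               for e in root.iter(TASK_NS + "Exec")]
    hits = []
    for interval in root.iter(TASK_NS + "Interval"):
        secs = _seconds(interval.text or "")
        if 0 <= secs <= max_seconds:
            for cmd, args in actions:
                hits.append({"interval_seconds": secs, "command": cmd, "arguments": args})
    return hits


# Constructed samples (placeholder content, not the campaign's files)
SAMPLE_PS = "$b = [Convert]::FromBase64String('QQ=='); Write-Output $b.Length"
_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
SAMPLE_VBS = 'Dim blob\nblob = "' + _B64[:50] + '" & _\n  "' + _B64[50:] + '"\n'
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -enc PLACEHOLDER_BLOB</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(decode_embedded_powershell(SAMPLE_VBS))
    print(short_interval_tasks(SAMPLE_TASK_XML))
```

On a live host the task XML comes from `schtasks /query /tn <name> /xml`; a one-minute interval on a task whose action is powershell.exe with an encoded command is a strong indicator on its own, and the decoded stage then tells you where the next layer is fetched from.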
Remcos Capabilities Across Six Categories
This Remcos variant implements 211 command IDs distributed across six feature categories: System (screen capture, file management, registry editing), Surveillance (keylogging, camera/microphone recording, password recovery), Network (proxy configuration, DNS redirection), Communications (remote chat), Extra (DLL loading, credential clearing), and Remcos management (updates, reconnection).
Although the Remcos payload remains fileless throughout the entire campaign, it can be dumped from the PowerShell process's memory. As shown in Figure 13, the payload is a 32-bit executable (EXE) compiled with Microsoft Visual C++.

Fortinet protects customers through FortiGuard Web Filtering (blocking malicious URLs), FortiMail anti-phishing detection, and FortiGuard Antivirus signatures (XML/Agent.EDC!tr.dldr, MSOffice/CVE_2017_11882.DMP!exploit, W32/Rescoms.B!tr).
Organizations should enforce strict email gateway controls, turn off automatic template downloads in Microsoft Office, and keep current with CVE-2017-11882 patches.
