Headline
Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows
This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to…
This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to infect Windows systems, steal data, and gain remote control. Learn more about its attack methods, evasion tactics, and the potential impact on users.
Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a dangerous phishing campaign distributing a new Remcos RAT (Remote Access Trojan) variant. This powerful malware, sold commercially online, targets Microsoft Windows users and allows threat actors to remotely control infected computers.
Remcos RAT being sold online (Screenshot via Fortinet)
According to Fortinet’s findings, shared with Hackread.com, this campaign was initiated with a deceptive phishing email disguised as an order notification (OLE Excel document). Upon opening the attached malicious Excel document, the CVE-2017-0199 vulnerability is exploited to download and execute an HTML Application (HTA) file.
For your information, CVE-2017-0199 is a Remote Code Execution vulnerability that exploits Microsoft Office and WordPad’s parsing of specially crafted files, allowing the MS Excel program to display the content.
This HTA file, crafted with multiple layers of obfuscation and its code written in different scripts, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, delivers the primary payload.
It then downloads a malicious executable (dllhost.exe) and executes it via a 32-bit PowerShell process to extract and deploy the Remcos RAT. The malware modifies the system registry to automatically launch itself upon system startup to ensure persistence.
Remcos connects to a C&C server and sends a registration packet containing system, user, network, and version information about the infected system, and receives commands for information gathering, file operations, remote execution, keylogging, screen recording, and webcam capture.
This new variant employs multiple persistence mechanisms, including advanced anti-analysis techniques like Vectored Exception Handling. This creates a custom exception handler to intercept/handle execution exceptions preventing debugging techniques like single-stepping.
Since it doesn’t store API names directly, Remcos uses hash values to identify APIs, extracting addresses from the Process Environment Block (PEB) by matching hash values, which makes static analysis more challenging as tools cannot easily identify the functions being called.
It also detects debuggers’ presence by checking debug registers (DR0 to DR7), monitoring API calls commonly used by debuggers, and using the ZwSetInformationThread() API to hide the current thread from debuggers. Furthermore, it uses the ZwQueryInformationProcess() API to detect if a debugger is attached to the process and take evasive actions.
Process hollowing is another technique it uses for evading detection. Researchers found that the malware suspends a newly created legitimate process (Vaccinerende.exe), injects its code into the memory, and then resumes it, making it a persistent threat.
Attack flow and one of the malicious emails used in the attack (Screenshot via Fortinet)
“The malicious code adds a new auto-run item to the system registry to maintain persistence and maintain control of the victim’s device when it is restarted,” researchers noted in their report.
To protect yourself, avoid clicking on links or attachments in emails unless they are legitimate, use security software and antivirus software, keep software updated with the latest patches, and consider Content Disarm and Reconstruction (CDR) service to remove embedded malicious objects from documents before opening them.
- P2Pinfect Botnet Now Targets Servers with Ransomware
- ValleyRAT Hits Chinese Windows Users in Multi-Stage Attack
- Rust-Based Injector Deploys Remcos RAT in Multi-Stage Attack
- SteelFox Malware Posing as Popular Software, Steal Browser Data
- Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer
Related news
More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,
Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said. "Another noteworthy characteristic of this malware is its
The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the
Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…
Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains
By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack met...
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.