Threat actors have recently enhanced the commercially available Remcos remote access tool, transforming it into a more sophisticated malware variant. By enveloping its malicious code in multiple layers of diverse scripting languages—such as JavaScript, VBScript, and PowerShell—these attackers aim to evade detection and maintain full control over Microsoft Windows devices.
Insights from Fortinet researcher Xiaopeng Zhang reveal a new campaign leveraging this advanced version of the Remcos RAT, which exploits a known remote code execution (RCE) vulnerability linked to unpatched Microsoft Office and WordPad applications. The attack typically begins with a phishing email designed to entice users into clicking on an Excel file disguised as a business order. Upon activation, this file exploits the CVE-2017-0199 vulnerability, subsequently downloading the malware payload.
Remcos’ New Version Is Good at Avoiding Analysis
The malware’s code is intricately layered, utilizing various encoding methods such as Base64 and URL encoding, alongside different scripting languages, to shield itself from detection and analysis. Once the executable file, dllhost.exe, is launched, it extracts a series of files into the %AppData% folder, concealing critical data within these files.
From this point, the host executes a heavily obfuscated PowerShell script that runs only in the 32-bit PowerShell process. The malware then deploys self-decryption code hidden beneath a large amount of junk code to further evade scrutiny. This latest iteration of the malicious Remcos RAT employs several sophisticated evasion techniques throughout the attack chain. These include the installation of a vectored exception handler and the inconsistent invocation of system APIs, complicating tracking efforts. Notably, it utilizes a function called “ZwSetInformationThread()” to detect the presence of debuggers.
Zhang elaborates, stating, “The malicious code invokes API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This Windows mechanism can obscure a thread’s existence from debuggers. If a debugger is attached, the process exits immediately upon calling this API.”
Additionally, the malware employs API hooking techniques to further avoid detection. “The malicious code simulates the execution of multiple API instructions initially, then jumps to the API to execute subsequent instructions. If any detection conditions are triggered, the current process (PowerShell.exe) may become unresponsive, crash, or exit unexpectedly,” the report notes.
Once the malware is primed, threat actors download an encrypted file containing the malicious version of Remcos RAT, executing it directly in the current process’s memory, effectively rendering this variant fileless.
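The chain described above (an Office lure spawning a child process, a dllhost.exe that then launches 32-bit PowerShell with an obfuscated command line) leaves a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this article, not code from Fortinet or from any endpoint product. It runs three generic rules over constructed Sysmon-style process-creation records: an Office application spawning a child, a binary named dllhost.exe running outside the Windows system directories, and the WOW64 PowerShell launched with encoded or hidden-window flags. The log format, file paths and rule names are this example's own assumptions.

```python
import ntpath

# Constructed process-creation events: time|parent_image|image|command_line.
# Paths and the short Base64 argument are made up for this example.
SAMPLE_EVENTS = [
    r"10:00:01|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r'"EXCEL.EXE" C:\Users\victim\Downloads\order.xlsx',
    r"10:00:07|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r"C:\Users\victim\Downloads\dllhost.exe|dllhost.exe",
    r"10:00:09|C:\Users\victim\Downloads\dllhost.exe|"
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -ep bypass -e QQBCAEMA",
    r"10:05:00|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe Get-Process",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "wordpad.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Command-line switches commonly paired with obfuscated launches (lower-cased).
SUSPICIOUS_PS_FLAGS = (" -e ", " -enc", " -encodedcommand", " -w hidden", " -nop")


def parse_event(line):
    """Split one pipe-delimited record into a dict (command line may contain '|')."""
    time, parent, image, cmd = line.split("|", 3)
    return {"time": time, "parent_image": parent, "image": image, "command_line": cmd}


def rules_for(ev):
    """Return the names of every rule the event matches."""
    hits = []
    parent = ntpath.basename(ev["parent_image"]).lower()
    image = ev["image"].lower()
    name = ntpath.basename(image)
    cmd = " " + ev["command_line"].lower() + " "

    # Rule 1: Office apps normally do not spawn executables.
    if parent in OFFICE_APPS:
        hits.append("office_spawned_child")
    # Rule 2: a well-known system binary name living outside the system directories.
    if name == "dllhost.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append("dllhost_outside_system_dir")
    # Rule 3: 32-bit PowerShell on a 64-bit host with encoded/hidden-window switches.
    if name == "powershell.exe" and "\\syswow64\\" in image:
        if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
            hits.append("wow64_powershell_obfuscated_launch")
    return hits


def detect(lines):
    """Return (image basename, rule) pairs for every matching event, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in rules_for(ev):
            findings.append((ntpath.basename(ev["image"]).lower(), rule))
    return findings


if __name__ == "__main__":
    for image, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```

The benign records (Excel opening a spreadsheet, an administrator running 64-bit PowerShell from cmd.exe) produce no findings, while the two lure-chain records each trigger one or more rules. In a real deployment the same three conditions map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and rule 1 in particular is the cheapest early signal for Office exploitation regardless of which CVE is used.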
Defend With Patching, Training, and Endpoint Protection
According to Zhang, Remcos gathers basic information from the victim’s device, encrypting and transmitting this data to its command and control (C2) server to confirm that the device is online and ready for manipulation.
Despite the advanced anti-analysis and obfuscation techniques employed, Darren Guccione, CEO and founder of Keeper Security, emphasizes that low-tech phishing and social engineering tactics remain among the most significant cybersecurity threats faced by enterprises. “Preventing these attacks necessitates a blend of technical defenses and employee awareness,” he asserts. “Identifying red flags—such as unusual senders, urgent requests, and suspicious attachments—can significantly mitigate human error. Regular training and robust security measures empower employees to serve as the first line of defense.”
Stephen Kowski, field CTO for SlashNext Email Security+, advocates for prioritizing robust endpoint security and implementing a solid patch management strategy. “Protection demands a multi-faceted approach: ensuring Microsoft Office is fully patched, employing advanced email security to detect and block malicious attachments in real-time, and deploying modern endpoint security to recognize suspicious PowerShell behaviors,” Kowski advises. “Given that this attack relies on social engineering through phishing emails, organizations must ensure their employees receive ongoing security awareness training focused on identifying suspicious attachments and order-themed lures.”