Threat update

A new phishing campaign spreading a fileless variant of Remcos RAT malware has been discovered. Read below to learn how this could impact your organization.

Technical Detail and Additional Info

What is the threat?

This campaign delivers malware through a phishing email containing a malicious Excel attachment, exploiting an existing Microsoft vulnerability, CVE-2017-0199, to silently execute its code. When opened, the Excel file takes advantage of the vulnerability, triggering the download of an HTML Application (HTA) file. The HTA file is executed using Microsoft's mshta.exe, which runs scripts to download an executable named "dllhost.exe." Once on the victim's device, this file facilitates the installation of the Remcos RAT malware, giving cybercriminals remote control over the infected system.

Why is it noteworthy?

Threat actors have specially designed the HTA file to escape detection, wrapping it in multiple layers of PowerShell, JavaScript, and Visual Basic Script code. Furthermore, the malware employs various anti-analysis and anti-debugging techniques, alongside running an additional obfuscated PowerShell script.

Additionally, the malware uses process hollowing to download and execute Remcos RAT. Rather than saving the Remcos file locally, it injects it directly into the memory of a running process, creating a fileless version of the malware.

Remcos RAT allows attackers to remotely issue commands via a command-and-control (C2) server and can gather a wide range of data from the infected system, including system metadata. Using these commands, the malware can harvest files, list and terminate processes, control system services, modify the Windows Registry, run commands and scripts, take screenshots, alter the victim's desktop wallpaper, activate the camera and microphone, download additional payloads, record the screen, and even disable keyboard and mouse input.

Indicators of Compromise:

192.3.220.22
107.173.4.16

What is the exposure or risk?

The attack involves creating a legitimate, paid DocuSign account, giving attackers the ability to modify templates and use the API directly. These accounts are then exploited to craft fraudulent invoice templates that resemble e-signature requests from well-known brands, such as Norton Antivirus.

Unlike traditional phishing attacks that rely on deceptive emails and malicious links, these incidents use authentic DocuSign accounts and templates to impersonate trusted companies, catching both users and security systems by surprise. If users e-sign the document, the attacker can use the signed version to request payment from the organization outside of DocuSign or send it through DocuSign to the finance department for processing.

What are the recommendations?

 LBT Technology Group recommends the following actions to protect your environment against these malware attacks:

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable endpoint detection & response (EDR) or antivirus and anti-malware with frequent updates to signature definitions. Using a multi-layered protection approach is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement advanced email filtering to detect and block phishing emails.

References

 For more in-depth information about the recommendations, please visit the following links:

• https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
• https://www.rewterz.com/threat-advisory/cybercriminals-distribute-fileless-remcos-rat-malware-using-excel-exploit-active-iocs
• https://www.infosecurity-magazine.com/news/remcos-rat-variant-targets-windows/

If you have any questions, please contact LBT's Sales Engineer.