By LBT Technology Group, LLC. on Thursday, 14 November 2024
Category: Security

Phishing campaign spreading Remcos RAT malware

Threat update

A new phishing campaign spreading a fileless variant of Remcos RAT malware has been discovered. Read below to learn how this could impact your organization.

Technical Detail and Additional Info

What is the threat?

This campaign delivers malware through a phishing email containing a malicious Excel attachment, exploiting an existing Microsoft vulnerability, CVE-2017-0199, to silently execute its code. When opened, the Excel file takes advantage of the vulnerability, triggering the download of an HTML Application (HTA) file. The HTA file is executed using Microsoft's mshta.exe, which runs scripts to download an executable named "dllhost.exe." Once on the victim's device, this file facilitates the installation of the Remcos RAT malware, giving cybercriminals remote control over the infected system.

Why is it noteworthy?

Threat actors have specially designed the HTA file to escape detection, wrapping it in multiple layers of PowerShell, JavaScript, and Visual Basic Script code. Furthermore, the malware employs various anti-analysis and anti-debugging techniques, alongside running an additional obfuscated PowerShell script.

Additionally, the malware uses process hollowing to download and execute Remcos RAT. Rather than saving the Remcos file locally, it injects it directly into the memory of a running process, creating a fileless version of the malware.

Remcos RAT allows attackers to remotely issue commands via a command-and-control (C2) server and can gather a wide range of data from the infected system, including system metadata. Using these commands, the malware can harvest files, list and terminate processes, control system services, modify the Windows Registry, run commands and scripts, take screenshots, alter the victim's desktop wallpaper, activate the camera and microphone, download additional payloads, record the screen, and even disable keyboard and mouse input.

Indicators of Compromise:

192.3.220.22
107.173.4.16
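The delivery chain described above (Excel opening a CVE-2017-0199 lure, mshta.exe fetching and running the HTA, an executable named dllhost.exe dropped outside its normal Windows location, and outbound traffic to the listed indicators) maps naturally onto process-creation and network telemetry. The following detection script is an added example, not code from LBT Technology Group or from the original post: it parses a small set of constructed, Sysmon-style key=value log lines and raises an alert for each stage of that chain. The log format, the file paths, the hostname in the HTA URL and the non-IoC addresses are all invented for the example; the two IP addresses come from the indicators above. The sets of "suspicious child process" names are an assumption that broadens the page's Excel → mshta.exe → PowerShell chain to the other script hosts an HTA commonly launches.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators of compromise listed in the advisory above.
IOC_IPS = {"192.3.220.22", "107.173.4.16"}

# Parent -> child pairs that should not occur on a workstation in normal use.
# Assumption: the page documents Excel -> mshta.exe -> PowerShell; the
# other script hosts are added because an HTA can launch any of them.
SUSPICIOUS_CHILDREN = {
    "excel.exe": {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"},
    "mshta.exe": {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"},
}

# The real dllhost.exe lives only in these directories; the campaign's
# dropper borrows the name, so any other location is worth an alert.
LEGIT_DLLHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry (not real logs): one benign Excel launch, the
# malicious chain, then two benign events that must NOT trigger.
SAMPLE_LOG = [
    r'event=process_create parentimage=C:\Windows\explorer.exe image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" commandline="EXCEL.EXE C:\Users\alice\Downloads\invoice.xlsx"',
    r'event=process_create parentimage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image=C:\Windows\System32\mshta.exe commandline="mshta.exe http://staging.example.invalid/invoice.hta"',
    r'event=process_create parentimage=C:\Windows\System32\mshta.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe commandline="powershell.exe -w hidden -enc AAAA"',
    r'event=process_create parentimage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe image=C:\Users\alice\AppData\Local\Temp\dllhost.exe commandline=dllhost.exe',
    r'event=network_connect image=C:\Users\alice\AppData\Local\Temp\dllhost.exe destinationip=107.173.4.16',
    r'event=process_create parentimage=C:\Windows\System32\svchost.exe image=C:\Windows\System32\dllhost.exe commandline="dllhost.exe /Processid:{GUID}"',
    r'event=network_connect image="C:\Program Files\Mozilla Firefox\firefox.exe" destinationip=203.0.113.5',
]


@dataclass
class Alert:
    rule: str       # which detection fired
    line_no: int    # 1-based index into the log being analysed
    detail: str     # short human-readable evidence


def parse_kv(line: str) -> dict:
    """Split a key=value line into a dict; values may be double-quoted."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key.lower()] = value.strip('"')
    return fields


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def analyze(lines) -> list:
    """Run every rule over the log lines and return the alerts in order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        if f.get("event") == "process_create":
            parent = exe_name(f.get("parentimage", ""))
            child = exe_name(f.get("image", ""))
            cmd = f.get("commandline", "")
            # Stage 1/2: Office spawning a script host, script host spawning PowerShell.
            if child in SUSPICIOUS_CHILDREN.get(parent, set()):
                alerts.append(Alert("suspicious_child", n, f"{parent} -> {child}"))
            # Stage 2: mshta.exe handed a URL, i.e. the HTA is fetched remotely.
            if child == "mshta.exe" and re.search(r"https?://", cmd, re.I):
                alerts.append(Alert("mshta_remote_hta", n, cmd))
            # Stage 3: a dllhost.exe that does not come from a Windows system directory.
            if child == "dllhost.exe":
                if ntpath.dirname(f.get("image", "")).lower() not in LEGIT_DLLHOST_DIRS:
                    alerts.append(Alert("dllhost_unusual_path", n, f.get("image", "")))
        elif f.get("event") == "network_connect":
            # Stage 4: any process talking to a published indicator.
            dst = f.get("destinationip", "")
            if dst in IOC_IPS:
                alerts.append(Alert("ioc_ip", n, f"{exe_name(f.get('image', ''))} -> {dst}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no:2d}  {a.rule:22s} {a.detail}")
```

On the constructed sample the script raises five alerts (the Excel → mshta.exe launch, the remote HTA URL, mshta.exe → PowerShell, the dllhost.exe running from a user's Temp directory, and the connection to 107.173.4.16) and stays silent on the legitimate dllhost.exe under System32 and on ordinary browser traffic. The dllhost rule is the one to keep even after the listed IPs rotate: the name is borrowed from a real Windows binary, so the location check, not the name, carries the signal.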

What is the exposure or risk?

The attack involves creating a legitimate, paid DocuSign account, giving attackers the ability to modify templates and use the API directly. These accounts are then exploited to craft fraudulent invoice templates that resemble e-signature requests from well-known brands, such as Norton Antivirus.

Unlike traditional phishing attacks that rely on deceptive emails and malicious links, these incidents use authentic DocuSign accounts and templates to impersonate trusted companies, catching both users and security systems by surprise. If users e-sign the document, the attacker can use the signed version to request payment from the organization outside of DocuSign or send it through DocuSign to the finance department for processing.

What are the recommendations?

LBT Technology Group recommends the following actions to protect your environment against these malware attacks:

References

For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.
