Fileless Remcos RAT: a threat to watch out for in weaponized Excel documents


Remcos, a Remote Access Trojan (RAT), has been actively used in cybercriminal campaigns since 2016. Recently, cybersecurity researchers have uncovered a new wave of malware operations involving Excel documents weaponized to deliver a fileless version of the Remcos RAT.
Weaponized Excel Document
The attack begins with a phishing email containing an encrypted Excel file. When the recipient opens the file, it exploits a critical vulnerability in Microsoft Office’s handling of OLE objects (CVE-2017-0199) to execute embedded malicious HTA files.
Payload Delivery
The HTA file triggers PowerShell commands to retrieve a VBScript from a remote location. The VBScript contains obfuscated data that, when processed by PowerShell, downloads a JPEG file containing the final payload.
Fileless Remcos RAT
The JPEG file contains a base64-encoded DLL that is decoded and loaded into memory. This DLL then downloads an encrypted text file, decodes it, and uses the loaded DLL to generate an in-memory .NET assembly of Remcos RAT. The RAT is then injected into a legitimate Windows process, such as ‘RegAsm.exe’, for execution.
Persistence and Evasion
Remcos establishes persistence through process injection, ensuring continuous access for attackers. The fileless approach, combined with advanced evasion techniques, minimizes traces of Remcos-associated behavior.
Targeted Sectors
The weaponized Excel documents have primarily targeted sectors such as government, manufacturing, IT, banking, and healthcare in countries including Belgium, Japan, USA, South Korea, Canada, Germany, and Australia.
Detection and Mitigation
To protect against this threat, organizations should implement the following measures:

  • Keep software and applications up-to-date with the latest security patches.
  • Use anti-malware software with real-time protection.
  • Employ email and document filters to detect and block malicious attachments.
  • Educate employees on phishing and social engineering techniques.
  • Implement a layered security approach to detect and respond to potential breaches.
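As an added example that is not part of the original write-up: a small Python detector that walks process-creation telemetry for the parent/child chain described above (Office application spawning an HTA script host, which spawns PowerShell, which in turn starts RegAsm.exe). It assumes Sysmon-style events reduced to pid,ppid,image columns; the sample events are constructed, and mshta.exe as the HTA host is an assumption, since the write-up names only the HTA file.

```python
import csv

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}        # document stage
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}    # HTA / VBScript hosts
SHELLS = {"powershell.exe", "pwsh.exe"}                       # downloader stage
INJECTION_HOSTS = {"regasm.exe"}                              # injection target

STAGES = [  # (allowed parents, suspicious children, finding label)
    (OFFICE, SCRIPT_HOSTS, "office_spawned_script_host"),
    (SCRIPT_HOSTS, SHELLS, "script_host_spawned_powershell"),
    (SHELLS, INJECTION_HOSTS, "powershell_spawned_regasm"),
]

# Constructed process-creation events (not real telemetry): pid,ppid,image
SAMPLE_EVENTS = """pid,ppid,image
200,100,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
300,200,C:\\Windows\\System32\\mshta.exe
400,300,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
500,400,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
700,100,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
800,700,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
"""

def parse_events(text):
    """Map pid -> (ppid, lower-cased image basename)."""
    procs = {}
    for row in csv.DictReader(text.splitlines()):
        image = row["image"].rsplit("\\", 1)[-1].lower()
        procs[int(row["pid"])] = (int(row["ppid"]), image)
    return procs

def ancestry(procs, pid):
    """Image names from pid up to the root, child first; stops on cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, image = procs[pid]          # step to the parent
        chain.append(image)
    return chain

def classify(chain):
    """Labels for every parent->child hop in the chain that matches a stage."""
    return [label for child, parent in zip(chain, chain[1:])
            for parents, children, label in STAGES
            if parent in parents and child in children]

def detect(text):
    """{pid: labels}; the more stages seen above one pid, the stronger the match."""
    procs = parse_events(text)
    return {pid: labels for pid in procs
            if (labels := classify(ancestry(procs, pid)))}
```

A PowerShell-to-RegAsm.exe hop on its own (pid 800 in the sample) is a weaker signal than the full Office-to-RegAsm.exe chain (pid 500), so the number of labels per pid is a reasonable triage score.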
Conclusion
The weaponized Excel documents delivering Remcos highlight the evolving nature of cyber threats. By leveraging vulnerabilities and advanced evasion techniques, these threats pose significant risks to organizations. Businesses must stay vigilant and implement robust cybersecurity measures to mitigate such attacks effectively.
