Key Takeaways:
Cybersecurity researchers have discovered a new phishing campaign that delivers a modified variant of the Remcos RAT (Remote Access Trojan). The malware grants the attackers complete control over infected Windows devices.
Researchers at Fortinet’s FortiGuard Labs report that this phishing campaign begins with an email designed to lure victims into clicking on an Excel file disguised as a business order notification. The file exploits a remote code execution vulnerability (CVE-2017-0199) to install malware on the target device by taking advantage of how Microsoft Office and Word parse certain files.
“Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis,” the researcher explained. “Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files.”
The infected host also downloads a malicious executable file, which is processed through a 32-bit PowerShell command to deploy the Remcos RAT. The malware then alters the system registry to ensure it launches automatically at startup.
Once active, Remcos gathers basic information from the victim’s device, including the operating system, IP address, and other system details. The encrypted data is sent to a Command and Control (C2) server, where it registers the victim’s device as online and ready for the attacker’s control.
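The behaviours described in the chain above (an Office process handing off to a script host, a downloaded dllhost.exe running out of %AppData%, a 32-bit PowerShell stage, and a registry Run-key entry for start-up persistence) can each be expressed as a host-based detection. The script below is an added illustration, not code from Fortinet or from the report: the event fields, file paths and the sample event records are all constructed here, and the check that flags dllhost.exe running outside the Windows system directories is this example's own generalization (the report says the file is downloaded, not where it lands beyond %AppData%).

```python
"""Host-based detection logic for the Remcos delivery chain described above.

Every Event record in SAMPLE_EVENTS is a constructed sample, not data from the
report.  Field names (image, parent, cmdline, key, data) are assumptions chosen
to resemble process-creation and registry-set telemetry such as Sysmon's.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Legitimate dllhost.exe lives under System32 or SysWOW64; anything else is suspect.
SYSTEM_DIRS_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# The 32-bit PowerShell host on a 64-bit Windows install.
SYSWOW64_PS_RE = re.compile(r"\\syswow64\\windowspowershell\\.*\\powershell\.exe$", re.IGNORECASE)
APPDATA_RE = re.compile(r"(%appdata%|\\appdata\\)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" for process creation, "registry" for a value set
    image: str = ""      # full path of the created process
    parent: str = ""     # full path of the parent process
    cmdline: str = ""    # command line of the created process
    key: str = ""        # registry key path (registry events only)
    data: str = ""       # registry value data (registry events only)


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    hits = []
    child, parent = _name(ev.image), _name(ev.parent)
    if parent in OFFICE_PROCESSES and child in SCRIPT_HOSTS:
        hits.append(f"office-spawned-script-host:{parent}->{child}")
    if child == "dllhost.exe" and not SYSTEM_DIRS_RE.match(ev.image):
        hits.append("dllhost-outside-system-dir")
    if SYSWOW64_PS_RE.search(ev.image) and APPDATA_RE.search(ev.cmdline):
        hits.append("wow64-powershell-appdata")
    return hits


def check_registry(ev: Event) -> List[str]:
    """Flag a Run/RunOnce entry whose target lives under the user's AppData."""
    if RUN_KEY_RE.search(ev.key) and APPDATA_RE.search(ev.data):
        return ["run-key-persistence-appdata"]
    return []


def analyze(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every check over a stream of events; returns (event index, detection)."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev.kind == "process" else check_registry(ev)
        findings.extend((i, h) for h in hits)
    return findings


# Constructed telemetry resembling the described chain, plus one benign dllhost.exe.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          parent=r"C:\Windows\explorer.exe", cmdline="EXCEL.EXE order_notification.xlsx"),
    Event("process", image=r"C:\Windows\System32\wscript.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=r"wscript.exe //e:jscript C:\Users\alice\AppData\Local\Temp\stage1.js"),
    Event("process", image=r"C:\Users\alice\AppData\Roaming\dllhost.exe",
          parent=r"C:\Windows\System32\wscript.exe", cmdline="dllhost.exe"),
    Event("process", image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Users\alice\AppData\Roaming\dllhost.exe",
          cmdline=r"powershell.exe -w hidden -f %AppData%\stage.ps1"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Users\alice\AppData\Roaming\dllhost.exe"),
    Event("process", image=r"C:\Windows\System32\dllhost.exe",
          parent=r"C:\Windows\System32\svchost.exe",
          cmdline="dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for idx, detection in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {detection}")
```

Run against the constructed events, the script fires on the Excel-to-wscript hand-off, the dllhost.exe under %AppData%, the SysWOW64 PowerShell stage and the Run-key entry, while the genuine System32 dllhost.exe spawned by svchost.exe stays quiet. Each check maps to one step the report describes, so a tuning pass on real telemetry can loosen or tighten them independently.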
To prevent these attacks, organizations should watch for red flags like unfamiliar senders, urgent requests, and suspicious attachments. Additionally, administrators should keep Microsoft Office updated to minimize the risk of vulnerabilities being exploited. Implementing advanced email security measures is also recommended to detect and block malicious attachments effectively.
Customers should deploy advanced endpoint security solutions to help detect and respond to suspicious activity. Regular employee training is also essential to protect businesses against phishing attacks.