Hackers Exploit Microsoft Office Flaw in New Remcos RAT Phishing Attack

Hackers are exploiting a Microsoft Office vulnerability in a new phishing campaign to deploy the Remcos RAT.

Published: Nov 12, 2024



Key Takeaways:

  • A new phishing campaign is using malicious Excel files to deploy a Remcos RAT variant.
  • The malware evades detection by layering its code in multiple scripts and encoding methods.
  • The hackers exploit an old Microsoft Office flaw to gain full remote access to Windows devices.

Cybersecurity researchers have discovered a new phishing campaign enabling threat actors to deploy a modified variant of the Remcos RAT (Remote Access Trojan). This new malware grants cybercriminals complete control over infected Windows devices.

Researchers at Fortinet’s FortiGuard Labs report that the campaign begins with an email that lures victims into opening an Excel file disguised as a business order notification. The file exploits a remote code execution vulnerability (CVE-2017-0199) to install malware on the target device by abusing how Microsoft Office and Word handle certain files.

“Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis,” the researcher explained. “Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files.”

Figure: dllhost.exe about to run the PowerShell program (Image Credit: Fortinet)

The infected host also downloads a malicious executable, which is run through a 32-bit PowerShell command to deploy the Remcos RAT. The malware then modifies the system registry so that it launches automatically at startup.
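A defender-side check for the registry autostart behaviour described above, added here as an example and not code from the article or from Fortinet’s report. It assumes the persistence entry lands in the standard Run/RunOnce keys (the article does not name the key) and flags entries showing the traits the report does describe: a launcher under %AppData%, the dllhost.exe dropper name outside System32, or the 32-bit PowerShell host.

```powershell
# Added example: enumerate common autostart keys and flag entries matching the
# traits reported for this campaign. Run/RunOnce is an assumption; the article
# only states that the registry is altered so the malware starts at boot.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Regex patterns drawn from the campaign description. Get-ItemProperty expands
# REG_EXPAND_SZ values, so both the expanded AppData path and the literal
# %AppData% token are checked.
$suspicious = @(
    [regex]::Escape($env:APPDATA),
    '%AppData%',
    'SysWOW64\\WindowsPowerShell\\v1\.0\\powershell\.exe',   # 32-bit PowerShell host
    '(?<!\\System32\\)dllhost\.exe'                          # legitimate dllhost.exe lives in System32
)

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to the object.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $cmd  = [string]$p.Value
            $hits = $suspicious | Where-Object { $cmd -imatch $_ }
            if ($hits) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Matched = ($hits -join '; ')
                }
            }
        }
    }
}

# Print any matches; an empty table means none of the checked keys showed these traits.
Get-SuspiciousAutostart | Format-Table -AutoSize
```

Treat a hit as a lead for triage rather than a verdict: confirm the referenced file’s hash and signer before removing the entry, since legitimate software occasionally installs into AppData.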

Once active, Remcos gathers basic information from the victim’s device, including the operating system, IP address, and other system details. This data is encrypted and sent to a command-and-control (C2) server, which registers the victim’s device as online and ready for the attacker’s control.

How can organizations protect themselves against Remcos RAT phishing attacks?

To prevent these attacks, organizations should watch for red flags like unfamiliar senders, urgent requests, and suspicious attachments. Additionally, administrators should keep Microsoft Office updated to minimize the risk of vulnerabilities being exploited. Implementing advanced email security measures is also recommended to detect and block malicious attachments effectively.

Customers should deploy advanced endpoint security solutions to help detect and respond to suspicious activity. Regular employee training is also essential to protect businesses against phishing attacks.
