Friday, December 6, 2024
HomeCVE/vulnerabilityBeware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

Published on

SIEM as a Service

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199.

By exploiting this vulnerability in Microsoft Office, attackers are able to embed malicious code within the file using OLE objects. 

It utilizes encryption and obfuscation techniques to conceal the malicious payload. Upon opening the file, the victim’s system executes a fileless variant of the Remcos RAT, granting attackers remote access and control. 

- Advertisement - SIEM as a Service

The malware campaign leverages the CVE-2017-0199 vulnerability to deliver a Remcos RAT via a phishing email containing an encrypted Excel file.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The attack chain involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process, which has been exploited by various malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher. 

oletools confirming that the excel file is encrypted

Recent campaigns in 2024 deploying RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook have targeted Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.

It leverages a spearphishing attachment to entice victims into opening a deceptive Excel document, which exploits a vulnerability (CVE-2017-0199) to execute embedded OLE objects, which contain a malicious URL. 

This URL initiates a connection to a malicious server, downloading and executing a weaponized HTA file, ultimately compromising the victim’s system.

Embedded OLE object containing malicious URL

The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application, which in turn executes a PowerShell script that downloads and runs a VBScript from a remote URL, which contains obfuscated data that is decoded and executed by PowerShell, initiating a chain of PowerShell processes to escalate the attack. 

While the final process downloads a JPEG file containing a base64-encoded ‘dnlib.dll’ library, which is decoded and loaded into memory for further malicious activity by leveraging various techniques to evade detection and achieve persistence in the target environment.

Downloaded JPEG file

The attack begins with PowerShell downloading a base64-encoded text file from a malicious URL and then processed by ‘dnlib.dll’ to create a .NET assembly of Remcos RAT, which is subsequently injected into the legitimate process ‘RegAsm’. 

According to Trellix, Remcos RAT then establishes persistence by injecting itself into other legitimate processes, evading traditional security defenses. 

IOC associated to Remcos RAT

Indicators of Remcos RAT presence include its keylogger file and associated IOCs, which utilize the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.

Attackers used a combination of advanced techniques to create a persistent threat by leveraging a vulnerability (CVE-2017-0199) in Microsoft Office to execute malicious code. 

It then downloaded additional tools like OLE objects, memory-only .NET assemblies, and scripts (.hta, vbs.txt) from compromised servers, which likely helped the attackers maintain persistence on the infected system and potentially steal data.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...