Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199.

By exploiting this vulnerability in Microsoft Office, attackers are able to embed malicious code within the file using OLE objects. 

It utilizes encryption and obfuscation techniques to conceal the malicious payload. Upon opening the file, the victim’s system executes a fileless variant of the Remcos RAT, granting attackers remote access and control. 

The malware campaign leverages the CVE-2017-0199 vulnerability to deliver a Remcos RAT via a phishing email containing an encrypted Excel file.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The attack chain involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process, which has been exploited by various malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher. 

Recent campaigns in 2024 deploying RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook have targeted Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.

It leverages a spearphishing attachment to entice victims into opening a deceptive Excel document, which exploits a vulnerability (CVE-2017-0199) to execute embedded OLE objects, which contain a malicious URL. 

This URL initiates a connection to a malicious server, downloading and executing a weaponized HTA file, ultimately compromising the victim’s system.

The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application, which in turn executes a PowerShell script that downloads and runs a VBScript from a remote URL, which contains obfuscated data that is decoded and executed by PowerShell, initiating a chain of PowerShell processes to escalate the attack. 

While the final process downloads a JPEG file containing a base64-encoded ‘dnlib.dll’ library, which is decoded and loaded into memory for further malicious activity by leveraging various techniques to evade detection and achieve persistence in the target environment.

The attack begins with PowerShell downloading a base64-encoded text file from a malicious URL and then processed by ‘dnlib.dll’ to create a .NET assembly of Remcos RAT, which is subsequently injected into the legitimate process ‘RegAsm’. 

According to Trellix, Remcos RAT then establishes persistence by injecting itself into other legitimate processes, evading traditional security defenses. 

Indicators of Remcos RAT presence include its keylogger file and associated IOCs, which utilize the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.

Attackers used a combination of advanced techniques to create a persistent threat by leveraging a vulnerability (CVE-2017-0199) in Microsoft Office to execute malicious code. 

It then downloaded additional tools like OLE objects, memory-only .NET assemblies, and scripts (.hta, vbs.txt) from compromised servers, which likely helped the attackers maintain persistence on the infected system and potentially steal data.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar