Cyber Security News

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199.

By exploiting this vulnerability in Microsoft Office, attackers are able to embed malicious code within the file using OLE objects. 

It utilizes encryption and obfuscation techniques to conceal the malicious payload. Upon opening the file, the victim’s system executes a fileless variant of the Remcos RAT, granting attackers remote access and control. 

The malware campaign leverages the CVE-2017-0199 vulnerability to deliver a Remcos RAT via a phishing email containing an encrypted Excel file.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The attack chain involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process, which has been exploited by various malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher. 

oletools confirming that the excel file is encrypted

Recent campaigns in 2024 deploying RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook have targeted Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.

It leverages a spearphishing attachment to entice victims into opening a deceptive Excel document, which exploits a vulnerability (CVE-2017-0199) to execute embedded OLE objects, which contain a malicious URL. 

This URL initiates a connection to a malicious server, downloading and executing a weaponized HTA file, ultimately compromising the victim’s system.

Embedded OLE object containing malicious URL

The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application, which in turn executes a PowerShell script that downloads and runs a VBScript from a remote URL, which contains obfuscated data that is decoded and executed by PowerShell, initiating a chain of PowerShell processes to escalate the attack. 

While the final process downloads a JPEG file containing a base64-encoded ‘dnlib.dll’ library, which is decoded and loaded into memory for further malicious activity by leveraging various techniques to evade detection and achieve persistence in the target environment.

Downloaded JPEG file

The attack begins with PowerShell downloading a base64-encoded text file from a malicious URL and then processed by ‘dnlib.dll’ to create a .NET assembly of Remcos RAT, which is subsequently injected into the legitimate process ‘RegAsm’. 

According to Trellix, Remcos RAT then establishes persistence by injecting itself into other legitimate processes, evading traditional security defenses. 

IOC associated to Remcos RAT

Indicators of Remcos RAT presence include its keylogger file and associated IOCs, which utilize the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.

Attackers used a combination of advanced techniques to create a persistent threat by leveraging a vulnerability (CVE-2017-0199) in Microsoft Office to execute malicious code. 

It then downloaded additional tools like OLE objects, memory-only .NET assemblies, and scripts (.hta, vbs.txt) from compromised servers, which likely helped the attackers maintain persistence on the infected system and potentially steal data.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

14 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

14 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

15 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

16 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

16 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

17 hours ago