Beware! New Phishing Attack Unleashes Advanced Remcos RAT Variant
2024-11-12
Author: Wei
Introduction
Fortinet’s FortiGuard Labs has recently detected a phishing campaign that delivers a new variant of the Remcos Remote Access Trojan (RAT). The lure is unremarkable: the victim receives an email posing as an order confirmation and is prompted to open the malicious Excel document attached to it.
Attack Vector
Once opened, the Excel file exploits a known Microsoft Office vulnerability, CVE-2017-0199 (a flaw in how Office handles linked OLE objects), to silently fetch a remote HTA (HTML Application) file and run it in the background. That HTA kick-starts the infection: its payload is wrapped in several layers of JavaScript, VBScript and PowerShell, each decoding the next, so that no single layer looks like a recognisable Remcos loader to signature-based defences.
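The delivery document described above relies on a relationship inside the OOXML package that points an embedded OLE object at a remote URL, which is what makes Office reach out and fetch the HTA. The scanner below is an added example (not code from FortiGuard Labs or from this post): it unpacks a .xlsx/.docx, walks every `.rels` part and flags OLE-object relationships whose target is external. The sample workbook, the `example.invalid` URL and the `Order_Confirmation.xlsx` name are constructed for the demonstration; the check is a heuristic, not a full CVE-2017-0199 detector.

```python
"""Heuristic scanner for OOXML files carrying an external OLE object link,
the document structure CVE-2017-0199 lures use to make Office fetch a remote
.hta.  Added example; not FortiGuard's or the original post's code.  The
sample workbook and URL below are constructed for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{REL_NS}}}Relationship"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def scan_ooxml(data: bytes) -> list[dict]:
    """Return one finding per OLE-object relationship that points at a remote target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part; nothing to resolve
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                is_ole = rel.get("Type", "") == OLE_REL_TYPE
                # Office only fetches the object if the part is marked External
                # or the target is an absolute remote URL.
                is_external = (rel.get("TargetMode", "").lower() == "external"
                               or scheme in REMOTE_SCHEMES)
                if is_ole and is_external:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "target": target,
                        # .hta targets are handed to mshta.exe, the CVE-2017-0199 pattern
                        "hta": target.lower().split("?")[0].endswith(".hta"),
                    })
    return findings


def build_sample_workbook(ole_target: str, external: bool = True) -> bytes:
    """Construct a minimal xlsx-like package in memory (a test fixture, not a real Office file)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
            f'</Relationships>')
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
             '<oleObjects><oleObject progId="Package" oleUpdate="OLEUPDATE_ALWAYS" r:id="rId1"/>'
             '</oleObjects></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: an OLE object whose target is a remote .hta (URL is made up).
    lure = build_sample_workbook("http://example.invalid/order/confirm.hta")
    for f in scan_ooxml(lure):
        print(f"{f['part']}: {f['id']} -> {f['target']} (hta={f['hta']})")
    # A normal embedded object lives inside the package and is not flagged.
    print(scan_ooxml(build_sample_workbook("../embeddings/oleObject1.bin", external=False)))
```

On a real mail gateway you would run `scan_ooxml` over every attachment before delivery and quarantine anything with a finding; the same relationship walk also works for .docx and .pptx because all three share the OPC packaging format.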
About Remcos RAT
Remcos was originally sold as a legitimate remote administration tool but has long since become a staple of cybercriminal tooling. Its feature set gives an operator unauthorised access to sensitive data, full control over the victim's device and a platform for staging further malicious activity, which makes it a significant threat wherever it lands.
Advanced Techniques of the New Variant
This latest campaign adds some worrying refinements. The Remcos variant it delivers is wrapped in heavy obfuscation and anti-analysis logic that makes it hard to detect and to reverse. Once on a victim's device it checks for debuggers and analysis tools, resolves the Windows API functions it needs dynamically at runtime rather than importing them (so static analysis sees none of them), and keeps much of its activity inside the PowerShell process, leaving fewer artefacts for endpoint tooling to inspect.
Persistence Mechanisms
The infection also modifies the Windows registry so that it is relaunched after a reboot. This variant is largely fileless: it runs in memory without writing conventional executable files to disk. Using undocumented Windows APIs, it injects itself into a separately started process with an unrelated-looking name (in this campaign, “Vaccinerende.exe”), from which it downloads, decrypts and loads additional malicious components directly into memory.
Conclusion
With remote administration tools like Remcos being deployed in increasingly inventive ways, the threat landscape keeps evolving, and this campaign is a reminder of how much damage a convincing phishing lure paired with sophisticated malware can do. It is worth noting that CVE-2017-0199 was patched by Microsoft in April 2017, so a fully updated Office installation does not run the HTA at all; the whole chain depends on an unpatched client. Organisations should therefore revisit their email security controls (blocking or sandboxing Office attachments with external object links, for instance) and make sure endpoints are kept continuously patched.
Call to Action
Stay vigilant: your next email could hold the key to a financial disaster!