New Phishing Campaign Distributes Remcos Remote Access Trojan
Quick take - Fortinet’s FortiGuard Labs has identified a new phishing campaign that distributes a variant of the Remcos Remote Access Trojan (RAT) through deceptive emails containing a malicious Excel document that exploits a known vulnerability in Microsoft Office, allowing the malware to gain remote control over infected Windows systems.
Fast Facts
- Fortinet’s FortiGuard Labs has identified a phishing campaign distributing a variant of the Remcos Remote Access Trojan (RAT) targeting Windows systems.
- The campaign uses deceptive emails with a malicious Excel document that exploits the CVE-2017-0199 vulnerability to execute an obfuscated HTA file.
- The HTA file downloads and runs a malicious executable (dllhost.exe), installing the Remcos RAT, which modifies the system registry for persistence.
- Remcos RAT connects to a command and control server, enabling a range of malicious activities, including keylogging and webcam capture, while employing advanced anti-analysis techniques.
- Experts recommend avoiding suspicious links, using security software, keeping software updated, and utilizing Content Disarm and Reconstruction (CDR) services to mitigate risks.
New Phishing Campaign Distributing Remcos RAT
Fortinet’s FortiGuard Labs has recently uncovered a new phishing campaign that is distributing a variant of the Remcos Remote Access Trojan (RAT). This sophisticated malware targets Windows systems and is known for its ability to steal sensitive data and provide remote control over infected devices.
Phishing Campaign Details
The phishing campaign begins with deceptive emails that are crafted to resemble order notifications. These emails contain a malicious Excel document. When the recipient opens this document, it exploits the CVE-2017-0199 vulnerability, a Remote Code Execution flaw found in Microsoft Office and WordPad. This vulnerability allows the Excel application to execute an HTML Application (HTA) file.
The HTA file associated with this malware is heavily obfuscated and layers several scripting and encoding techniques, including JavaScript, VBScript, PowerShell, Base64, and URL encoding. Through a 32-bit PowerShell process, the file downloads and executes a malicious executable named dllhost.exe, effectively deploying the Remcos RAT onto the victim’s system.
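As an added example (not from Fortinet's report or this article), the following Python check walks constructed process-creation events and flags the parent-child chain described above: Excel spawning mshta.exe, mshta.exe spawning a 32-bit PowerShell, and a dllhost.exe running from outside the Windows system directories. The event field names and sample paths are assumptions.

```python
"""Flag the Excel -> HTA -> 32-bit PowerShell -> dllhost.exe process chain."""
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed sample events in the style of process-creation telemetry
# (assumed fields: pid, ppid, image). The first four events form the chain
# described in the article; the last two are a benign dllhost.exe for contrast.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\SysWOW64\mshta.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Roaming\dllhost.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\dllhost.exe"},
]

# Directories where a legitimate dllhost.exe lives on a 64-bit Windows host.
LEGIT_DLLHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(image):
    return ntpath.basename(image).lower()


def _dir(image):
    return ntpath.dirname(image).lower()


def detect_remcos_chain(events):
    """Return (pid, reason) tuples for events matching any stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        child, par = _name(e["image"]), _name(parent["image"])
        if par == "excel.exe" and child == "mshta.exe":
            findings.append((e["pid"], "Excel launched mshta.exe (HTA execution, CVE-2017-0199 pattern)"))
        elif par == "mshta.exe" and child == "powershell.exe":
            # SysWOW64 hosts the 32-bit PowerShell on 64-bit Windows.
            bits = "32-bit" if "syswow64" in _dir(e["image"]) else "64-bit"
            findings.append((e["pid"], f"mshta.exe launched {bits} PowerShell"))
        elif child == "dllhost.exe" and _dir(e["image"]) not in LEGIT_DLLHOST_DIRS:
            findings.append((e["pid"], f"dllhost.exe from non-system path {e['image']} (parent {par})"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_remcos_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign System32 dllhost.exe spawned by svchost.exe produces no finding, while each of the three suspicious links in the chain does.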
Persistence and Command Control
Once installed, Remcos RAT modifies the system registry to ensure that it launches automatically upon system startup, helping the malware maintain persistence on the infected machine. The RAT then connects to a command and control (C&C) server, sending a registration packet containing system, user, network, and version information. The malware can receive commands for a range of malicious activities, including information gathering, file operations, remote execution, keylogging, screen recording, and webcam capture.
This variant of Remcos RAT employs multiple persistence mechanisms and uses advanced anti-analysis techniques. One such technique is Vectored Exception Handling, which creates a custom exception handler to thwart common debugging techniques. Additionally, the malware uses hash values instead of direct API names to identify APIs, complicating static analysis efforts. It extracts addresses from the Process Environment Block (PEB) by matching these hash values and detects the presence of debuggers by monitoring debug registers and common API calls associated with debugging.
Evasion Techniques and Recommendations
To further evade detection, Remcos RAT utilizes the ZwSetInformationThread() API to hide its thread from debuggers and the ZwQueryInformationProcess() API to ascertain if a debugger is attached, allowing the malware to take evasive action. Another evasion technique includes process hollowing, where the malware injects its code into a legitimate process to mask its activity.
Experts recommend several measures to protect against such threats. Users should avoid opening suspicious links or attachments, utilize security and antivirus software, keep all software up to date, and employ Content Disarm and Reconstruction (CDR) services to mitigate the risk of infection from similar malware.