Fileless Remcos RAT Campaign Leverages CVE-2017-0199 Flaw

Fileless Remcos RAT
Excel document containing pixelated screenshot | Image: Trellix

In a newly uncovered advanced malware campaign, threat actors are using a complex, fileless approach to deliver the Remcos Remote Access Trojan (RAT), leveraging a benign-looking Excel document as the attack vector. The campaign, analyzed by Trellix researchers, reveals how cybercriminals continue to refine their tactics to evade detection and infiltrate systems without leaving traditional traces of malicious files.

At the heart of this campaign is CVE-2017-0199, a critical vulnerability in Microsoft Office and WordPad that allows attackers to execute arbitrary code when users open specially crafted documents. The vulnerability is exploited through Object Linking and Embedding (OLE) objects, a method that allows attackers to embed malicious code in documents that appear harmless. In this case, the document used is an encrypted Excel file, cleverly disguising the payload.

Upon opening the Excel file, victims unknowingly trigger the download and execution of a malicious HTA (HTML Application) file, which initiates a series of PowerShell commands that ultimately inject the fileless Remcos RAT into the victim’s system.

The attack starts with a phishing email containing the weaponized Excel document, which tricks users into interacting with it. The file exploits CVE-2017-0199, launching OLE-embedded objects that connect to a malicious URL, triggering the download of an HTA file.

This HTA file is key to the attack, as it initiates a chain of PowerShell commands. The commands are obfuscated, making them difficult for security tools to detect. The attack progresses by executing a VBScript that appears to be a legitimate utility but, upon closer inspection, contains obfuscated data designed to stealthily execute the next stage of the attack.

The final payload, the Remcos RAT, is delivered in a fileless manner. PowerShell commands download and load the RAT directly into memory without writing it to disk, significantly reducing the chances of detection. This RAT is then injected into a legitimate Windows process (RegAsm), where it executes and establishes persistence on the system.

Remcos RAT is a powerful remote access tool that allows attackers to maintain control over the compromised system, exfiltrate data, log keystrokes, and perform other malicious activities, all while evading traditional endpoint security solutions.

Trellix researchers noted that the campaign predominantly targets key industries, including government, manufacturing, technology, and banking sectors. Geographically, the attacks have been observed in countries such as Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.

Related Posts: