The Remcos variant infection chain | Image: Fortinet
A sophisticated new phishing campaign has been detected in the wild, leveraging a fileless variant of the notorious Remcos RAT (Remote Access Trojan) to evade detection and seize control of victim systems. FortiGuard Labs discovered the campaign, which employs a complex infection chain designed to bypass traditional security measures by never writing the malware’s core payload to the disk.
The attack begins with a deceptive phishing email disguised as a message from a shipping company in Vietnam. The subject line ironically includes the tag [virus detected], likely a quirk of the attacker’s own compromised infrastructure or a failed attempt at reverse psychology, but the lure itself invites the user to view an “updated shipping document” attached as a Word file.
“The captured phishing email, disguised as a message from a shipping company in Vietnam, lures the recipient to open an attached Word file to view an updated shipping document,” the report explains.
Once the victim opens the malicious Word document, a cascading series of automated steps is triggered. The document exploits a known vulnerability (CVE-2017-11882) in the Microsoft Equation Editor to execute code without user interaction.
The attack flow is intricate:
- External Template Loading: The Word file connects to a URL-shortening service to download a malicious RTF file.
- VBScript & PowerShell: The RTF file triggers the exploit, downloading and executing a VBScript file that contains Base64-encoded PowerShell code.
- Steganography: The PowerShell code downloads a .NET module hidden inside a legitimate-looking image file (optimized_MSI.png).
- Process Hollowing: This is where the campaign turns “fileless.” The .NET module injects the Remcos payload directly into a new, legitimate system process (colorcpl.exe).
“The Remcos payload (version 7.0.4 Pro) is never written to a local file. It is downloaded into memory and injected into a legitimate system process via process hollowing,” the report warns.
The malware deployed is Remcos version 7.0.4 Pro. While Remcos is marketed as a legitimate remote administration tool, it is frequently abused by threat actors for espionage.
The analysis by FortiGuard Labs reveals that this variant is configured for extensive surveillance, including:
- Screen Logging: Capturing the victim’s screen and sending it to the C2 server.
- Keylogging: Recording all keystrokes to steal credentials.
- Browser Theft: Stealing history, cookies, and login data.
- Remote Control: Full access to the file system, registry, and command line.
The malware maintains persistence by creating a scheduled task that re-executes the malicious VBScript every minute, ensuring the attacker retains access even if the computer is rebooted.
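A defender can hunt for this persistence pattern in exported task XML (for example the TaskContent of a task-creation event). The checker below is an added example, not Fortinet's code; it flags a task only when it both repeats at a short interval and runs a .vbs through a script host. Both task definitions and the file paths in them are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (real); the two sample tasks further down are constructed.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

def iso_duration_seconds(duration):
    """Convert a Task Scheduler ISO-8601 duration (PT1M, PT12H, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs

def assess_task(task_xml, max_interval=300):
    """Return (suspicious, reasons). Either trait alone is common in benign tasks;
    the combination matches the every-minute VBScript re-launch described above."""
    root = ET.fromstring(task_xml)
    reasons = []
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=NS)
    seconds = iso_duration_seconds(interval) if interval else None
    short_interval = seconds is not None and seconds <= max_interval
    if short_interval:
        reasons.append(f"repeats every {seconds}s")
    script_action = False
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", "", NS).strip().strip('"').lower()
        args = action.findtext("t:Arguments", "", NS).lower()
        exe = cmd.rsplit("\\", 1)[-1]  # basename, whatever directory the host was run from
        if exe in SCRIPT_HOSTS and ".vbs" in args:
            script_action = True
            reasons.append(f"script host {exe} runs a .vbs")
    return (short_interval and script_action, reasons)

# Constructed sample: the article's pattern, a one-minute repeat that re-runs a VBScript.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//B C:\Users\Public\placeholder_script.vbs</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: a routine maintenance task that must not be flagged.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT12H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\ExampleBackup\backup.exe</Command>
    <Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, assess_task(xml))
```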