November 14, 2024
By Cybervergent Team

Fishing for Phishers: Hollow Tricks and Secret Scripts

In the world of cyber threats, phishing is one of the oldest tricks in the book. Yet, even after years of user education and technological defenses, it remains a highly effective method for attackers to infiltrate networks.

Recently, a new campaign involving the latest variant of Remcos RAT (Remote Administration Tool) has surfaced, using phishing emails and an outdated security flaw to slip past defenses and gain control of victim devices.

Let’s break down how this campaign works, why it’s effective, and how organizations can protect themselves.

[Figure: The phishing email]

The Hack: Old Vulnerabilities, New Victims

The attackers behind this campaign are using a well-known vulnerability, CVE-2017-0199, which enables remote code execution. By embedding malicious scripts in seemingly harmless Excel files, the attackers have found a way to exploit this old vulnerability to bypass traditional security measures.

When an unsuspecting user opens the infected Excel file, the vulnerability is triggered, setting off a series of malicious downloads. In the final stage, Remcos RAT is installed on the victim’s device, allowing attackers to access and control it remotely.


The Tools: Familiar Files with Dangerous Payloads

This campaign is particularly sneaky because it uses everyday tools that users trust, such as Excel files. People receive spreadsheets as part of daily work, which makes them less likely to question their authenticity. By leveraging an outdated vulnerability and a common file type, attackers ensure that their initial penetration method looks as inconspicuous as possible.

The process involves a hidden HTML Application (HTA) file, which initiates a chain of malicious scripts. These scripts load Remcos RAT, a powerful tool that allows attackers to spy on, control, and steal information from infected devices, all while evading detection.

[Figure: Workflow of the entire phishing campaign]

The Process

After the Excel file is opened, a hidden HTA file is downloaded and executed in the background using Windows' native mshta.exe. The HTA file runs a script to download and execute dllhost.exe, which injects malicious code into a legitimate Windows process through a technique called process hollowing.

The Targets: Who’s at Risk?

This type of attack poses a significant threat to individuals and organizations in data-sensitive industries such as finance, insurance, and government. Phishing emails targeting these sectors may contain documents appearing to be invoices, policy documents, or financial statements. The reliance on familiar file types, combined with a known vulnerability, means that any organization or individual handling sensitive information is at risk.


Mitigations

Patch Legacy Vulnerabilities: Regular updates are crucial for closing known vulnerabilities like CVE-2017-0199.

Strengthen Anti-Phishing Protocols: Use email security tools that analyze attachment behavior before delivering emails to end users.

Memory-Only Threat Detection: Since this RAT executes in memory, endpoint security solutions with memory-scanning capabilities can detect in-memory threats more effectively.

Application Hardening: Enforce strict execution policies for applications like mshta.exe that are commonly exploited for fileless malware attacks.

Behavioral Analytics: Implement anomaly detection to identify unusual processes, such as process hollowing, that can signal malicious activity even if no files are written to disk.
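The following is an added example, not code from the Cybervergent write-up, showing what the "Behavioral Analytics" mitigation looks like in practice for the process chain described in The Process section (Excel opens, mshta.exe runs the HTA, the HTA launches dllhost.exe, and dllhost.exe injects into a legitimate process). It runs a small detector over constructed Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records. The record layout, the sample process IDs and paths, the choice of the injection target, and the heuristic that a downloaded "dllhost.exe" lands outside the Windows system directories are all assumptions for the example, not observations from the campaign.

```python
# Added example (not from the Cybervergent post): detect the Office -> mshta.exe ->
# dllhost.exe -> remote-thread injection chain over constructed Sysmon-style events.
# Field names, PIDs, paths and the injection target are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    """Minimal Sysmon-like record: event_id 1 = process create, 8 = CreateRemoteThread."""
    event_id: int
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    target_pid: int = 0      # event 8 only: process receiving the remote thread
    target_image: str = ""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) alerts in event order.

    A process ID is 'tainted' once it is part of an Office -> script-host chain; taint
    propagates to every child, so later stages are reported even if they are renamed
    or run only in memory. A remote thread created by a tainted process is treated as
    hollowing-style injection into its target.
    """
    tainted: Set[int] = set()
    alerts: List[Tuple[str, int, str]] = []
    for e in events:
        if e.event_id == 1:
            child, parent = basename(e.image), basename(e.parent_image)
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                tainted.add(e.pid)
                alerts.append(("office_spawned_script_host", e.pid, f"{parent} -> {child}"))
            elif e.parent_pid in tainted:
                tainted.add(e.pid)
                alerts.append(("descendant_of_tainted_chain", e.pid, f"{parent} -> {child}"))
            # Heuristic (assumption): a Windows system binary name running from outside
            # the system directories, e.g. a downloaded "dllhost.exe" in %TEMP%.
            if child == "dllhost.exe" and not e.image.lower().startswith(SYSTEM_DIRS):
                tainted.add(e.pid)
                alerts.append(("system_binary_name_outside_system_dir", e.pid, e.image))
        elif e.event_id == 8 and e.pid in tainted:
            alerts.append(("remote_thread_from_tainted_process", e.pid,
                           f"{basename(e.image)} -> {basename(e.target_image)} (pid {e.target_pid})"))
    return alerts


# Constructed sample telemetry (not real campaign data).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    ProcEvent(1, 4100, OFFICE, 3000, r"C:\Windows\explorer.exe"),                # user opens Excel
    ProcEvent(1, 4200, r"C:\Windows\System32\mshta.exe", 4100, OFFICE),          # Excel launches HTA host
    ProcEvent(1, 4300, r"C:\Users\alice\AppData\Local\Temp\dllhost.exe", 4200,
              r"C:\Windows\System32\mshta.exe"),                                  # HTA drops/runs dllhost.exe
    ProcEvent(8, 4300, r"C:\Users\alice\AppData\Local\Temp\dllhost.exe",
              target_pid=4400, target_image=r"C:\Windows\System32\svchost.exe"),  # injection (target assumed)
    ProcEvent(1, 5000, r"C:\Windows\System32\dllhost.exe", 3000, r"C:\Windows\explorer.exe"),  # legitimate COM surrogate
    ProcEvent(8, 5100, r"C:\Windows\System32\csrss.exe",
              target_pid=5200, target_image=r"C:\Windows\System32\conhost.exe"),  # untainted source, ignored
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid:<6d} {detail}")
```

The legitimate dllhost.exe launched from explorer.exe and the unrelated remote thread from an untainted process produce no alerts, which is the point of carrying taint along the process tree rather than alerting on every CreateRemoteThread: the chain is flagged by its origin in an Office document, not by the name of the final binary.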