Cybercriminals Leverage Excel Vulnerability to Distribute Fileless Remcos RAT Malware

Nov 11, 2024
Vulnerability / Network Security

Cybersecurity experts have uncovered a new phishing campaign that disseminates a fileless variant of the well-known Remcos RAT malware. According to Fortinet FortiGuard Labs researcher Xiaopeng Zhang, “Remcos RAT offers a comprehensive suite of advanced features for remotely controlling computers purchased by buyers.” However, cybercriminals have exploited Remcos to gather sensitive information and execute further malicious actions on victims’ systems.

The attack typically begins with a phishing email that employs purchase order themes to entice recipients into opening a malicious Microsoft Excel attachment. This Excel document exploits a known remote code execution vulnerability in Office (CVE-2017-0199, CVSS score: 7.8), allowing it to download an HTML Application (HTA) file (“cookienetbookinetcahce.hta”) from a remote server (“192.3.220[.]22”) and execute it using mshta.exe.

Cybercriminals Leverage Excel Vulnerability to Deploy Remcos RAT Malware

November 11, 2024
Vulnerability / Network Security

Recent cybersecurity investigations have unearthed a phishing campaign that propagates a new fileless variant of the notorious Remcos RAT (Remote Control Software). Fortinet FortiGuard Labs, through researcher Xiaopeng Zhang, provided an in-depth analysis, revealing that while Remcos RAT is marketed for legitimate remote desktop purposes, it has been misused by cybercriminals to exfiltrate sensitive data and gain unauthorized access to victims’ systems.

The attack is initiated through phishing emails that entice recipients with purchase order themes, prompting them to engage with a seemingly innocuous Microsoft Excel attachment. However, this document harbors malicious intent, exploiting a known remote code execution vulnerability in Microsoft Office—specifically, CVE-2017-0199, which has a CVSS score of 7.8. When activated, the malicious Excel file downloads an HTML Application (HTA) file named “cookienetbookinetcahce.hta” from a remote server located at “192.3.220[.]22,” utilizing the mshta.exe tool to execute it.

The targets of this campaign are individuals and organizations, particularly those operating within the business sector. While the specific geographical focus of the attack has not been disclosed, the nature of the phishing strategy suggests a broad targeting approach, consistent with trends in cybercrime that often extend globally.

In terms of tactics and techniques as outlined by the MITRE ATT&CK framework, this attack exemplifies several key adversarial strategies. The initial access is gained through the delivery of the phishing email, effectively leveraging social engineering to lure victims into opening the malicious attachment. Following this, persistence is established via the execution of the HTA file, which may allow the attackers to maintain a foothold within the compromised environment.

Privilege escalation might also be a concern, as the malware’s capabilities can enable the attackers to execute administrative commands remotely, depending on the level of access obtained. Furthermore, techniques associated with data exfiltration are likely employed once the threat actors establish control, allowing them to siphon off sensitive information unnoticed.

This evolving trend of phishing campaigns utilizing legitimate software vulnerabilities underscores the critical need for heightened vigilance among businesses. As cyber threats proliferate, understanding the tactics employed by adversaries is paramount for effective defense. Organizations are encouraged to review their cybersecurity protocols and ensure robust measures are in place to mitigate risks associated with such sophisticated attacks.

Source link

Related Posts

CERT-UA Discovers Malicious RDP Files in Recent Attack on Ukrainian Entities

Oct 26, 2024
Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new malicious email campaign targeting government agencies, businesses, and military organizations. CERT-UA noted, “The emails leverage the allure of integrating popular services like Amazon or Microsoft while promoting a zero-trust architecture.” These messages include attachments that are Remote Desktop Protocol (‘.rdp’) configuration files. When executed, these RDP files connect to a remote server, allowing threat actors to access compromised systems, steal data, and deploy additional malware for subsequent attacks. The preparation for this infrastructure is believed to have started as early as August 2024, and the agency warns that the campaign may extend beyond Ukraine to other countries. CERT-UA has linked the campaign to a threat actor identified as UAC-0215. Amazon Web Services (AWS) also issued a related advisory…

Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwan-based government entity and a religious organization have fallen victim to the China-linked threat actor known as Evasive Panda. This group employed an undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Integrated through a plugin, CloudScout operates in conjunction with MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was detected between May 2022 and February 2023 and comprises 10 C# modules, three of which are specifically designed to steal data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules are still unknown. Evasive Panda, also referred to as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting various entities.