Fortinet’s FortiGuard Labs has uncovered a sophisticated phishing campaign distributing a new variant of the Remcos Remote Access Trojan (RAT). The campaign begins with a phishing email containing a malicious Excel document designed to exploit vulnerabilities and deliver the Remcos malware onto victims’ devices.
Remcos is a commercial remote administration tool (RAT) readily available for purchase, offering features intended for legitimate remote management of computers. However, it has become a powerful tool in the hands of cybercriminals, who misuse it to access sensitive information, control victim devices, and execute further malicious activities. This latest campaign showcases Remcos’s evolving tactics in evading detection and analysis.
The phishing email, masquerading as an order confirmation, lures recipients into opening the attached Excel document. Upon opening, it exploits a known vulnerability (CVE-2017-0199) in Microsoft Office applications, allowing the document to download and execute an HTA (HTML Application) file in the background. This file initiates the infection process, layering multiple scripting languages like JavaScript, VBScript, and PowerShell to evade traditional security checks.
The Remcos RAT variant employs extensive obfuscation and anti-analysis techniques to prevent detection. Layers of encoded scripts execute commands that download and run additional malicious files. Once initiated, the malware can detect the presence of debuggers, dynamically retrieve system APIs, and conceal malicious processes to avoid exposure. It even hides its traces by using Windows-native commands to operate discreetly in the system’s PowerShell.
Infected devices exhibit persistence through registry modifications, enabling the malware to remain active even after the system reboots. Additionally, this variant runs filelessly, meaning it operates solely in memory rather than saving itself as a conventional file. By calling undocumented APIs, it injects itself into a process named “Vaccinerende.exe,” from which it can download, decrypt, and deploy further malicious components directly into memory.
This campaign highlights the growing risk of remote administration tools like Remcos when misused by attackers. The combination of sophisticated phishing tactics, fileless execution, and anti-analysis methods makes this a particularly potent cyber threat. As this variant of Remcos evades detection and hides in system memory, Fortinet advises organizations to enhance email security filters and keep systems patched to defend against similar exploits.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.