Cybersecurity researchers have discovered a new phishing campaign that distributes a new fileless variant of a known commercial malware called Remcos RAT.
The Remcos RAT “provides purchasers with a broad set of advanced features for remote control of customer-owned computers,” Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week.
“However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious activities.”
The starting point of the attack is a phishing email that uses purchase order-themed lures to convince recipients to open a Microsoft Excel attachment.
The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file (“cookienetbookinetcahce.hta”) from a remote server (“192.3.220(.)22”) and run it with mshta.exe.
The HTA file, for its part, is wrapped in multiple layers of JavaScript, Visual Basic Script, and PowerShell code to avoid detection. Its main task is to retrieve the executable file from the same server and execute it.
The binary then proceeds to run another obfuscated PowerShell program while applying a number of anti-analysis and anti-debugging techniques to make detection more difficult. In the next step, the malware uses an extraction process to finally download and run the Remcos RAT.
“Instead of saving the Remcos file to a local file and running it, it directly deploys Remcos in the memory of the current process,” Zhang said. “In other words, it’s a fileless version of Remcos.”
The Remcos RAT is equipped to collect various types of information from a compromised host, including system metadata, and can execute instructions issued by an attacker through a command and control (C2) server.
These commands allow the program to collect files, list and kill processes, manage system services, edit the Windows registry, execute commands and scripts, capture the contents of the clipboard, change the victim’s desktop wallpaper, enable the camera and microphone, download additional payloads, record the screen, and even disable keyboard or mouse input.
The disclosure comes after Wallarm revealed that threat actors are abusing the Docusign API to send convincing fake invoices that trick unsuspecting users and to run massive phishing campaigns.
The attack involves creating a legitimate paid Docusign account, which allows attackers to modify templates and directly use the API. The accounts are then used to create custom invoice templates that mimic e-signature requests for documents from well-known brands such as Norton Antivirus.
“Unlike traditional phishing scams that rely on fraudulently crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate legitimate companies, catching users and security tools off guard,” the company said in a statement.
“If users electronically sign this document, an attacker could use the signed document to request payment from an organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment.”
Phishing campaigns have also been observed using an unconventional tactic called ZIP concatenation to bypass security tools and distribute remote access Trojans to targets.
The method involves concatenating multiple ZIP archives into a single file, which creates security issues because programs such as 7-Zip, WinRAR, and Windows File Explorer unpack and parse such files inconsistently, leading to a scenario where a malicious payload is overlooked.
“By exploiting the different ways ZIP readers and archive managers handle compressed ZIP files, attackers can embed malware that specifically targets users of certain tools,” Perception Point noted in a recent report.
“Threat actors know that these tools often miss or ignore malicious content hidden in aggregated archives, allowing them to deliver their payloads undetected and target users who use special archive software.”
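The parsing inconsistency described above can be checked for directly. The following is an added example, not code from the original report or from Perception Point: it enumerates every end-of-central-directory record in a file instead of trusting only the last one (which is what Python's zipfile and many extractors do), flags files that contain more than one valid archive, and shows how the two views differ on a constructed sample. The archive names and contents are invented for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
CDH_SIG = b"PK\x01\x02"   # central-directory file header signature

def archives_in(blob: bytes) -> list:
    """Name list of every ZIP archive embedded in blob, in file order.
    A candidate EOCD counts only if a central directory of the declared size
    ends exactly where it begins, which rejects stray signature bytes."""
    found = []
    pos = blob.find(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(blob):
            # EOCD: total entries at +10, central dir size at +12, offset at +16
            n_entries, cd_size, _cd_offset = struct.unpack_from("<HLL", blob, pos + 10)
            cd_start = pos - cd_size
            if cd_start >= 0 and blob[cd_start:cd_start + 4] == CDH_SIG:
                names, p = [], cd_start
                for _ in range(n_entries):
                    # central dir header: name/extra/comment lengths at +28, name at +46
                    fn_len, ex_len, cm_len = struct.unpack_from("<HHH", blob, p + 28)
                    names.append(blob[p + 46:p + 46 + fn_len].decode("utf-8", "replace"))
                    p += 46 + fn_len + ex_len + cm_len
                found.append(names)
        pos = blob.find(EOCD_SIG, pos + 1)
    return found

def is_concatenated(blob: bytes) -> bool:
    """True when more than one valid archive is present: treat the file as suspicious."""
    return len(archives_in(blob)) > 1

def what_zipfile_sees(blob: bytes) -> list:
    """Python's zipfile trusts only the last EOCD, so it lists the final archive alone."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a benign-looking archive with a second archive appended (invented names/contents).
DECOY = make_zip({"invoice.pdf": b"%PDF-1.4 placeholder content"})
APPENDED = make_zip({"second_archive.bin": b"placeholder bytes"})
CONCATENATED = DECOY + APPENDED
```

A gateway or mail filter that extracts with a single library therefore scans only one of the two archives; counting validated EOCD records catches the mismatch regardless of which archive a given tool would unpack.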
The development also comes as a threat actor known as Venture Wolf has been linked to phishing attacks targeting the Russian manufacturing, construction, IT, and telecommunications sectors with MetaStealer, a fork of the RedLine Stealer malware.