New Remcos RAT Activity Detection: Phishing Campaign Spreading a Novel Fileless Malware Variant

Cybersecurity researchers have identified an ongoing in-the-wild adversary campaign, which leverages a known RCE vulnerability in Microsoft Office tracked as CVE-2017-0199 exploited by a malicious Excel file used as a lure attachment in phishing emails. The phishing campaign is designed to distribute a new fileless version of the notorious Remcos RAT malware and take full remote control of a targeted system. 

Detect Remcos RAT

Phishing continues to be a leading attack vector, displaying a 58.2% rise in phishing attacks in 2023 compared to the previous year, underscoring the growing sophistication and reach of threat actors. The novel fileless version of Remcos RAT spread via phishing emails poses growing risks to Windows users by enabling adversaries to gain full remote control of a compromised device, steal sensitive data, and perform further offensive operations. SOC Prime Platform for collective cyber defense curates an entire collection of detection algorithms to help security teams proactively defend against phishing attacks leveraging Remcos RAT. 

Press Explore Detections to reach relevant detections mapped to MITRE ATT&CK®, explore tailored CTI for streamlined threat investigation, and convert the code in an automated fashion into 30+ supported SIEM, EDR, or Data Lake language formats in use. Apply the Light Search to query across 12,000+ tailored data labels within SOC Prime’s locally hosted cloud ensuring fully transparent, private access to data and ultra-fast speed for a streamlined search experience.

Explore Detections

Remcos RAT Analysis 

Fortinet’s FortiGuard Labs has recently uncovered a phishing campaign targeting Windows users and spreading a new fileless Remcos RAT malware iteration.

Remcos RAT is commercial malware, which offers buyers an array of advanced tools for remotely managing computers under their control. However, cybercriminals have exploited Remcos to steal sensitive information from victims and manipulate their systems for malicious purposes. Remcos RAT has also been leveraged in phishing campaigns by the russia-backed hacking group UAC-0050, primarily targeting Ukrainian state bodies. For instance, throughout September and October 2024, UAC-0050 conducted at least 30 attempts to breach accountants’ computers utilizing REMCOS malware.

The inflection flow is triggered by a phishing email containing an attached Microsoft Excel lure file masquerading as an order-related document. The latter exploits a known Microsoft Office RCE vulnerability in Office (CVE-2017-0199) to retrieve an HTA file named “cookienetbookinetcahce.hta” from a remote server. The HTA file is further executed on the compromised device using the Windows-native mshta.exe utility. Notably, the HTA file code is obfuscated through multiple layers using various scripting languages and encoding techniques, to evade detection and hinder anti-malware analysis.

The binary executes an obfuscated PowerShell script while employing anti-analysis and anti-debugging techniques to bypass detection. Adversaries employ a wide range of detection evasion techniques, like a vectored exception handler, dynamically obtained APIs, calculated constant values, and API hooking.  

Once the anti-analysis defenses are bypassed, the malware uses process hollowing to execute malicious code directly in memory, within a new process called “Vaccinerende.exe,” making new Remcos RAT a fileless variant. 

Remcos RAT gathers system metadata and executes commands received from its C2 server. These include stealing files, terminating processes, managing system services, modifying the Windows Registry, executing scripts, capturing clipboard data, accessing the camera and microphone, downloading payloads, recording the screen, and disabling keyboard or mouse input. The malicious code modifies the system registry to create a new auto-run entry, ensuring persistence and retaining control of the victim’s device even after a reboot.

The new fileless variant of Remcos RAT, combined with multiple detection evasion techniques, makes it more challenging for defenders to promptly identify the malicious activity. By relying on SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, security teams can gain access to cutting-edge solutions for proactive defense while building a robust cybersecurity posture for a secure tomorrow.