Remcos is a Remote Access Trojan (RAT) that lets attackers gain unauthorized control over compromised computers.

This RAT has been weaponized and frequently used in criminal cyber activity since it first appeared in 2016.

Recently, analysts at Trellix warned about weaponized Excel documents that were found spreading a stealthy Remcos RAT.

Weaponized Excel Sheet

In this new malicious campaign, attackers were observed exploiting a critical vulnerability in the handling of Object Linking and Embedding (OLE) objects in Microsoft Office and WordPad, tracked as CVE-2017-0199.

The attack begins with a phishing email carrying an encrypted Excel file that appears to be protected, enticing the user to interact with it.

Excel document containing pixelated screenshot (Source – Trellix)

When the file is opened, it exploits CVE-2017-0199 to activate embedded OLE objects, fetching a malicious HTA file from a URL (hxxps://slug.vercel.app/wyiqkf).

This HTA file then launches PowerShell commands with base64-encoded parameters, which retrieve a VBScript from “hxxp://45.90.89.50/100/instantflowercaseneedbeautygirlsherealways.gIF.”

Obfuscated data getting executed by PowerShell (Source – Trellix)

The VBScript holds obfuscated data which, when processed by PowerShell, triggers further PowerShell commands.

These commands download a JPEG file (hxxp://servidorwindows.ddns.com.br/Files/vbs.jpeg) containing the final payload.

The attack injects a fileless variant of the Remcos RAT into a legitimate Windows process, the report reads.

In this attack, the attackers’ tradecraft showed sophisticated evasion techniques, and they primarily targeted the following sectors in Belgium, Japan, USA, South Korea, Canada, Germany, and Australia:

  • Government
  • Manufacturing
  • Information Technology
  • Finance

It forms part of a trend of similar attacks delivering malware such as “RevengeRAT,” “SnakeKeylogger,” “GuLoader,” “AgentTesla,” and “FormBook.”

The multi-stage strategy employs techniques such as T1221 (Template Injection) and T1059.001 (Visual Basic Scripting) to bypass security controls, underscoring the evolving sophistication of cyber threats that use seemingly harmless documents to deliver potent malware payloads.

The final stage begins with a JPEG file carrying an embedded base64-encoded ‘dnlib.dll’, a free .NET library for assembly manipulation.

This DLL is decoded and loaded directly into memory via System.Reflection.Assembly, a .NET class for loading assemblies at runtime.

Next, PowerShell retrieves a text file with base64-encoded data from a malicious URL. This data is decoded and processed by the loaded dnlib.dll to produce an in-memory .NET assembly of the Remcos RAT.
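The image-as-carrier trick described above (a JPEG with a base64-encoded DLL embedded in it) can be checked for without executing anything. The following is an added example written for this article, not Trellix’s or the article’s code: it scans any file for long base64 runs that decode to an MZ/PE image, using a constructed JPEG stub and a constructed fake PE as input. The 200-character run threshold is an assumption chosen to skip ordinary short tokens.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to carry a DLL rather than a stray token.
# The 200-char floor is an assumed threshold, not an indicator from the report.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(data: bytes) -> list[dict]:
    """Scan an arbitrary file (e.g. a downloaded JPEG) for base64 runs decoding to a PE image."""
    hits = []
    for m in B64_RUN.finditer(data):
        b64 = m.group(0).rstrip(b"=")
        if len(b64) % 4 == 1:          # a lone trailing char can never be valid base64
            b64 = b64[:-1]
        b64 += b"=" * (-len(b64) % 4)  # restore padding the run may have lacked
        try:
            decoded = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(), "size": len(decoded)})
    return hits

# --- constructed sample: a JPEG header with a fake MZ/PE image appended as base64 ---
FAKE_PE = bytearray(256)
FAKE_PE[0:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> offset 0x80
FAKE_PE[0x80:0x84] = b"PE\x00\x00"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(256)) + b"\xff\xd9"
DECOY = b"A" * 300            # long base64 run that decodes to zeros, not a PE: must not fire
SAMPLE = JPEG_STUB + DECOY + b"\n" + base64.b64encode(bytes(FAKE_PE))

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE):
        print(f"embedded PE at offset {hit['offset']}, {hit['size']} bytes decoded")
```

Pointing the scanner at files written by Office or PowerShell into user-writable paths gives a cheap triage signal that does not depend on the payload URL.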

Strings related to Remcos found in RegAsm process memory (Source – Trellix)

The RAT is then injected into the legitimate Windows process ‘RegAsm.exe’ for execution, and this process leaves minimal traces of Remcos-related activity.

Remcos establishes persistence through process injection, ensuring continued attacker access.

This sophisticated approach combines vulnerability exploitation, memory-only .NET assemblies, and advanced evasion techniques, demonstrating the complexity of modern malware.

The article Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT appeared first on Cyber Security News.