Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199.

By exploiting this vulnerability in Microsoft Office, attackers are able to embed malicious code within the file using OLE objects. 

It utilizes encryption and obfuscation techniques to conceal the malicious payload. Upon opening the file, the victim’s system executes a fileless variant of the Remcos RAT, granting attackers remote access and control. 

The malware campaign leverages the CVE-2017-0199 vulnerability to deliver a Remcos RAT via a phishing email containing an encrypted Excel file.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The attack chain involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process, which has been exploited by various malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher. 

oletools confirming that the excel file is encrypted

Recent campaigns in 2024 deploying RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook have targeted Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.

It leverages a spearphishing attachment to entice victims into opening a deceptive Excel document, which exploits a vulnerability (CVE-2017-0199) to execute embedded OLE objects, which contain a malicious URL. 

This URL initiates a connection to a malicious server, downloading and executing a weaponized HTA file, ultimately compromising the victim’s system.

Embedded OLE object containing malicious URL

The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application, which in turn executes a PowerShell script that downloads and runs a VBScript from a remote URL, which contains obfuscated data that is decoded and executed by PowerShell, initiating a chain of PowerShell processes to escalate the attack. 

While the final process downloads a JPEG file containing a base64-encoded ‘dnlib.dll’ library, which is decoded and loaded into memory for further malicious activity by leveraging various techniques to evade detection and achieve persistence in the target environment.

Downloaded JPEG file

The attack begins with PowerShell downloading a base64-encoded text file from a malicious URL and then processed by ‘dnlib.dll’ to create a .NET assembly of Remcos RAT, which is subsequently injected into the legitimate process ‘RegAsm’. 

According to Trellix, Remcos RAT then establishes persistence by injecting itself into other legitimate processes, evading traditional security defenses. 

IOC associated to Remcos RAT

Indicators of Remcos RAT presence include its keylogger file and associated IOCs, which utilize the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.

Attackers used a combination of advanced techniques to create a persistent threat by leveraging a vulnerability (CVE-2017-0199) in Microsoft Office to execute malicious code. 

It then downloaded additional tools like OLE objects, memory-only .NET assemblies, and scripts (.hta, vbs.txt) from compromised servers, which likely helped the attackers maintain persistence on the infected system and potentially steal data.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago