Beware: Hackers Using Excel Files to Infect Windows with Remcos RAT

Remcos RAT is a commercial remote administration tool that threat actors abuse for malicious purposes. In this campaign it is delivered via phishing emails carrying malicious Excel attachments.

Once opened, the Excel file triggers a macro that downloads and executes the Remcos payload. The payload employs anti-analysis techniques to evade detection and establishes persistence on the victim's device.

Remcos offers advanced remote-control features that let attackers steal sensitive information and perform a range of other malicious activities.

Figure: The phishing email

The malicious Excel document exploits CVE-2017-0199 to achieve remote code execution: when opened, it triggers the download and execution of an HTA file.

The HTA file is wrapped in multiple layers of script encoding; once unwrapped, it downloads and executes a malicious EXE file, leveraging DCOM components to bypass security measures and gain unauthorized access to the victim's system.

Figure: Examples of the multiple layers of script code

The downloaded DLLHost.exe extracts malicious files to %AppData% and launches a 32-bit PowerShell process, which reads obfuscated PowerShell code from one of the extracted files, "Aerognosy.Res".

That code copies itself to %temp%, hides the PowerShell process, loads malicious code from a second extracted file, "Valvulate.Cru", allocates memory, copies the malicious code into it, and finally executes it through the CallWindowProcA API.

The loaded code uses several anti-analysis techniques to evade detection and hinder analysis: it controls execution flow through exception handling, retrieves API addresses dynamically, and hooks APIs to bypass breakpoints.

Figure: Display of CreateProcessInternal() and its parameters

It also uses process hollowing to inject itself into a legitimate process, further obscuring its activity and making it difficult to analyze the full extent of its capabilities and intent.

The resulting malicious code, "Vaccinerende.exe", establishes persistence by adding a registry entry, downloads and decrypts the Remcos payload, and injects it into its own process memory for stealthy execution.

Figure: Starting the Remcos payload in a thread

Once activated, Remcos gathers system information (hardware specifications, user privileges, and network details) and contacts its C&C server to register the infected device and receive further instructions, enabling remote control and data exfiltration.

The RAT carries out its operations on infected devices by receiving control commands from the command-and-control server.

These commands cover a range of functionality, including gathering system information such as running processes, capturing screenshots, keylogging, file management, and executing arbitrary commands.

Figure: Process Manager on the C&C server

Upon receiving a command, Remcos parses the accompanying data and carries out the corresponding action on the compromised system, allowing attackers to maintain persistent control and exfiltrate sensitive data.

According to Fortinet, the phishing campaign uses a malicious Excel document to exploit CVE-2017-0199, leading to the execution of an HTA file, which in turn downloads and executes a DLL host process. The malicious code evades detection through various anti-analysis techniques, including API hooking and process hollowing.

It then injects the Remcos payload into a legitimate process and establishes persistence on the victim's device. The payload communicates with its C&C server, exfiltrates sensitive data and executes malicious commands, posing a significant security threat.
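As an added defensive example (not code from the article or from Fortinet's report), the following Python sketch runs a few process-creation rules for the chain described above over constructed Sysmon-style events: an Office application spawning the HTA host, the HTA host launching a DLLHost.exe that is not the Windows system binary, and a binary in a user-writable directory starting 32-bit PowerShell. It assumes the HTA stage runs under mshta.exe (the standard Windows HTA host); the sample paths are constructed, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # child process image path

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
WOW64_POWERSHELL = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a rule name if the event matches one stage of the chain, else None."""
    parent, child = basename(ev.parent), basename(ev.image)
    # Stage 1: CVE-2017-0199 abuse, an Office application spawning the HTA host
    if parent in OFFICE_APPS and child == "mshta.exe":
        return "office_spawns_mshta"
    # Stage 2: the HTA host launching a DLLHost.exe that is not the system binary
    if parent == "mshta.exe" and child == "dllhost.exe" \
            and not ev.image.lower().startswith(SYSTEM_DIRS):
        return "mshta_spawns_rogue_dllhost"
    # Stage 3: a binary in a user-writable directory starting 32-bit PowerShell
    if USER_WRITABLE.search(ev.parent) and ev.image.lower() == WOW64_POWERSHELL:
        return "user_dir_exe_spawns_wow64_powershell"
    return None

def scan(events: List[ProcEvent]) -> List[str]:
    # Keep the names of the rules that fired, in event order
    return [r for r in (classify(e) for e in events) if r]
# Constructed sample events: paths are illustrative, not indicators from the report
SAMPLE = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Users\alice\AppData\Roaming\DLLHost.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\DLLHost.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",  # benign: interactive 64-bit PowerShell
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]
if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT:", hit)
```

The three chain stages fire on the first three sample events and the benign explorer-launched PowerShell produces no alert; in practice the rules would be fed from Sysmon Event ID 1 or an equivalent EDR process-creation feed.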

Author: Kaaviya, Security Editor and reporter at Cyber Press (https://cyberpress.org/), covering cyber security incidents.