New Remcos Campaign Distributed Through Fake Shipping Document

FortiGuard Labs analyzed a phishing campaign that delivers a fileless variant of the Remcos RAT via a malicious Word document that downloads a crafted RTF exploiting CVE-2017-11882 to execute shellcode and launch VBScript and PowerShell loaders. The attack results in in-memory loading of a .NET module and process hollowing to deploy Remcos (version 7.0.4 Pro), with persistence via a scheduled task and C2 communications to 216.9.224.26:51010. #Remcos #CVE_2017_11882

Keypoints

  • A phishing email impersonating a Vietnamese shipping company delivers a malicious Word document that automatically downloads a remote RTF template.
  • The RTF contains malformed equation data that triggers CVE-2017-11882 in EQNEDT32.EXE, executing embedded shellcode to fetch and run a VBScript.
  • The VBScript launches Base64-encoded PowerShell which decodes and loads a .NET module hidden inside an image file via [Reflection.Assembly]::Load() into the PowerShell process.
  • The embedded .NET module installs persistence by creating a scheduled task and downloads a Base64/reversed Remcos payload into memory.
  • Remcos is deployed filelessly via process hollowing into a newly created colorcpl.exe process and communicates with C2 (216.9.224.26:51010) using an encrypted configuration and TLS certificates.
  • The Remcos variant (7.0.4 Pro) exposes extensive capabilities—system management, surveillance, network tools, communications, extra utilities, and agent control—via 211 command IDs.
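Detection logic for the three process-lineage pivots in this chain (Equation Editor spawning a script host, hidden PowerShell performing a reflective load, colorcpl.exe created by PowerShell), written as an added example and not taken from the FortiGuard report. The events are constructed Sysmon Event ID 1 style records; the file paths, the `$b` variable and the type name `X` in the sample command line are assumptions, not values from the campaign.

```python
import re

# Constructed Sysmon Event ID 1 style records (not from the report); paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "EQNEDT32.EXE -Embedding"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"wscript.exe C:\Users\Public\stage.vbs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -NoProfile -WindowStyle Hidden -Command "
                    "[Reflection.Assembly]::Load($b).GetType('X').GetMethod('VAI').Invoke($null,$null)"},
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "colorcpl.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign admin script
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -WindowStyle Hidden -File C:\Scripts\backup.ps1"},
]

# Script hosts and shells that Equation Editor has no legitimate reason to spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the chain-specific rules that fire on one event."""
    img, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits = []
    # Stage 1: CVE-2017-11882 shellcode launching the VBScript from EQNEDT32.EXE.
    if parent == "eqnedt32.exe" and img in SCRIPT_HOSTS:
        hits.append("eqnedt32_spawns_script_host")
    # Stage 2: hidden PowerShell doing an in-memory assembly load (T1620).
    if (img == "powershell.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I)
            and re.search(r"reflection\.assembly\]::load", cmd, re.I)):
        hits.append("hidden_powershell_reflective_load")
    # Stage 3: colorcpl.exe (a Control Panel applet) created by PowerShell, the hollowing host.
    if img == "colorcpl.exe" and parent == "powershell.exe":
        hits.append("colorcpl_spawned_by_powershell")
    return hits

def scan(events):
    """(event index, rule) pairs for every rule that fires across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]
```

`scan(SAMPLE_EVENTS)` fires once per stage on events 1 to 3 and stays silent on event 0 (Equation Editor itself) and on the benign hidden PowerShell run in event 4, which lacks the reflective load.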

MITRE Techniques

  • [T1566] Phishing – Brief description: The campaign begins with a phishing email that lures recipients to open a malicious Word attachment. (‘The captured phishing email, disguised as a message from a shipping company in Vietnam, lures the recipient to open an attached Word file to view an updated shipping document.’)
  • [T1203] Exploitation for Client Execution – Brief description: A crafted RTF triggers CVE-2017-11882 in the Microsoft Equation Editor to execute shellcode. (‘…triggers CVE-2017-11882, a known Remote Code Execution (RCE) vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE).’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Brief description: PowerShell is used (Base64-encoded) to load a .NET module into memory and invoke its VAI() method. (‘powershell -NoProfile -WindowStyle Hidden -Command {Base64-decoded PowerShell code}’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic / VBScript – Brief description: A VBScript downloader/launcher contains Base64-encoded PowerShell and is executed to spawn the PowerShell payload. (‘The VBScript file is lightly obfuscated and contains a Base64-encoded PowerShell code.’)
  • [T1105] Ingress Tool Transfer – Brief description: Multiple files (RTF, VBScript, image with embedded .NET, Remcos payload) are downloaded from remote hosts during the chain. (‘The shellcode’s primary function is to download a VBScript file from a decrypted URL.’ / ‘The .NET module downloads the file and keeps it in memory… the file contains the Remcos agent payload.’)
  • [T1055.012] Process Injection: Process Hollowing – Brief description: The Remcos payload is injected into a newly created colorcpl.exe process using process hollowing to run filelessly. (‘deploys the Remcos payload into a newly created colorcpl.exe process using process hollowing.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Brief description: The .NET module creates a scheduled task named “5V3EBWmhxc” to achieve persistence and repeatedly execute the downloaded VBS. (‘the .NET module creates a scheduled task (named “5V3EBWmhxc”) in the Windows Task Scheduler to maintain persistence’)
  • [T1620] Reflective Code Loading – Brief description: A .NET assembly is loaded directly into the PowerShell process via reflection ([Reflection.Assembly]::Load()) to execute in-memory. (‘After decoding, the code calls the [Reflection.Assembly]::Load() method to load the .NET module into the PowerShell’s process and invokes its VAI() method’)

Indicators of Compromise

  • [URL] initial download and payload hosts – hxxp://66[.]179[.]94[.]117/157/w/w.doc, hxxps://idliya[.]com/arquivo_20251130221101.txt
  • [IP] download host and C2 – 66[.]179[.]94[.]117 (RTF and VBE hosting), 216.9.224.26:51010 (Remcos C2)
  • [Domain] URL shorteners and asset host – go-shorty[.]killcod3[.]com, idliya[.]com
  • [File Hash] samples and payloads – Remcos payload: 94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA, w.doc: A35DD25CD31E4A7CCA528DBFFF37B5CDBB4076AAC28B83FD4DA397027402BADD (and 2 more hashes)
  • [File Name] artifacts observed in chain – w.doc (malicious RTF remote template), optimized_MSI.png (image containing Base64-encoded .NET module)


Read more: https://feeds.fortinet.com/~/940295429/0/fortinet/blog/threat-research~New-Remcos-Campaign-Distributed-Through-Fake-Shipping-Document