New Campaign Leverages Remcos RAT to Target Victims

FortiGuard Labs uncovered a high-severity phishing campaign using a malicious Excel file that exploits CVE-2017-0199 to download and execute an HTA, ultimately delivering a fileless variant of the Remcos RAT that runs in memory and gives attackers full remote control. The campaign uses multi-stage loaders, heavy obfuscation, process hollowing, and registry persistence to evade analysis and survive reboots. #Remcos #CVE-2017-0199

Key points

  • Phishing emails carry a malicious Excel attachment that contains a crafted OLE object and a short URL that together trigger the exploit.
  • The Excel file exploits CVE-2017-0199 to download and execute an HTA via mshta.exe, initiating the multi-stage loader.
  • Loader stages use multiple scripting languages (JS, VBScript, PowerShell, Base64/URL encoding) to fetch dllhost.exe and execute obfuscated code.
  • The attack uses advanced anti-analysis techniques (vectored exception handlers, API hashing/hooking, ZwSetInformationThread checks) to detect and evade debuggers.
  • Process hollowing and in-memory deployment result in a fileless Remcos variant that communicates with a C2 (107[.]173[.]4[.]16:2404) and exposes many remote-control features.
  • Fortinet’s FortiGuard services (AntiSpam, Web Filtering, IPS, Antivirus, CDR) detect and block multiple stages of the campaign.

MITRE Techniques

  • [T1566] Phishing – Deceptive emails are used to deliver the malicious Excel attachment (‘Utilizes deceptive emails to trick users into opening malicious attachments.’)
  • [T1203] Exploitation for Client Execution – CVE-2017-0199 is exploited in Office/WordPad parsing to execute code and download an HTA (‘Exploits vulnerabilities in software to execute code remotely.’)
  • [T1071] Application Layer Protocol – Remcos communicates with its C2 using network channels and configured C2 IP/port (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1547] Boot or Logon Autostart Execution – The malware adds an autorun registry entry to persist across reboots (‘Modifies the system registry to maintain access across reboots.’)
  • [T1027] Obfuscated Files or Information – Multiple encodings and layered scripting (Base64, URL-encoding, PowerShell obfuscation) are used to evade detection (‘Uses various encoding and obfuscation techniques to evade detection.’)
  • [T1093] Process Hollowing – The loader performs process hollowing into Vaccinerende.exe to execute payload code covertly (‘Injects malicious code into a legitimate process to execute it covertly.’)

Indicators of Compromise

  • [URLs] download and loader locations – hxxps://og1[.]in/2Rxzb3, hxxp://192[.]3[.]220[.]22/430/dllhost.exe, and 2 more URLs
  • [IP addresses] download and C2 infrastructure – 192[.]3[.]220[.]22, 107[.]173[.]4[.]16
  • [C2 server] command-and-control endpoint – 107[.]173[.]4[.]16:2404 (used by Remcos for encrypted communications)
  • [File hashes] samples identified – 4A670E3D4B8481CED88C74458FEC448A0FE40064AB2B1B00A289AB504015E944 (PO-9987689987.xls), 24A4EBF1DE71F332F38DE69BAF2DA3019A87D45129411AD4F7D3EA48F506119D (Remcos), and 4 more hashes
  • [File names] dropped/executed artifacts – PO-9987689987.xls, dllhost.exe (copied/renamed to Vaccinerende.exe)
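The indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident; to use them in a log search they have to be refanged and then matched. The following Python is an added example written for this page, not FortiGuard's or Fortinet's code: it refangs the URLs, IPs and C2 endpoint listed above, scans constructed key=value proxy/firewall log lines (not real telemetry) for them, and reports each hit in defanged form. The log format and the sample lines are assumptions made for the example.

```python
"""Refang the defanged IoCs listed in the summary and match them against
constructed proxy/firewall log lines. Added example, not Fortinet's code."""
import re

# Indicators exactly as the summary lists them (defanged form).
DEFANGED_IOCS = {
    "url": ["hxxps://og1[.]in/2Rxzb3", "hxxp://192[.]3[.]220[.]22/430/dllhost.exe"],
    "ip": ["192[.]3[.]220[.]22", "107[.]173[.]4[.]16"],
    "c2": ["107[.]173[.]4[.]16:2404"],
}

# Constructed sample log lines (assumed key=value format, not real telemetry).
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:01Z src=10.0.0.5 dst=172.217.1.1 dport=443 url=https://www.example.com/",
    "ts=2024-01-01T10:00:07Z src=10.0.0.5 dst=192.3.220.22 dport=80 url=http://192.3.220.22/430/dllhost.exe",
    "ts=2024-01-01T10:00:09Z src=10.0.0.5 dst=107.173.4.16 dport=2404",
    "ts=2024-01-01T10:00:12Z src=10.0.0.7 dst=107.173.4.16 dport=443",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], [:]) back into its live form."""
    live = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", live, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Defang only the scheme and host part, so a URL path such as
    dllhost.exe keeps its real dot and the transform round-trips."""
    m = re.match(r"^(https?://)?([^/:]+)(.*)$", indicator, re.IGNORECASE)
    scheme, host, rest = m.groups()
    scheme = (scheme or "").replace("http", "hxxp")
    return scheme + host.replace(".", "[.]") + rest


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, ioc_type, defanged_indicator) for every match.
    IPs are matched on dst, the C2 on dst:dport, URLs on exact normalized url."""
    live = {t: {refang(i) for i in vals} for t, vals in iocs.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        dst, dport, url = f.get("dst"), f.get("dport"), f.get("url")
        if dst in live["ip"]:
            hits.append((n, "ip", defang(dst)))
        if dst and dport and f"{dst}:{dport}" in live["c2"]:
            hits.append((n, "c2", defang(f"{dst}:{dport}")))
        if url in live["url"]:
            hits.append((n, "url", defang(url)))
    return hits


if __name__ == "__main__":
    for line_no, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} match {ioc}")
```

Line 4 of the sample matches the IP indicator but not the C2 indicator, because the C2 entry is the IP:port pair; keeping the two indicator types separate lets a hit on port 2404 be ranked higher than generic traffic to the same host.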

————
Fortinet’s FortiGuard Labs analyzed a phishing campaign that begins with a seemingly innocuous Excel attachment. The document contains a crafted OLE object that triggers CVE-2017-0199 when opened, causing Excel to follow a short URL that redirects to an HTA payload. That HTA, executed via mshta.exe, uses layered scripting (JavaScript, VBScript, PowerShell with Base64/URL encoding) to download a staged executable (dllhost.exe) and launch a 32-bit PowerShell process that loads and runs obfuscated malicious code.

The loader extracts multiple supporting files into %AppData%, then uses PowerShell to deploy and self-decrypt code in memory. The attack employs many anti-analysis techniques—vectored exception handlers, dynamic API resolution with name hashing, API hooking and checks (ZwSetInformationThread, ZwQueryInformationProcess), and debugger-detection via debug registers—to thwart analysts. After passing those checks it performs process hollowing into a spawned Vaccinerende.exe process and keeps a fileless Remcos instance running in memory, initialized by an encrypted settings block that includes its C2 (107[.]173[.]4[.]16:2404) and enabled features like keylogging, screenshots, and remote command execution.
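The execution chain described in the two paragraphs above (Excel opening the document, mshta.exe running the HTA, a 32-bit PowerShell loader, a drop under %AppData%, a Run-key autorun entry and the C2 connection) can be expressed as parent-child and behaviour rules over endpoint telemetry. The Python below is an added example for this page, not FortiGuard's detection logic: it walks constructed Sysmon-style events (event IDs 1, 3 and 13 follow Sysmon's numbering; PIDs, paths, the Run value name and the AppData path are assumptions) and raises an alert for each stage of the chain while leaving an unrelated notepad.exe process alone.

```python
"""Behavioural detection of the Excel -> mshta.exe -> powershell.exe chain,
an %AppData% drop, Run-key persistence and the C2 connection over constructed
Sysmon-style events. Added example, not FortiGuard's code."""

# Constructed events (not real telemetry). id 1 = process create,
# 13 = registry value set, 3 = network connection (Sysmon numbering).
# PIDs, paths and the Run value name are assumptions for the example.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Users\bob\AppData\Roaming\Vaccinerende.exe"},
    {"id": 13, "pid": 400, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vaccinerende"},
    {"id": 3, "pid": 500, "dst": "107.173.4.16", "dport": 2404},
    {"id": 1, "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 3, "pid": 600, "dst": "93.184.216.34", "dport": 443},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> process-create event so parents can be looked up."""
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(procs, pid):
    """Return image basenames from pid up to the root; stops at an unknown
    parent or a cycle (PID reuse can otherwise loop forever)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events, c2=("107.173.4.16", 2404)):
    """Return (rule_name, pid) alerts for each stage of the described chain."""
    procs = build_tree(events)
    alerts = []
    for e in events:
        if e["id"] == 1:
            chain = ancestry(procs, e["pid"])
            name, parent = chain[0], (chain[1] if len(chain) > 1 else None)
            # Office app directly launching a script host (CVE-2017-0199 style).
            if name in SCRIPT_HOSTS and parent in OFFICE:
                alerts.append(("office_spawns_script_host", e["pid"]))
            # PowerShell with mshta.exe and an Office app somewhere above it.
            if name == "powershell.exe" and "mshta.exe" in chain[1:] \
                    and any(a in OFFICE for a in chain):
                alerts.append(("office_mshta_powershell_chain", e["pid"]))
            # Binary under %AppData% started by a script-host ancestor.
            if "\\appdata\\" in e["image"].lower() \
                    and any(a in SCRIPT_HOSTS for a in chain[1:]):
                alerts.append(("appdata_exec_from_script_host", e["pid"]))
        elif e["id"] == 13:
            # Run-key autorun written by a process in a script-host lineage.
            if "\\currentversion\\run\\" in e["target"].lower() \
                    and any(a in SCRIPT_HOSTS for a in ancestry(procs, e["pid"])):
                alerts.append(("run_key_persistence_from_script_host", e["pid"]))
        elif e["id"] == 3:
            # Outbound connection to the documented Remcos C2 endpoint.
            if (e["dst"], e["dport"]) == c2:
                alerts.append(("known_c2_connection", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The C2 rule is the only one that depends on a static indicator; the other four fire on relationships between processes, so they keep working when the infrastructure changes, and the hollowed Vaccinerende.exe process is caught by its AppData location and its lineage rather than by its name.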

Fortinet notes that customers are protected through FortiGuard Web Filtering (labels the URLs malicious), FortiMail (detects the phishing email), FortiGuard IPS (signatures for the CVE-2017-0199 exploit), FortiGuard Antivirus (signatures for the Excel, HTA, loader and Remcos artifacts), and CDR to disarm embedded objects. Administrators should ensure signatures and protections are up to date, block the listed URLs/IPs, and educate users to avoid opening unexpected attachments. Read more: https://feeds.fortinet.com/~/907586438/0/fortinet/blog/threat-research~New-Campaign-Uses-Remcos-RAT-to-Exploit-Victims