Hacking

New Fileless Phishing Attack Deploys Remcos RAT for Remote Control

Published  ·  3 min read
Updated on November 11, 2024

Cybersecurity researchers have recently uncovered a phishing campaign spreading a new, fileless variant of the well-known commercial malware Remcos RAT.

Fortinet FortiGuard Labs researcher Xiaopeng Zhang explained, “Remcos RAT provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer.” However, as he pointed out, “Threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts.”

The attack begins with a phishing email designed to look like a purchase order. This email lures recipients into opening a malicious Microsoft Excel attachment. The Excel file takes advantage of a known vulnerability in Office (CVE-2017-0199, CVSS score: 7.8) to initiate the download of an HTML Application (HTA) file named “cookienetbookinetcahce.hta” from a remote server at “192.3.220[.]22,” launching it with mshta.exe.

This HTA file is deeply layered with JavaScript, Visual Basic Script, and PowerShell code to avoid detection. Its role is to pull an executable file from the same server and run it. This executable then launches another PowerShell script and applies anti-analysis and anti-debugging techniques to evade detection. Finally, the malware uses process hollowing to download and run Remcos RAT.

According to Zhang, “Rather than saving the Remcos file into a local file and running it, it directly deploys Remcos in the current process’s memory.” This tactic makes it a fileless variant of Remcos.

Once installed, Remcos RAT is capable of harvesting extensive information from the infected system, such as system metadata, and can execute commands remotely sent by the attacker through a command-and-control (C2) server. This can include actions like accessing files, managing processes, altering Windows Registry entries, enabling the camera or microphone, recording the screen, and even disabling keyboard or mouse input.

The discovery coincides with a report by Wallarm on cybercriminals misusing Docusign APIs to send fake invoices that look legitimate. By using paid Docusign accounts, attackers can create templates mimicking well-known brands like Norton Antivirus. “Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm noted.

If a user signs these documents, the attacker can exploit it to request payments outside of DocuSign or send signed documents to finance departments for processing, potentially leading to financial losses.

Phishing campaigns are also exploring a tactic called ZIP file concatenation, allowing them to bypass security tools and deliver malware such as remote access trojans. This technique combines multiple ZIP archives into a single file, a strategy that takes advantage of how different programs like 7-Zip, WinRAR, and Windows File Explorer handle ZIP files.

Perception Point emphasized the security risks, stating, “By exploiting the different ways ZIP readers and archive managers process concatenated ZIP files, attackers can embed malware that specifically targets users of certain tools.” This method lets threat actors deliver malicious content to users using certain archive managers, leaving other programs unable to detect the threats.

In another development, a threat actor known as Venture Wolf has been identified using phishing attacks on Russian industries such as manufacturing, construction, IT, and telecommunications. The attacks deploy MetaStealer, a variant of the RedLine Stealer malware, further underscoring the continuous evolution and persistence of phishing tactics.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067