Excel Exploit Used to Deploy Fileless Remcos RAT

A new phishing campaign has been exposed involving a fileless variant of the Remcos RAT malware, which is being spread via an exploit in Microsoft Excel. Cybersecurity experts at Fortinet recently highlighted the methods used by the attackers.

The attack begins with a phishing email disguised as a purchase order, enticing recipients to open a booby-trapped Excel document. This document exploits a known remote code execution vulnerability in Microsoft Office (CVE-2017-0199), which has a high severity CVSS score of 7.8. Once activated, the exploit downloads an HTML Application (HTA) file named “cookienetbookinetcahce.hta” from a remote server (IP: 192.3.220[.]22) and runs it via mshta.exe.

The downloaded HTA file, cloaked in layers of JavaScript, Visual Basic Script, and PowerShell, functions as a launchpad for further malware retrieval, undetected by security tools. It pulls an executable for an obfuscated PowerShell program, which uses anti-analysis techniques to resist examination. The payload ultimately injects and runs the Remcos RAT directly in memory, making it fileless.

Remcos (Remote Control and Surveillance) RAT (Remote Access Trojan) is a powerful tool for information harvesting. It allows attackers to collect data like system metadata and execute various commands through a command-and-control (C2) server. Potential actions include file exfiltration, process manipulation, Windows Registry editing, system service management, clipboard monitoring, and webcam or microphone control. It can also deploy other payloads, record screens, and disable user input.

The discovery of this campaign also comes alongside another report from Wallarm, which warns that threat actors are misusing Docusign APIs for phishing scams involving fake invoices. By creating legitimate Docusign accounts, attackers can craft invoice templates impersonating well-known companies, tricking recipients into signing documents and authorizing payments under false pretenses.