In recent developments, cybersecurity analysts have unearthed a novel phishing scheme distributing a fileless variant of the Remcos Remote Access Trojan (RAT), a commercially available malware suite often exploited by cybercriminals.
Remcos RAT, according to Fortinet FortiGuard Labs expert Xiaopeng Zhang, is engineered to offer purchasers a diverse arsenal of capabilities, granting them expansive remote command over target systems. Unfortunately, bad actors have manipulated this legitimate tool to clandestinely siphon sensitive data from unsuspecting users, all while remotely orchestrating malicious operations.
This campaign initiates with a phishing email strategically disguised to mimic a purchase order, effectively baiting recipients into opening a seemingly benign Microsoft Excel attachment. The compromised Excel file leverages a known remote code execution vulnerability in Microsoft Office (CVE-2017-0199, CVSS score: 7.8) to surreptitiously retrieve an HTML Application (HTA) file—dubbed “cookienetbookinetcahce.hta”—from a remote server address (“192.3.220[.]22”). This file is then executed via mshta.exe.
The HTA file itself is meticulously cloaked, shrouded in multiple layers of JavaScript, Visual Basic Script, and PowerShell code to escape detection. Its core function is to acquire and run an executable file from the same server.
Upon execution, this binary initiates an additional obfuscated PowerShell script, embedding various anti-detection and anti-debugging tactics to frustrate security analysts. Subsequently, the malicious script employs process hollowing, a technique that discreetly implants Remcos RAT into memory without ever storing it as a distinct file on the system.
“This variant does not save the Remcos file locally, opting instead to inject it directly into the memory space of the current process,” Zhang elaborated, highlighting the fileless nature of this particular Remcos strain.
Once activated, Remcos RAT proves capable of exfiltrating a range of data from the infected machine, including system metadata. Additionally, it facilitates remote directives from a command-and-control (C2) server, enabling its operators to pilfer files, terminate or enumerate processes, modify system services, manipulate the Windows Registry, and execute various scripts or commands. The RAT can even capture clipboard contents, alter desktop settings, activate the victim’s camera or microphone, deploy additional malware payloads, record screen activity, and, if needed, disable keyboard and mouse input.
This revelation coincides with findings from Wallarm, which noted that cybercriminals are exploiting DocuSign APIs to dispatch fake invoices that carry an aura of legitimacy, targeting unsuspecting users on a broader scale.
This sophisticated attack methodology involves the establishment of an authentic DocuSign account, enabling malefactors to customize templates and directly harness the API. With these accounts, they create fraudulent invoice templates under the guise of reputable brands, such as Norton Antivirus, tricking recipients into believing the communication is genuine.
“Contrary to traditional phishing tactics that rely on deceptive emails and malicious URLs, these incidents make use of verified DocuSign accounts and templates to masquerade as well-established firms, thereby slipping past both users and security defenses,” the company stated.
When users proceed to electronically sign these documents, attackers can utilize the signed files to seek payment from the target entity outside DocuSign’s framework or, alternatively, transmit the signed document through DocuSign to the organization’s finance department as a payment request.
Meanwhile, other phishing campaigns have also surfaced, utilizing an unconventional ZIP file concatenation technique to evade security mechanisms and disseminate remote access trojans to targets. This approach fuses multiple ZIP archives into a single file, exploiting inconsistencies in how different programs—like 7-Zip, WinRAR, and Windows File Explorer—interpret and unpack these files. This discrepancy can inadvertently permit the delivery of malicious payloads.
“Through exploiting variances in how ZIP readers and archival tools process concatenated ZIP files, attackers embed malware that targets users of specific applications,” Perception Point outlined in a recent disclosure.
These cyber assailants recognize that certain tools may overlook or fail to detect concealed malware within concatenated archives, thus facilitating undetected payload delivery for specific software users.
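The parsing discrepancy described above can be checked for on the defensive side. The following is an added example, not code from Perception Point's disclosure: it constructs two small archives, glues them together, shows that a reader which trusts only the last End-of-Central-Directory (EOCD) record (Python's own zipfile) reports just the second archive's entries, and then enumerates every embedded archive by splitting the blob at each EOCD record. File names and contents are constructed placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End-of-Central-Directory record signature


def build_zip(name: str, data: bytes) -> bytes:
    """Build a single-entry, uncompressed ZIP archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def sample_blob() -> bytes:
    """Two constructed archives concatenated, mirroring the evasion technique."""
    benign = build_zip("invoice.txt", b"benign text")
    hidden = build_zip("payload.exe", b"MZ-placeholder")  # placeholder, not a real binary
    return benign + hidden


def reader_view(blob: bytes) -> list[str]:
    """Entries seen by a reader that honours only the last EOCD record."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def find_eocd_offsets(blob: bytes) -> list[int]:
    """Every offset of an EOCD signature; a well-formed archive has exactly one.
    (A signature inside a ZIP comment or compressed data would be a false hit.)"""
    offsets, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) != -1:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets


def is_concatenated(blob: bytes) -> bool:
    """Flag files carrying more than one EOCD record for closer inspection."""
    return len(find_eocd_offsets(blob)) > 1


def embedded_archives(blob: bytes) -> list[list[str]]:
    """Split the blob at each EOCD record and list the entries of every
    embedded archive, so a payload hidden in an earlier segment is not missed."""
    archives, start = [], 0
    for off in find_eocd_offsets(blob):
        comment_len = struct.unpack_from("<H", blob, off + 20)[0]
        end = off + 22 + comment_len  # fixed 22-byte EOCD plus optional comment
        with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
            archives.append(zf.namelist())
        start = end
    return archives
```

Running `embedded_archives(sample_blob())` yields both entry lists, while `reader_view` returns only the second archive's name.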
Furthermore, a threat entity identified as “Venture Wolf” has been linked to a series of phishing attacks targeting Russian sectors in manufacturing, construction, information technology, and telecommunications, deploying MetaStealer—a fork of the infamous RedLine Stealer malware.