Emerging Remcos RAT Targets Microsoft Users: Full Device Takeover Threat

November 11, 2024

Windows users are under threat from a new malicious version of the Remcos remote administration tool. It is being used in a persistent campaign that exploits a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad. Threat actors have modified the Remcos remote access tool, wrapping its malware code in multiple scripting languages, including JavaScript, VBScript, and PowerShell, to evade detection and gain full control over Microsoft Windows devices.

Fortinet researcher Xiaopeng Zhang has issued a warning to Microsoft Windows users about an ongoing campaign using this malicious version of Remcos RAT. The campaign exploits a known RCE vulnerability that occurs when unpatched Microsoft Office and WordPad instances parse files. The attack chain begins with a phishing email designed to trick users into clicking an Excel file disguised as a business order. Once the file is opened, it exploits the bug (CVE-2017-0199) and downloads the malware payload.

Zhang explains, "Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis." Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. The malware then runs a piece of heavily obfuscated PowerShell code that only works on the 32-bit PowerShell process.

The malware employs sophisticated evasion techniques to avoid analysis. These include installing a vectored exception handler and using system APIs in a hard-to-track manner. It also calls the Windows API ZwSetInformationThread() to check for a debugger. Zhang further explains, "The malicious code calls API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This mechanism in Windows can conceal a thread’s existence from debuggers. If a debugger is attached to the current process, it exits immediately once the API is called."

The malware uses an API hooking technique to further evade detection. It simulates executing multiple API instructions and then jumps to the API to execute the rest of the instructions. If any detection conditions are triggered, the current process (PowerShell.exe) can become unresponsive, crash, or exit unexpectedly.

The threat actors download an encrypted file with the malicious version of Remcos RAT that is run in the current process's memory, making this latest variant fileless. Zhang adds, "Remcos collects some basic information from the victim's device. It then encrypts and sends the collected data to its C2 server to register that the victim's device is online and ready to be controlled."
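The process chain described above (Excel lure, dropped dllhost.exe, obfuscated 32-bit PowerShell), as an added detection example that is not part of the original article or Fortinet's research: it scores constructed Sysmon-style process-creation events against those traits. The field names, the parent/child relationships in the sample events, the %AppData% path for dllhost.exe and the allowlists are assumptions.

```python
"""Flag process-creation events matching the Remcos delivery chain."""
import re

# Document parents that should rarely spawn arbitrary executables (assumed list)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "wordpad.exe"}
# Children Office legitimately spawns, e.g. for printing (assumed allowlist)
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe"}
# 32-bit PowerShell on a 64-bit host lives under SysWOW64
PS32 = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
APPDATA = re.compile(r"\\appdata\\", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a long Base64 run
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule that fires for one event, in rule order."""
    hits = []
    img, parent, cmd = event["image"], event["parent_image"], event["command_line"]
    if basename(parent) in OFFICE_PARENTS and basename(img) not in OFFICE_ALLOWED_CHILDREN:
        hits.append("office_spawns_process")       # CVE-2017-0199 style delivery
    if basename(img) == "dllhost.exe" and APPDATA.search(img):
        hits.append("dllhost_outside_system32")    # real dllhost.exe lives in System32
    if PS32.search(img) and basename(parent) not in INTERACTIVE_PARENTS:
        hits.append("wow64_powershell_unusual_parent")
    if ENCODED.search(cmd):
        hits.append("encoded_powershell")          # Base64-wrapped script stage
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed sample events; the first two model the chain, the third is benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Roaming\dllhost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"C:\Users\bob\AppData\Roaming\dllhost.exe"},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\bob\AppData\Roaming\dllhost.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc " + "A" * 60},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```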

Darren Guccione, CEO and founder of Keeper Security, emphasizes that low-tech phishing and social engineering are among the most dangerous enterprise cybersecurity threats. He states, "Preventing these attacks requires a combination of technical defenses and employee awareness. Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense."

Stephen Kowski, field CTO for SlashNext Email Security+, suggests a multi-faceted approach to protection. He advises, "Protection requires a multi-faceted approach: keeping Microsoft Office fully patched, implementing advanced email security to detect and block malicious attachments in real time, and deploying modern endpoint security to identify suspicious PowerShell behaviors. Most critically, since this attack relies on social engineering through phishing emails, organizations should ensure their employees receive regular security awareness training focused on identifying suspicious attachments and purchasing order-themed lures."
