{"id":57651,"date":"2024-11-12T15:01:52","date_gmt":"2024-11-12T15:01:52","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36584\/Remcos-RAT-Now-Exploiting-Microsoft-Excel-Files.html"},"modified":"2024-11-12T15:01:52","modified_gmt":"2024-11-12T15:01:52","slug":"remcos-rat-now-exploiting-microsoft-excel-files","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/remcos-rat-now-exploiting-microsoft-excel-files\/","title":{"rendered":"Remcos RAT Now Exploiting Microsoft Excel Files"},"content":{"rendered":"
<\/div>\n

A new phishing campaign that exploits a high-severity bug from 2017 has been discovered in the wild spreading a new variant of the Remcos<\/a> remote access trojan (RAT), which was among the Top Ten malware strains of 2021.<\/p>\n

In a Nov. 8 blog post<\/a>, researchers from FortiGuard Labs said that the new RAT gets initiated by a phishing email that contains a malicious Excel document.<\/p>\n

Attackers then use the new RAT to leverage the old bug \u2013 CVE-2017-0199<\/a> \u2013 which exploits how Microsoft Office and WordPad parse specially-crafted files. Once the victim opens the attached Excel file, it lets attackers gain backdoor access to infected systems and then collect a variety of sensitive information.<\/p>\n

\u201cCVE-2017-0199 is exploited once the Excel file is opened on the victim\u2019s device,\u201d wrote the FortiGuard researchers. \u201cIt then downloads an HTA file and executes it on the device. Multiple script languages are leveraged to download an EXE file (dllhost.exe), which then starts the 32-bit PowerShell process to load the malicious code from extracted files and execute it in the PowerShell<\/a> process.\u201d<\/p>\n

Jason Soroko, senior fellow at Sectigo, explained that using an older vulnerability in a new campaign highlights that many systems remain unpatched. Soroko said the attackers are exploiting delayed patch management in organizations, exposing them to risks from known vulnerabilities.<\/p>\n

\u201cExploit kits and tutorials for CVE-2017-0199 are readily available on underground forums, lowering the barrier to entry,\u201d said Soroko. \u201cSince the attack relies on convincing users to open documents, attackers can exploit human vulnerabilities, which is often easier than bypassing technical safeguards.\u201d<\/p>\n

Darren Guccione, co-founder and CEO at Keeper Security, said in this campaign attackers use convincing purchase order emails to lure recipients into opening a malicious Excel attachment. Once opened, the file exploits this older remote code execution flaw, triggering malicious scripts that eventually launch Remcos RAT. With its use of anti-detection techniques, the malware can evade standard antivirus tools, making it difficult to stop.<\/p>\n

\u201cPreventing these attacks requires a combination of technical defenses and employee awareness,\u201d said Guccione. \u201cOrganizations should ensure Office applications are regularly updated, enable email filtering and provide training to help employees spot sophisticated phishing attempts. Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense.\u201d<\/p>\n

Tyler Hudak, director of incident response at Inversion6, pointed out that this Excel exploit was released in 2017 and does not affect Office programs after Microsoft Office 2016 and operating systems after Windows Vista and Windows Server 2012. Hudak said if the organization has a robust patching program or has since updated to a newer version of Office (including Microsoft365) or Windows, then this exploit will not affect them. However, if they have not, then this exploit could lead to compromised systems within an organization.<\/p>\n

Hudak identified several options that can assist organizations in preventing similar exploits in the future:<\/p>\n

\n