Revamped Remcos RAT Deployed Against Microsoft Windows Users

Published: 23/11/2024   Category: security




Windows users are at risk for full device takeover by an emerging malicious version of the Remcos remote admin tool, which is being used in an ongoing campaign exploiting a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad.



Threat actors have given the commercially available Remcos remote access tool a new malicious makeover, wrapping its malware code in several layers of varying script languages, including JavaScript, VBScript, and PowerShell, to avoid detection and analysis and achieve full takeover of Microsoft Windows devices.
New findings from Fortinet researcher Xiaopeng Zhang warn Microsoft Windows users about a new campaign using this new-and-improved version of Remcos RAT that exploits a known remote code execution (RCE) vulnerability arising from how unpatched Microsoft Office and WordPad instances parse files.
The attack chain starts with a phishing email intended to lure users into clicking an Excel file disguised as a business order, according to the report. Once the file is opened, it exploits the bug (CVE-2017-0199) and downloads the malware payload.
Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64 encoding, URL encoding, and PowerShell, to protect itself from detection and analysis, according to the researcher. Once the downloaded executable, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files.
From there, the host runs a piece of heavily obfuscated PowerShell code that, importantly, works only in the 32-bit PowerShell process, the report added.
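As an added defender-side illustration (not code from the report or from Fortinet), the following Python applies the chain described above, an Office or WordPad ancestor, a dropper running from %AppData%, and a 32-bit PowerShell child, to a constructed set of process-creation events; the event shape, paths and PIDs are assumptions for the example.

```python
import ntpath
from dataclasses import dataclass

OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "WORDPAD.EXE"}  # parsers the report names
@dataclass
class ProcEvent:  # one process-creation record (Sysmon Event ID 1 style, simplified)
    pid: int
    ppid: int
    image: str

# Constructed sample telemetry, not data from the Fortinet report: Excel runs a
# dropped dllhost.exe from AppData, which in turn launches 32-bit PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Roaming\dllhost.exe"),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign 64-bit PowerShell started by the user from Explorer: must not fire.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

def is_32bit_powershell(image: str) -> bool:
    # On 64-bit Windows the 32-bit PowerShell host lives under SysWOW64.
    low = image.lower()
    return low.endswith("\\powershell.exe") and "\\syswow64\\" in low
def in_user_appdata(image: str) -> bool:
    # %AppData% is where the report says the dropper unpacks its files.
    return "\\appdata\\" in image.lower()
def ancestry(events, pid):
    # Walk the parent chain upward from pid; stop on unknown parents or cycles.
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain
def find_suspicious_powershell(events):
    # PIDs of 32-bit PowerShell whose parent runs from %AppData% under an Office ancestor.
    hits = []
    for e in events:
        if not is_32bit_powershell(e.image):
            continue
        chain = ancestry(events, e.pid)  # chain[0] is e itself, chain[1] its parent
        parent = chain[1] if len(chain) > 1 else None
        office_above = any(ntpath.basename(a.image).upper() in OFFICE_APPS for a in chain[2:])
        if parent and in_user_appdata(parent.image) and office_above:
            hits.append(e.pid)
    return hits
```

Run against the constructed events it flags only PID 400; the same three conditions map directly onto a process-creation rule in any EDR or SIEM that records parent image paths.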
Next, the malware runs self-decryption code hidden beneath a rat's nest (pun intended) of unnecessary code to avoid analysis. But that isn't the only sophisticated evasion technique used by the latest version of malicious Remcos RAT. According to the report, the campaign throws up several analysis roadblocks throughout the attack chain, including installing a vectored exception handler and resolving and calling system APIs in an inconsistent, hard-to-track way. It also calls the ZwSetInformationThread() API to check for a debugger, the report added.
The malicious code calls API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This mechanism in Windows can conceal a thread’s existence from debuggers, explained Zhang. If a debugger is attached to the current process, it exits immediately once the API is called.
The malware further uses an API hooking technique to avoid detection.
The malicious code simulates executing multiple API instructions (say, two instructions) at the beginning and then jumps to the API to execute the rest of the instructions (beginning with the 3rd instruction), according to the report. Whenever any ... detection conditions are triggered, the current process (PowerShell.exe) can become unresponsive, crash, or exit unexpectedly.
Once ready, the threat actors download an encrypted file with the malicious version of Remcos RAT that is run in the current process's memory, effectively making this latest variant fileless, the report pointed out.
Remcos collects some basic information from the victim's device, Zhang added. It then encrypts and sends the collected data to its C2 server to register that the victim's device is online and ready to be controlled.
Anti-analysis and tricky obfuscation techniques aside, Darren Guccione, CEO and founder of Keeper Security, noted in an emailed statement that low-tech phishing and social engineering remain among the most dangerous enterprise cybersecurity threats.
Preventing these attacks requires a combination of technical defenses and employee awareness, he wrote. Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense.
Robust endpoint security should also be a priority to defend against these types of attacks, as well as a basic patch management strategy, according to a statement from Stephen Kowski, field CTO for SlashNext Email Security+.
Protection requires a multi-faceted approach: keeping Microsoft Office fully patched, implementing advanced email security to detect and block malicious attachments in real time, and deploying modern endpoint security to identify suspicious PowerShell behaviors, Kowski commented. Most critically, since this attack relies on social engineering through phishing emails, organizations should ensure their employees receive regular security awareness training focused on identifying suspicious attachments and purchasing order-themed lures.
