New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign using the Remcos RAT has been detected. The attack begins with an email carrying a malicious Excel document that exploits CVE-2017-0199. When the document is opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and execute obfuscated code that employs various anti-analysis techniques. The malware then performs process hollowing to inject Remcos into a new process and maintains persistence through registry modifications. Remcos communicates with its C2 server, collects system information, and awaits further commands. The RAT has extensive capabilities for remote control and data exfiltration from the victim's device.
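The delivery chain above (Excel document, then an HTA via mshta.exe, then a dropped EXE, then PowerShell) leaves a recognisable parent/child lineage in process-creation telemetry. The following is an added detection example, not code from the report or from any vendor; the events are constructed, and the dropped-EXE name `update.exe` is a placeholder since the report does not name it.

```python
"""Flag the Office -> mshta.exe -> ... -> shell lineage from process events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lowercase executable name


# Constructed sample telemetry mirroring the reported chain (not real IoCs).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "excel.exe"),
    ProcEvent(300, 200, "mshta.exe"),      # CVE-2017-0199 hands off to an HTA
    ProcEvent(400, 300, "update.exe"),     # placeholder name for the dropped EXE
    ProcEvent(500, 400, "powershell.exe"),  # loads the obfuscated stage
    ProcEvent(600, 100, "notepad.exe"),    # benign, must not be flagged
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def ancestry(events, pid):
    """Return the image chain from the root down to pid (oldest first)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def flagged_chains(events):
    """Return lineages where an Office app leads, via an HTA host, to a shell."""
    hits = []
    for e in events:
        if e.image not in SHELLS:
            continue
        chain = ancestry(events, e.pid)
        office_at = next((i for i, img in enumerate(chain) if img in OFFICE), None)
        if office_at is not None and any(img in SCRIPT_HOSTS for img in chain[office_at:]):
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for chain in flagged_chains(SAMPLE_EVENTS):
        print("suspicious lineage:", " -> ".join(chain))
```

Real deployments should also alert on the Run-key write that provides persistence and on the subsequent outbound C2 connection from the hollowed process, but the lineage check alone already fires before Remcos is injected.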