• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Security
  • A new fileless variant of Remcos RAT observed in the wild

A new fileless variant of Remcos RAT observed in the wild

Pierluigi Paganini November 11, 2024

Fortinet researchers discovered a new phishing campaign spreading a variant of the commercial malware Remcos RAT.

Fortinet’s FortiGuard Labs recently uncovered a phishing campaign spreading a new variant of the Remcos RAT.

Remcos is a commercial remote administration tool (RAT) that is sold online to allow buyers remote control over computers. Threat actors use Remcos to steal sensitive information and control victims’ computers for malicious activities.

The phishing messages contain a malicious Excel document disguised as an order file to trick the recipient into opening the document. Upon opening the file, the RCE vulnerability CVE-2017-0199 is exploited.

Remcos RAT phishing

Since 2017, threat actors leveraged weaponized Rich Text File (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.

Once the CVE-2017-0199 is exploited, it downloads an HTA file and executes it on the recipient’s device.

In this attack, MS Excel program accesses a shortened URL that redirects to a specific IP address, downloading an HTA (HTML Application) file. This file, executed by the Windows application mshta.exe via Excel’s DCOM components, initiates the attack chain.

The researchers noticed that the HTA file is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, in an attempt to evade detection.

The downloaded HTA file executed by mshta.exe runs PowerShell code to download a malicious EXE file, dllhost.exe, onto the victim’s device. Once executed, dllhost.exe extracts files into the %AppData% folder, then runs PowerShell to load and execute hidden malicious code. This PowerShell script reads and executes content from an extracted file, Aerognosy.Res, which invokes further commands. Obfuscated PowerShell code then copies dllhost.exe to %temp%, renames it to Vaccinerende.exe, hides the PowerShell process, loads malicious code in memory, and runs it using API calls like VirtualAlloc() and CallWindowProcA().

“The malicious code performs process hollowing to put itself into a newly created Vaccinerende.exe process (copied from dllhost.exe). To do this, it calls the API CreateProcessInternalW() with CreatFlags of CREATE_SUSPENDED (0x4), which will suspend the new process after it is created. It then calls some related APIs to transfer all the malicious code to the new process and run it.” reads the analysis published by Fortinet.

The malicious code uses process hollowing to stealthily download and execute the final payload, the Remcos RAT, granting attackers remote control over the infected system.

The malicious code maintains persistence by adding a new auto-run item to the system registry.

The malicious code downloads an encrypted Remcos RAT file from a remote server, using APIs such as InternetOpenA(), InternetOpenUrlA(), and InternetReadFile() to facilitate the download. After decryption, it loads a fileless version of the Remcos RAT directly into memory within the current process (Vaccinerende.exe). The RAT is then activated on a new thread by calling the undocumented API NtCreateThreadEx(), allowing it to run covertly without leaving a trace on disk.

Remcos RAT allows operators to gather multiple data from infected devices, including system metadata, and execute remote commands. The malware supports multiple commands to carry out malicious activities such as file harvesting, process and service management, registry editing, script execution, clipboard capture, altering the desktop, activating the camera and microphone, downloading more payloads, screen recording, and disabling keyboard or mouse input.

Fortinet’s report also includes Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)


facebook linkedin twitter

you might also like

Pierluigi Paganini July 06, 2025
Hunters International ransomware gang shuts down and offers free decryption keys to all victims
Read more
Pierluigi Paganini July 06, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Hunters International ransomware gang shuts down and offers free decryption keys to all victims

    Cyber Crime / July 06, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

    Security / July 06, 2025

    Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 06, 2025

    North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

    Malware / July 05, 2025

    Critical Sudo bugs expose major Linux distros to local Root exploits

    Security / July 04, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT