Ethical Hacking News
A new phishing campaign exploits a known remote code execution flaw in Microsoft Office to spread fileless variants of the notorious Remcos RAT malware. The attack leverages purchase order-themed lures to trick recipients into opening malicious Excel attachments, highlighting the ongoing evolution of sophisticated cybersecurity threats.
A sophisticated phishing campaign uses a known remote code execution flaw in Microsoft Office to spread fileless variants of the Remcos RAT.The attack utilizes purchase order-themed lures and exploits CVE-2017-0199 vulnerability with a CVSS score of 7.8.The malicious code evades detection by traditional security tools through layers of JavaScript, Visual Basic Script, and PowerShell code.A "fileless variant" of Remcos RAT is used, where malware retrieves executable files from a remote server without saving itself locally on disk.Threat actors impersonate reputable companies using modified Docusign templates to execute phishing attacks at scale.A ZIP file concatenation technique is exploited to bypass security tools by varying how different programs unpack concatenated files.A threat actor known as Venture Wolf targets Russian manufacturing, construction, IT, and telecommunications sectors with MetaStealer malware.
The cybersecurity landscape continues to evolve, and recent discoveries have shed light on a sophisticated phishing campaign that leverages a known remote code execution flaw in Microsoft Office to spread fileless variants of the notorious commercial malware, Remcos RAT. This attack utilizes a familiar vector – purchase order-themed lures – to trick recipients into opening malicious Excel attachments. The attack's starting point is a phishing email designed to exploit the CVE-2017-0199 vulnerability, which has been reported to have a CVSS score of 7.8. This indicates that the vulnerability is considered high-severity and potentially exploitable by threat actors.
Upon opening the attachment, users are prompted to download an HTML Application (HTA) file called "cookienetbookinetcahce.hta" from a remote server located at "192.3.220[.]22". The HTA file is wrapped in multiple layers of JavaScript, Visual Basic Script, and PowerShell code, which collectively aim to evade detection by traditional security tools. Its primary objective is to retrieve an executable file from the same server and execute it within the current process's memory.
This approach represents a "fileless variant" of Remcos RAT, as opposed to traditional malware that saves itself locally on disk before deployment. The malicious code uses various anti-analysis and anti-debugging techniques in an attempt to complicate detection efforts by security researchers and analysts.
Furthermore, the exploit is linked to another threat actor known for abusing Docusign APIs to send fake invoices that deceive unsuspecting users. In this instance, attackers create legitimate paid Docusign accounts with modified templates mirroring requests from well-known brands like Norton Antivirus. This tactic allows them to impersonate reputable companies and execute phishing attacks at scale.
Another unconventional phishing campaign utilizes ZIP file concatenation – a method where multiple ZIP archives are appended into a single file. Threat actors exploit the discrepancy in how different programs, including 7-Zip, WinRAR, and Windows File Explorer, unpack and parse such concatenated files to bypass security tools. This technique enables malicious payloads to be overlooked by detection systems.
The development also highlights a threat actor known as Venture Wolf linked to phishing attacks targeting Russian manufacturing, construction, IT, and telecommunications sectors with MetaStealer, a fork of the RedLine Stealer malware.
Recent discoveries illustrate the persistent evolution of cybersecurity threats, underscoring the need for vigilance in detecting and mitigating attacks. As the threat landscape continues to shift, it is crucial that users remain cautious when interacting with emails, attachments, and external services, and that security researchers continue to investigate and expose vulnerabilities to better arm defenders against these evolving threats.
Related Information:
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
https://nvd.nist.gov/vuln/detail/CVE-2017-0199
https://www.cvedetails.com/cve/CVE-2017-0199/
https://flare.io/learn/resources/blog/redline-stealer-malware/
https://nordvpn.com/blog/redline-stealer-malware/
Published: Mon Nov 11 01:14:30 2024 by llama3.2 3B Q4_K_M
