Remcos RAT Abuses Office Vulnerabilities to Target Businesses

According to Fortinet, the Remcos Remote Administration Tool (RAT) has been around since the second half of 2016. Its author, who goes by the nickname Viotto, sells it through a website whose Terms of Use page says that Remcos should not be used for malicious purposes. In much the same way, wealthy individuals buying a powerful sports car are probably told that they shouldn't exceed the speed limit. Yet they do.

There's a free version with limited functionality, but there's no shortage of cybercriminals willing to splash out between $60 and $390 for the bells-and-whistles Remcos RAT. Over the last few months, researchers have seen more than a few campaigns delivering it, though none of them has been particularly large. The one Cyren analyzed recently doesn't seem especially big either, but it is interesting nonetheless.

Apparently, it's aimed at businesses rather than individual users. The researchers said that they've seen victims all over the world, but noted that most of the affected organizations are in Asia, Russia, and the Middle East. The infection chain starts with an email crafted to look as if it comes from affiliates or employees of a well-known pharmaceutical company. The attachment poses as an invoice or a statement. So, from a social engineering standpoint, the threat actors have done everything they can to maximize their chances of a successful infection. From here on, they rely on victims not paying too much attention to what they're opening, and on two Office vulnerabilities.

When they open the attachment, the victims see a blank page and a warning that says "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" That is Word's ordinary prompt for a document containing linked objects; here the link points at a remote server, and if the victim clicks Yes, they trigger the exploit of CVE-2017-0199.

CVE-2017-0199 grabbed quite a few headlines back in April 2017, when it was publicly disclosed for the first time and patched. The flaw lies in how Office handles linked OLE2 objects: the Word process follows the link over HTTP, fetches whatever the remote server returns, and hands the response to a handler chosen from the server-supplied content type, so a file served as an HTML Application (HTA) is executed rather than displayed.

In the case of the current Remcos campaign, the downloaded file is another Word document pulled from a server at 23.92.211[.]215. The same IP, it would appear, has been used to host all manner of malicious files. The second Word document contains hidden text that exploits another vulnerability known as CVE-2017-8759.
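The linked-object mechanism described above leaves a footprint in the document itself, which makes triage straightforward before the file ever reaches Word. The following is an added example, not code from Cyren's report or from any of the samples: it pulls every OLE relationship from a .docx that points outside the package (the `TargetMode="External"` form used by CVE-2017-0199 lures) and checks an RTF for the control words that mark a linked, auto-updating object. The `build_sample_docx` helper constructs a stripped-down test document for the parser; the URL path it uses is a placeholder, only the IP comes from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# Relationship type that binds an embedded OLE object to its data. With
# TargetMode="External" the Target is a URL that Word will fetch on update.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_external_ole_links(docx_bytes: bytes) -> List[str]:
    """Return the Target URL of every OLE relationship that points outside the package.

    Every *.rels part is inspected, not just word/_rels/document.xml.rels, because
    the linked object can sit in a header, footer or footnote part just as well.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target", ""))
    return targets


def rtf_object_flags(rtf_bytes: bytes) -> List[str]:
    """Return the RTF control words present that mark a linked, auto-updating object.

    The RTF form of the same technique uses \\objautlink (object data lives at a
    link) together with \\objupdate (refresh the link when the document opens).
    """
    return [w for w in ("\\objautlink", "\\objupdate") if w.encode() in rtf_bytes]


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed test input: a stripped-down .docx with one linked OLE object.

    It is just enough package for the parser above; Word itself would expect
    more parts ([Content_Types].xml, _rels/.rels, ...).
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<w:body><w:p><w:r><w:object>"
        '<o:OLEObject Type="Link" ProgID="Word.Document.8" r:id="rId1" UpdateMode="Always"/>'
        "</w:object></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # IP from the page's description of the campaign; the path is a placeholder.
    sample = build_sample_docx("http://23.92.211.215/second.doc")
    for url in find_external_ole_links(sample):
        print("external OLE link:", url)
    # Constructed RTF fragment carrying the linked-object control words.
    print(rtf_object_flags(b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata 00}}}"))
```

A document that legitimately embeds a linked object from a network share will also show up, so treat the output as a triage signal and look at the target: an HTTP URL to a bare IP address is a very different thing from a UNC path to a file server.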

This time, the vulnerable component is the SOAP WSDL parser in the .NET Framework, which Word reaches through an embedded object. Word contacts the same server and executes .NET code hidden inside a PNG file. That code drops and installs an executable in %WinDir%\temp which, in turn, downloads the actual Remcos RAT and writes it to %LocalAppData%\avast.exe. The filename is meant to blend in with legitimate antivirus software; the location gives it away, since the real Avast binaries live under Program Files, not directly in a user's local application data folder.

It's a complicated, multi-stage infection chain that's been designed to hit victims with what is certainly a pretty potent RAT.

To give us an insight into what Remcos can do, Cyren's researchers included a few screenshots of the tool's free version. From them, we can see that Remcos comes with some analysis evasion tools, process injection capabilities, a keylogger, as well as screenshot grabbing and audio recording functionality.

Cyren's experts dug a bit deeper and found out that the samples they've captured contact a C&C server at infocolornido.publicvm[.]com. Again, the same server has been used by other malware families in the past.
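The multi-stage chain above and the C&C lookup just mentioned leave a recognisable trail on the endpoint: an Office process making its own HTTP connection, an executable landing in %WinDir%\temp, a file called avast.exe appearing under %LocalAppData%, and a DNS query for the C&C host. The following is an added example, not code from Cyren or from Remcos, that replays the chain as constructed Sysmon-style events (event IDs 1, 3, 11 and 22; field names follow Sysmon) and runs a handful of detection rules over them. Two things in it are assumptions rather than facts from the page: the dropper filename is a placeholder, since the page only names the directory, and the rule that flags WINWORD.EXE spawning csc.exe rests on the known behaviour of the .NET WSDL parser, which compiles the injected code with the C# compiler; the page itself does not state that.

```python
import ntpath
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Indicators quoted on the page (de-fanged there, plain here so they match log fields).
C2_IPS = {"23.92.211.215"}
C2_DOMAINS = {"infocolornido.publicvm.com"}


def _image(path) -> str:
    return ntpath.basename(path or "").lower()


def _path(path) -> str:
    return (path or "").lower().replace("/", "\\")


def detect(events: List[Dict]) -> List[Dict]:
    """Run the chain-specific rules over Sysmon-style events and return the findings.

    Event ids follow Sysmon: 1 process create, 3 network connect, 11 file create,
    22 DNS query. Each finding records the index of the event that produced it.
    """
    findings = []

    def hit(index: int, rule: str, severity: str) -> None:
        findings.append({"event": index, "rule": rule, "severity": severity})

    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = _image(ev.get("Image"))
        parent = _image(ev.get("ParentImage"))

        # CVE-2017-8759: the .NET WSDL parser compiles the injected code, so the
        # Office process ends up launching the C# compiler. Assumed artifact,
        # based on the vulnerability's known behaviour, not stated on the page.
        if eid == 1 and parent in OFFICE_IMAGES and image == "csc.exe":
            hit(i, "office_spawns_csc", "high")

        # CVE-2017-0199: Word itself fetches the linked object over HTTP.
        if eid == 3 and image in OFFICE_IMAGES:
            hit(i, "office_outbound_connection", "medium")
        if eid == 3 and ev.get("DestinationIp") in C2_IPS:
            hit(i, "known_c2_ip", "high")

        if eid == 11:
            target = _path(ev.get("TargetFilename"))
            if target.startswith("c:\\windows\\temp\\") and target.endswith(".exe"):
                hit(i, "exe_dropped_in_windows_temp", "medium")
            # Real Avast binaries live under Program Files, never directly in %LocalAppData%.
            if target.endswith("\\appdata\\local\\avast.exe"):
                hit(i, "remcos_avast_masquerade", "high")

        if eid == 22 and (ev.get("QueryName") or "").lower() in C2_DOMAINS:
            hit(i, "known_c2_domain", "high")

    return findings


WINWORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
DROPPER = r"C:\Windows\Temp\dropper.exe"  # placeholder name; the page gives only the directory
REMCOS = r"C:\Users\alice\AppData\Local\avast.exe"

# Constructed events that replay the chain described in the article, plus one
# benign browser connection (TEST-NET address) to show the rules stay quiet on it.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": WINWORD, "DestinationIp": "23.92.211.215", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": WINWORD},
    {"EventID": 11, "Image": WINWORD, "TargetFilename": DROPPER},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": REMCOS},
    {"EventID": 22, "Image": REMCOS, "QueryName": "infocolornido.publicvm.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] event {f['event']}: {f['rule']}")
```

The two indicator rules will age quickly; the behavioural ones (an Office process opening its own network connection, an Office process spawning a compiler, an executable written to the Windows temp directory) are what survive a change of infrastructure and are worth keeping regardless of this campaign.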

There's no information on how much damage the Remcos RAT's operators have caused with the current campaign. It must be said that considering the complicated infection chain, they're probably not playing around.

The fact of the matter is, however, that their attack can be mitigated easily. Both vulnerabilities have been patched by Microsoft: CVE-2017-0199 in the April 2017 updates and CVE-2017-8759 in the September 2017 updates. Note that the second fix ships with the .NET Framework rather than with Office, so an up-to-date Office installation alone does not close the chain; the .NET updates must be installed too. Without the vulnerabilities, the Remcos RAT won't be deployed, and the infection will grind to a halt quickly. So, big and small businesses all around the world, get those updates installed if you haven't already.