Be careful if you use Excel. So Remcos RAT can compromise everything

A new insidious cyberattack is compromising numerous computers around the world by exploiting a Microsoft Office vulnerability that was identified and reported long ago. The experts who brought the campaign behind these Excel-borne infections to light work at Fortinet, an American company specializing in cybersecurity software, devices and services.

This massive phishing campaign is built on a newer variant of the already well-known commercial malware “Remcos RAT” which, unlike previous versions, does not need to create new files on the victim’s hard disk.

As often happens in this type of cyberattack, everything starts with an email message, in this case one that purports to contain the receipt for an order placed online: given the global spread of e-commerce, the aim is to reach a recipient who will download the attached document, which is of course infected.

Once that step is taken, the damage is done: by exploiting an Office vulnerability that allows the execution of unauthorized code, Excel is forced to download an HTA document (“HTML Application”) from a remote server. This document, which hides behind a series of scripts so as not to be easily detected by antivirus software, in turn downloads a second file from another server. The chain of linked steps continues: the newly downloaded executable, again well disguised to deceive the defenses installed on the PC, launches a PowerShell script that uses “process hollowing” (also known as runPE), a technique for hiding a malicious payload inside a legitimate process running on Windows, to finally download and run Remcos RAT. As mentioned, this version of the malware is not written to the hard disk but is loaded directly into the memory of the targeted process.
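A defender can catch the chain described above at the process level long before the in-memory payload appears: a spreadsheet application has no legitimate reason to have a script host such as an HTA host or PowerShell among its descendants. The following is an added example, not part of the original article or of Fortinet’s analysis; it assumes Sysmon-style process-creation fields (ProcessGuid, ParentProcessGuid, Image), that HTA files are run by mshta.exe, and uses constructed sample events.

```python
import json

# Office applications that should not spawn script interpreters, and the
# script hosts seen in the chain described above (HTA host -> PowerShell).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# p2 -> p3 -> p4 mirrors the Excel -> HTA -> PowerShell chain; p5 is a
# benign PowerShell started from the desktop shell and must not alert.
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2", "Image": r"C:\Windows\System32\mshta.exe"},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def _basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(event, by_guid):
    """Walk ParentProcessGuid links back to the root; image names, child first."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])          # guard against cyclic/garbled data
        chain.append(_basename(cur["Image"]))
        cur = by_guid.get(cur["ParentProcessGuid"])
    return chain

def detect_office_script_chains(events):
    """One alert per script host that has an Office application among its ancestors."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_guid)
        if any(p in OFFICE_APPS for p in chain[1:]):
            alerts.append({"process": e["ProcessGuid"], "chain": " <- ".join(chain)})
    return alerts

if __name__ == "__main__":
    print(json.dumps(detect_office_script_chains(SAMPLE_EVENTS), indent=2))
```

Because the alert carries the full ancestry, the same rule flags both the HTA host spawned directly by Excel and the PowerShell it launches in turn, while leaving the user-started PowerShell alone.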

Remcos RAT gives cybercriminals a wide range of operations they can carry out on the infected system: for example, stealing files and confidential information, including the contents of the clipboard; modifying or terminating running processes; and executing commands issued by external servers, such as activating webcams or microphones, recording what the victim does on screen, and monitoring mouse and keyboard input.

The only way to try to protect yourself from threats of this kind is to never download attachments of dubious origin, though, to be honest, cybercriminals are evolving to make possible scams increasingly hard to identify: to make fake invoices more credible, for example, they routinely use perfectly legitimate DocuSign accounts.