Fortinet researchers discovered a new phishing campaign spreading a variant of the commercial malware Remcos RAT.
The phishing messages contain a malicious Excel document disguised as an order file to trick the recipient into opening the document. Upon opening the file, the RCE vulnerability CVE-2017-0199 is exploited.
The HTA file retrieved through the exploit is wrapped in multiple layers, each using a different scripting language and encoding method, to evade detection.
The malicious code downloads an encrypted Remcos RAT payload from a remote server and executes it filelessly, directly in memory, allowing attackers to remotely control the infected system.