Full Report
FortiGuard Labs analyzes a phishing campaign delivering a fileless Remcos RAT via malicious Word templates, CVE-2017-11882 exploitation, and in-memory execution.
Analysis Summary
# Tool/Technique: Remcos RAT (Fileless Execution Variant)
## Overview
This summary details a malicious campaign using a fileless variant of the Remcos Remote Access Trojan (RAT). The attack leverages a phishing lure (fake shipping document), exploits a legacy Microsoft Office vulnerability (**CVE-2017-11882**), and relies on in-memory execution via VBScript, PowerShell, and process hollowing to deploy the final payload.
## Technical Details
- Type: Malware Family (RAT) / Delivery Technique
- Platform: Microsoft Windows
- Capabilities: Remote system control, surveillance (monitoring), network management, agent management, remote code execution.
- First Seen: Not stated for the Remcos family itself; the delivery chain described here was analyzed in January 2026 (the article's publication date).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
- T1203 - Exploitation for Client Execution (CVE-2017-11882 in `EQNEDT32.EXE`)
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
- T1221 - Template Injection (remote `attachedTemplate` relationship in the lure document)
- T1620 - Reflective Code Loading (fileless .NET module loaded by PowerShell)
- T1055 - Process Injection
- T1055.012 - Process Hollowing
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (`URLDownloadToFileW()` called from the exploit shellcode)
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
Remcos RAT provides operators with:
1. **Remote Control:** Full remote control over the victim’s computer.
2. **Surveillance:** Remote monitoring of the victim (the article gives no detail beyond the category).
3. **System Management:** Ability to manage system resources.
### Advanced Features
1. **Fileless Delivery:** After the initial download, the later stages (the PowerShell-loaded .NET module and the Remcos agent) run purely in memory, so no Remcos executable is written to disk.
2. **Exploit Chain:** The lure `.docx` contains no exploit itself; its template relationship points at a remote document that resolves to a malformed RTF (`w.doc`), which triggers **CVE-2017-11882** in the Microsoft Equation Editor (`EQNEDT32.EXE`) and yields arbitrary code execution.
3. **Payload Staging:** Shellcode is used to download and execute a VBScript payload.
4. **PowerShell Abuse:** PowerShell is used to load and execute a fileless .NET module in-memory.
5. **Process Injection:** The final Remcos agent is loaded using **Process Hollowing**.
## Indicators of Compromise
- File Hashes (SHA-256):
- **BL DRAFT ITL13746259.docx (Word file):** `7798059D678BCA13EEEEBB44A8DB3588E4AA287701AEDE94B094B18F33B58F84`
- **w.doc (RTF file):** `A35DD25CD31E4A7CCA528DBFFF37B5CDBB4076AAC28B83FD4DA397027402BADD`
- **VBScript file:** `E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F`
- **Remcos payload:** `94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA`
- File Names: `BL DRAFT ITL13746259.docx` (phishing lure), `w.doc` (the downloaded RTF).
- Registry Keys: Not specified.
- Network Indicators:
- Template download URL shortener: `hxxps://go-shorty[.]killcod3[.]com/OkkxCrq`
- Template download URL shortener: `hxxps://tnvs[.]de/e4gUVc`
- Initial RTF/VBScript download server: `hxxp://66[.]179[.]94[.]117/157/w/w.doc`
- VBScript download URL: `hxxp://66[.]179[.]94[.]117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe`
- Subsequent payload/data URLs: `hxxps://idliya[.]com/assets/optimized_MSI.png`, `hxxps://idliya[.]com/arquivo_20251130221101.txt`
- Behavioral Indicators:
- Word document whose `word/_rels/settings.xml.rels` contains an `attachedTemplate` relationship with `TargetMode="External"` pointing at a URL (remote template injection).
- Code execution inside `EQNEDT32.EXE` while it parses malformed equation object data (RTF `\bin` control word).
- Shellcode running in `EQNEDT32.EXE` calling `URLDownloadToFileW()` to fetch the next stage.
- Subsequent execution of VBScript, followed by PowerShell utilizing reflection to load a fileless .NET module.
- Initiation of Process Hollowing to load the final Remcos agent.
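The first behavioral indicator above, a remote `attachedTemplate` relationship, can be checked without opening the document in Word. The following is an added example, not FortiGuard's code or any tool from the article: it constructs a minimal `.docx` in memory (the template URLs and paths are made up), then reads `word/_rels/settings.xml.rels` and flags any attached template whose external target is a URL or UNC path rather than a local template file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# OPC relationship namespace and the relationship type Word uses for an attached template.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REMOTE_SCHEMES = {"http", "https", "ftp"}


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (not a real sample): only the parts the check reads."""
    settings_xml = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        + "</w:settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings_xml)
        if template_target:
            rels_xml = (
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


def attached_templates(docx_bytes: bytes) -> list[dict]:
    """Return every attachedTemplate relationship and whether its target is off-host."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []  # no template relationship at all: the common benign case
        root = ET.fromstring(z.read(SETTINGS_RELS))
    found = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal") == "External"
        scheme = urlparse(target).scheme.lower()
        # A local Normal.dotm path is also marked External; only URLs and UNC paths are remote.
        remote = external and (scheme in REMOTE_SCHEMES or target.startswith("\\\\"))
        found.append({"id": rel.get("Id"), "target": target, "external": external, "remote": remote})
    return found


def is_remote_template_doc(docx_bytes: bytes) -> bool:
    """True when at least one attached template would be fetched from a network location."""
    return any(t["remote"] for t in attached_templates(docx_bytes))


if __name__ == "__main__":
    for label, target in [
        ("plain", None),
        ("local-template", "file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        ("remote-template", "https://template.example.invalid/x/sample.dotm"),  # made-up URL
    ]:
        print(label, is_remote_template_doc(build_sample_docx(target)))
```

A local `Normal.dotm` reference is also written with `TargetMode="External"`, so keying only on that attribute produces false positives; the scheme and UNC check is what separates the lure from an ordinary document. Run the same function over `.dotm`/`.docm` files too, since the relationship file is identical.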
## Associated Threat Actors
The article does not name a specific threat actor group; it notes that Remcos is a commercially sold RAT that also circulates on underground markets, so this chain could be operated by any number of cybercriminal groups.
## Detection Methods
- **Signature-based detection:**
- `XML/Agent.EDC!tr.dldr`
- `MSOffice/CVE_2017_11882.DMP!exploit`
- `W32/Rescoms.B!tr` (Remcos specific)
- **Behavioral detection:** Monitoring for Microsoft Office applications triggering shellcode extraction and execution, especially related to the Equation Editor component, and subsequent use of VBScript/PowerShell for fileless download/execution.
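The behavioral detection described above reduces to a few process-lineage rules. The following is an added example, not FortiGuard's code or a shipped product rule: it runs three heuristics over constructed process-creation and network-connection records (field names loosely follow Sysmon event 1/3, but every record, PID, path and destination below is made up): `EQNEDT32.EXE` spawning any child, `EQNEDT32.EXE` opening a network connection, and a script host (`wscript.exe`/`cscript.exe`) launching `powershell.exe` with reflective-load or encoded-command markers on its command line.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


@dataclass
class NetEvent:
    pid: int
    dest: str


EQN = "eqnedt32.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Markers for in-memory .NET loading or obfuscated PowerShell invocation.
PS_MARKERS = ("reflection.assembly", "::load(", "-enc", "-encodedcommand", "frombase64string")


def _name(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(procs: list[ProcEvent], nets: list[NetEvent]) -> list[str]:
    """Return alert strings for the Equation Editor -> script host -> PowerShell chain."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        # Rule 1: the Equation Editor never legitimately launches other processes.
        if _name(parent.image) == EQN:
            alerts.append(f"eqnedt32_child:{_name(p.image)}")
        # Rule 3: script host handing off to PowerShell with reflective/encoded markers.
        if _name(parent.image) in SCRIPT_HOSTS and _name(p.image) == "powershell.exe":
            cl = p.cmdline.lower()
            if any(m in cl for m in PS_MARKERS):
                alerts.append(f"scripthost_powershell_reflective:pid={p.pid}")
    # Rule 2: network activity from the Equation Editor (URLDownloadToFileW from shellcode).
    for n in nets:
        src = by_pid.get(n.pid)
        if src is not None and _name(src.image) == EQN:
            alerts.append(f"eqnedt32_network:{n.dest}")
    return alerts


# Constructed telemetry: one infected-host chain plus a benign interactive PowerShell session.
SAMPLE_PROCS = [
    ProcEvent(400, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(1200, 400, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "EQNEDT32.EXE -Embedding"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\Public\stage.vbe"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden [System.Reflection.Assembly]::Load($bytes)"),
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]
SAMPLE_NETS = [NetEvent(1200, "203.0.113.10:80"), NetEvent(2100, "198.51.100.7:443")]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCS, SAMPLE_NETS):
        print(alert)
```

Rule 1 is the high-confidence signal: `EQNEDT32.EXE` is launched out-of-process by DCOM and has no reason to create children, so any child process is worth an alert on its own. Rule 3 alone is noisier (administrators do run encoded PowerShell), which is why it is scoped to a script-host parent.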
## Mitigation Strategies
- **Patching:** Apply Microsoft's fixes for **CVE-2017-11882**; Microsoft's January 2018 Office updates removed the Equation Editor component entirely, so a fully patched install no longer carries `EQNEDT32.EXE`. The bug is old but still reliably exploited in unpatched environments.
- **Email Security:** Utilize email security gateways (like FortiMail) configured to detect and quarantine malicious attachments or block known malicious URLs/templates.
- **Endpoint Protection:** Deploy comprehensive Endpoint Detection and Response (EDR) solutions capable of detecting fileless execution techniques like PowerShell abuse and process hollowing.
- **User Training:** Conduct security awareness training (e.g., NSE 1) to educate end-users on recognizing and avoiding phishing attempts, particularly those related to urgent shipping documents.
## Related Tools/Techniques
- **Remcos RAT:** A sophisticated commercial Remote Access Tool.
- **CVE-2017-11882:** Microsoft Equation Editor Remote Code Execution Vulnerability.
- **VBScript and PowerShell:** The Windows Script Host that runs VBScript and `powershell.exe` are Microsoft-signed, built-in components used here as living-off-the-land binaries (LOLBins), so the intermediate stages execute under trusted processes.
- **Process Hollowing:** Used for loading the final Remcos agent while evading detection.