Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT

    Date: 09/12/2024

    Severity: Critical

    Summary

    "Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT" examines a multi-stage attack that uses Excel files to deliver the Remcos Remote Access Trojan (RAT) filelessly. The malicious code is embedded in an Excel spreadsheet and the payload executes in memory rather than being written to disk, so it evades detection methods that rely on scanning files. Once running, Remcos gives the attackers covert remote control of the victim's system for espionage and data theft, leaving none of the file-based indicators traditional defenses depend on.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "http://45.90.89.50/100/instantflowercaseneedbeautygirlsherealways.gIF" or url like "http://45.90.89.50/100/instantflowercaseneedbeautygirlsherealways.gIF" or userdomainname like "https://host.colocrossing.com" or url like "https://host.colocrossing.com" or userdomainname like "http://45.90.89.50/xampp/ien/INET.hta" or url like "http://45.90.89.50/xampp/ien/INET.hta" or userdomainname like "https://slug.vercel.app/wyiqkf" or url like "https://slug.vercel.app/wyiqkf" or userdomainname like "http://45.90.89.50/100/JNN.txt" or url like "http://45.90.89.50/100/JNN.txt" or userdomainname like "http://geoplugin.net/json.gp" or url like "http://geoplugin.net/json.gp" or userdomainname like "http://servidorwindows.ddns.com.br/Files/vbs.jpeg" or url like "http://servidorwindows.ddns.com.br/Files/vbs.jpeg"

    IPAddress

    dstipaddress IN ("178.237.33.50","76.76.21.164","45.90.89.50","76.76.21.93","76.76.21.22","192.3.176.174") or ipaddress IN ("178.237.33.50","76.76.21.164","45.90.89.50","76.76.21.93","76.76.21.22","192.3.176.174") or publicipaddress IN ("178.237.33.50","76.76.21.164","45.90.89.50","76.76.21.93","76.76.21.22","192.3.176.174") or srcipaddress IN ("178.237.33.50","76.76.21.164","45.90.89.50","76.76.21.93","76.76.21.22","192.3.176.174")

    Hash (MD5)

    md5hash IN ("42e59390d88ec14ab5a14873cce70344","62069dcfee1598a0df9d8caed54566f7","e522d386b90054af950c456a9c108fd9","b45300468d82291d84ff009c8974c3f2","accdfe7a24bcb621a1dade4ab39eddb2")

    Hash (SHA256)

    Sha256hash IN ("f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46")

    Reference: https://www.trellix.com/blogs/research/unmasking-the-hidden-threat-inside-a-sophisticated-excel-based-attack-delivering-fileless-remcos-rat/


    Tags

    Phishing, Exploitation, RAT
