Pulse: New Campaign Uses Remcos RAT to Exploit Victims
TLP: WHITE | Author: eric.ford | Created: 2024-11-08 | Modified: 2024-12-08 | 15 IOCs
A phishing campaign that uses Excel attachments is delivering a new variant of the Remcos RAT. The Excel attachment carries an embedded OLE object that exploits CVE-2017-0199, a remote code execution vulnerability in Microsoft Office and WordPad, to download an HTA file. The HTA file downloads an executable, which in turn downloads several files, one of which downloads the Remcos RAT.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: Remcos
Indicators of Compromise (15)