A new phishing campaign that exploits a high-severity bug from 2017 has been discovered in the wild spreading a new variant of the Remcos remote access trojan (RAT), which was among the Top Ten malware strains of 2021.
In a Nov. 8 blog post, researchers from FortiGuard Labs said that the new RAT gets initiated by a phishing email that contains a malicious Excel document.
The campaign leverages the old bug – CVE-2017-0199 – a flaw in how Microsoft Office and WordPad parse specially crafted files. Once the victim opens the attached Excel file, it lets attackers gain backdoor access to infected systems and then collect a variety of sensitive information.
“CVE-2017-0199 is exploited once the Excel file is opened on the victim’s device,” wrote the FortiGuard researchers. “It then downloads an HTA file and executes it on the device. Multiple script languages are leveraged to download an EXE file (dllhost.exe), which then starts the 32-bit PowerShell process to load the malicious code from extracted files and execute it in the PowerShell process.”
Jason Soroko, senior fellow at Sectigo, explained that using an older vulnerability in a new campaign highlights that many systems remain unpatched. Soroko said the attackers are exploiting delayed patch management in organizations, exposing them to risks from known vulnerabilities.
“Exploit kits and tutorials for CVE-2017-0199 are readily available on underground forums, lowering the barrier to entry,” said Soroko. “Since the attack relies on convincing users to open documents, attackers can exploit human vulnerabilities, which is often easier than bypassing technical safeguards.”
Darren Guccione, co-founder and CEO at Keeper Security, said in this campaign attackers use convincing purchase order emails to lure recipients into opening a malicious Excel attachment. Once opened, the file exploits this older remote code execution flaw, triggering malicious scripts that eventually launch Remcos RAT. With its use of anti-detection techniques, the malware can evade standard antivirus tools, making it difficult to stop.
“Preventing these attacks requires a combination of technical defenses and employee awareness,” said Guccione. “Organizations should ensure Office applications are regularly updated, enable email filtering and provide training to help employees spot sophisticated phishing attempts. Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense.”
Tyler Hudak, director of incident response at Inversion6, pointed out that this Excel exploit was released in 2017 and does not affect Office programs after Microsoft Office 2016 and operating systems after Windows Vista and Windows Server 2012. Hudak said if the organization has a robust patching program or has since updated to a newer version of Office (including Microsoft 365) or Windows, then this exploit will not affect them. However, if they have not, then this exploit could lead to compromised systems within an organization.
Hudak identified several options that can assist organizations in preventing similar exploits in the future:
- Ensure that the organization has a program that deploys security patches to both operating systems and programs (like Office) in a timely manner.
- Set up email security software and systems that examine and block incoming attachments for suspicious or malicious code.
- Monitor activity on systems and networks. This attack works by exploiting the vulnerability to download an HTA file, which then executes additional malicious code. Organizations should monitor for Excel accessing the network and downloading HTA files, or Excel executing additional programs, and respond appropriately.
- Limit use of older systems. Many industries, such as manufacturing and healthcare, have difficulty in upgrading software and may have vulnerable systems within their environment. These systems should be segmented from other networks in an organization and their use restricted to prevent Internet/email access from them.
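
The monitoring points in Hudak's list, combined with the process chain FortiGuard describes, can be expressed as detection logic. The following is an added example, not code from FortiGuard Labs or from this article; the event schema, rule names, allowlist and sample events are assumptions constructed for illustration.

```python
"""Triage rules for the Excel -> HTA -> dllhost.exe -> 32-bit PowerShell chain.

Assumed, simplified event schema (kind, parent, image, url); map these fields
from your own EDR, Sysmon or proxy logs. All sample events are constructed.
"""
from ntpath import basename  # parses Windows paths on any OS
from urllib.parse import urlparse

OFFICE = {"excel.exe"}
# Children Excel starts in normal use; a starting allowlist to tune per site.
ALLOWED_CHILDREN = {"excel.exe", "splwow64.exe"}

def exe(path):
    return basename(path or "").lower()

def detect(event):
    """Return the names of the rules this event matches (empty list if none)."""
    hits = []
    if event["kind"] == "process":
        parent, child = exe(event.get("parent")), exe(event.get("image"))
        if parent in OFFICE and child not in ALLOWED_CHILDREN:
            hits.append("excel_spawns_program")
        # dllhost.exe starting PowerShell from SysWOW64 (the 32-bit copy)
        if (parent == "dllhost.exe" and child == "powershell.exe"
                and "\\syswow64\\" in event["image"].lower()):
            hits.append("dllhost_spawns_32bit_powershell")
    elif event["kind"] == "http":
        # Extension match only; pair with a Content-Type check where available.
        if (exe(event.get("image")) in OFFICE
                and urlparse(event["url"]).path.lower().endswith(".hta")):
            hits.append("excel_fetches_hta")
    return hits

EXCEL = r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; real lineage and paths vary by environment
    {"kind": "http", "image": EXCEL, "url": "http://example.test/po/order.hta"},
    {"kind": "process", "parent": EXCEL, "image": r"C:\Windows\System32\mshta.exe"},
    {"kind": "process", "parent": r"C:\Users\Public\dllhost.exe", "image": PS32},
    {"kind": "process", "parent": EXCEL, "image": r"C:\Windows\splwow64.exe"},
]

def triage(events):
    """Return (event, hits) pairs for events that matched at least one rule."""
    return [(e, h) for e in events if (h := detect(e))]

if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS):
        print(hits, event.get("image"))
```

The last sample event (Excel starting the print helper) is deliberately benign and produces no hit, which shows where the allowlist needs tuning before the rules go into production.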