Summary Points
- Phishing emails impersonate company employees to deliver malicious XLS files exploiting CVE-2017-0199, leading to remote code execution via OLE object vulnerabilities.
- Attackers leverage steganography within PNG images to covertly embed payloads, facilitating stealthy delivery of malware such as the Remcos RAT.
- The malware gains persistence and control by downloading and executing stage payloads like the Remcos RAT, enabling keylogging, data theft, and system manipulation.
Threat Overview, Attack Techniques, and Targets
Recently, the AhnLab Security Intelligence Center (ASEC) found a phishing campaign. The emails pretend to be payment confirmation notices from a specific Korean company. These emails trick recipients into opening a malicious XLS file attached to the email. The file appears to be a real payment slip. Once opened, it uses a known vulnerability, CVE-2017-0199, to run malicious code. This vulnerability exploits Microsoft Office’s OLE objects, allowing remote code execution. The malware downloads a malicious HTA file from a command and control (C2) server. After downloading, the HTA executes a PowerShell script that hides in the background. The script collects system information and downloads malware called Remcos RAT. Targets are users who receive these fake payment emails and open the attachments.
Impact, Security Implications, and Remediation Guidance
This attack can lead to severe consequences. The malware can steal sensitive data, log keystrokes, take screenshots, and manipulate files. It uses embedded steganography in images to hide malicious code, making detection harder. The Remcos RAT allows hackers to control infected systems remotely. This increases the risk of data loss, espionage, and system compromise. To protect against this threat, verify sender email addresses and check links carefully before clicking. Avoid opening suspicious attachments or files with risky extensions like .exe or .js. Always confirm that web pages are secured (HTTPS) before entering sensitive information. For detailed remediation steps, consult your vendor or cybersecurity authority.
Discover More Technology Insights
Learn how the Internet of Things (IoT) is transforming everyday life.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
