Excel users need to watch out as a newly discovered phishing campaign is targeting Microsoft’s spreadsheet application.
The campaign delivers a new fileless version of a dangerous remote access Trojan by exploiting a Microsoft 365 (formerly Microsoft Office) vulnerability that is currently under active exploitation.

Always at the front line, Fortinet’s FortiGuard Labs uncovered the phishing campaign targeting Excel users.
The attack uses an email phishing lure disguised as a shipping purchase order with a malicious Microsoft Excel spreadsheet attached. Once the spreadsheet is downloaded and opened, it exploits a remote code execution vulnerability (CVE-2017-0199) to download an HTML application.
Once downloaded, the HTML app executes and attempts to download another file—the actual Remcos malware. Now, Remcos is a relatively well-known remote access Trojan that can deliver an attacker a direct line into an infected computer. It’s one of a number of dangerous malware types available for purchase as a neat package on underground hacking forums.
However, this time around, researcher Xiaopeng Zhang found a fileless Remcos RAT variant that operates within the infected system’s memory, enabling it to remain undetected by antimalware tools. It also adds a specific auto-run entry to the system registry to “maintain persistence and maintain control of the victim’s device when restarted,” another example of persistent malware.
The Remcos RAT operator can use keyloggers and screen recording tools to capture private information, audio, and other data. The stolen data is then encrypted and sent back to the operator, where it can be exploited.
Update Microsoft 365 and Your Computer to Stay Safe
Unfortunately, the research doesn’t indicate the specific versions of Microsoft Excel affected by this vulnerability. While the CVE-2017-0199 note indicates older versions of Excel and Office in its “Known Affected Software Configurations,” that section hasn’t been updated since the discovery of this phishing campaign.
So, when in doubt, update Microsoft 365 and your operating system, and where possible, upgrade to the latest Microsoft 365 version for maximum security.