A revamped Remcos RAT campaign is targeting Windows users via phishing emails exploiting a 2017 Microsoft Office vulnerability (CVE-2017-0199) — with a payload wrapped in five layers of obfuscation across JavaScript, VBScript, PowerShell, Base64, and C++, plus anti-debugging techniques that produce a fileless, in-memory infection. HN45 also covers attackers abusing ZIP concatenation — appending multiple archives into a single file — to hide SmokeLoader trojan payloads that evade detection in 7-Zip and bypass file extension-based security checks entirely.
Stories Covered
Revamped Remcos RAT: Fileless Execution and Five-Layer Obfuscation Against Unpatched Office
Fortinet researcher Xiao Peng Zhang documented a new Remcos RAT campaign targeting Windows users through phishing emails disguised as business order confirmations with attached Excel files. The attack chain exploits CVE-2017-0199 — a remote code execution vulnerability in how unpatched Microsoft Office and WordPad parse files — to download and execute the malware payload. The key word is “unpatched”: this CVE is from 2017 and has had a patch available for years. The campaign continues to be effective precisely because a significant fraction of deployed Office installations are never updated.
The new Remcos variant is engineered specifically to defeat analysis. The payload is wrapped in multiple layers using JavaScript, VBScript, Base64, PowerShell (32-bit only), and C++ — each layer serving both obfuscation and evasion purposes. It installs a vectored exception handler, calls system APIs in deliberately inconsistent, non-fingerprint-able patterns, and uses ZwSetInformationThread with the ThreadHideFromDebugger flag to detect and immediately exit if a debugger attaches. The malware also hooks API calls to simulate benign instructions before jumping to the real execution path, causing detection tools and sandboxes to crash or time out. The final stage is fileless: the encrypted Remcos RAT payload is downloaded and executed directly in memory — no file written to disk, significantly limiting forensic recovery options.
Keeper Security CEO Darren Guccioni’s observation in the article is the right framing: you can deploy the most sophisticated endpoint detection stack available, but if users click phishing attachments, the attacker has a foothold. Social engineering remains the cheapest and most reliable initial access vector. Zero-days are expensive and require technical sophistication; getting a user to open an Excel file that promises to confirm their shipment requires none of that. The defense is patch management (CVE-2017-0199 is trivially avoided by updating Office) and user training — if you receive a file attachment you weren’t expecting, don’t open it before confirming with the sender through a separate channel.
ZIP Concatenation: SmokeLoader Hidden in Archives That 7-Zip Can’t See
Perception Point researchers documented a phishing campaign delivering a SmokeLoader trojan variant by exploiting structural inconsistencies in how different ZIP archive readers process concatenated files — multiple ZIP archives appended into a single file, each with its own central directory. The attack works because the three most common ZIP tools (7-Zip, Windows File Explorer, and WinRAR) handle concatenated archives differently. 7-Zip reads only the first archive and may display a warning about “data after end of archive” that users routinely dismiss or never see. Windows File Explorer may fail to open the file entirely, or if renamed with a .rar extension, displays only the malicious second archive. WinRAR reads the second central directory and exposes the hidden payload. The attackers delivered the file disguised as a shipping document with a .rar extension — which is actually a concatenated ZIP — exploiting trust in the extension while hiding the SmokeLoader executable inside the second archive that only some readers expose.
SmokeLoader is a loader/downloader trojan — its job is not to steal data directly but to establish persistence and pull down additional payloads, which may include banking trojans, ransomware, or other commodity malware. What makes this delivery mechanism notable is that the same file produces different behavior depending on which tool the victim uses to open it: a security analyst using 7-Zip might see only a benign-looking PDF and conclude the attachment is clean, while the Windows File Explorer user sees the malicious executable. This creates a class of files that partially evade analysis tools not through any exploit in the tools, but through structural ambiguity in how ZIP concatenation is defined (or undefined) in the format spec.
Perception Point contacted the 7-Zip developers about the behavior. The response was that it’s intentional functionality, not a bug, and is unlikely to change. File extension-based detection is separately unreliable here — renaming a file to change its extension is trivial on every major OS, and extension-based assumptions in security tooling are a known weak point. The practical takeaway: treat all unsolicited archive attachments as untrusted regardless of what tool you use to inspect them, and verify with the sender through a separate channel before opening. If you are deploying security tooling that relies on archive scanning, ensure it reads all central directories in concatenated ZIP files, not just the first.
Leave a Reply