New Remcos Campaign Distributed Through Fake Shipping Document
ID: 13b66471-f859-5734-975b-c7b2eb16bf0f
STIX ID: report--13b66471-f859-5734-975b-c7b2eb16bf0f
Feed Name: Fortinet Blog
FortiGuard Labs analyzed a phishing campaign distributing a fileless Remcos remote access trojan. The infection chain starts with a malicious Word document that loads a remote RTF file; the RTF exploits CVE-2017-11882 to run shellcode, which downloads and executes a VBScript that launches Base64-encoded PowerShell. That PowerShell loads a disguised .NET module in memory, installs persistence, and retrieves a reversed, Base64-encoded Remcos payload, which is then injected into a system process via process hollowing. The report includes detailed TTPs, packet and configuration analysis, C2 details (216.9.224.26:51010), URLs, and SHA-256 indicators, and documents Fortinet detections and mitigations.
