New Campaign Uses Remcos RAT to Exploit Victims
ID: d95598e9-6da6-5de0-b983-d6af63bfcd75
STIX ID: report--d95598e9-6da6-5de0-b983-d6af63bfcd75
Feed Name: Fortinet Blog
Fortinet FortiGuard Labs documents a phishing campaign that weaponizes an Excel file exploiting CVE-2017-0199 to download an HTA, which in turn fetches a downloader (dllhost.exe). The downloader uses obfuscated PowerShell, process hollowing and in-memory deployment to execute a fileless variant of the Remcos RAT. The report details the malware's anti-analysis techniques, persistence mechanism, Remcos configuration and C2 protocol, and provides URLs, the C2 IP:port, and SHA-256 sample hashes along with Fortinet detection guidance.
