Organizations are facing an active phishing campaign in which malicious actors weaponize ordinary-looking shipping documents to distribute Remcos, a powerful remote access trojan (RAT). Fake shipping emails serve as the entry point, luring recipients into opening malicious Word attachments that pose as legitimate cargo documentation. The attack chain starts as soon as the document is opened, compromising the system without any visible warning to the user.
The payload is a commercially sold remote access tool that gives an operator full control of an infected machine. The Remcos variant in this campaign is notable because its final stage runs fileless: the agent is loaded into memory rather than dropped to disk as a standalone executable, which blunts antivirus and other file-centric detection. The earlier stages (a downloaded script and a PowerShell process that loads a .NET module) still generate process and script activity, so endpoint telemetry that watches process creation and script execution can still see the chain.
Fortinet analysts identified the malware after observing the phishing emails in the wild. Their analysis documents how the attackers crafted the shipping-document lures with authentic-looking branding and reference numbers to maximize the chance that recipients open the attachment.
Once opened in Microsoft Word, the document fetches a malicious template from a remote server (remote template injection), so the attachment itself carries only a reference to the template rather than the exploit code, which helps it slip past attachment scanning. The downloaded template exploits CVE-2017-11882, a known but still critical stack-based buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017 and removed from Office altogether in January 2018. When Word processes the template, the embedded Equation Editor object carries oversized data that corrupts the Equation Editor's stack in a controlled way, letting the attackers hijack execution and run arbitrary code. Equation Editor is launched as a separate process under the logged-on user's account, so that code runs with the user's permissions, which is all the attackers need to begin installing the malware.
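Two checks an analyst would run on the attachment and on the fetched template, as an added example; this is not Fortinet's tooling or code from the campaign. The sample .docx and RTF are constructed in memory so the script runs offline, and both checks are heuristics: a remote template reference is legitimate in some corporate templates, and an Equation.3 object with \objupdate is strongly suspicious but not proof of CVE-2017-11882.

```python
"""Triage a .docx for remote template injection and an RTF template for
Equation Editor objects. Added example, not Fortinet's tooling; the sample
documents below are constructed and not taken from the campaign."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def remote_templates(docx_bytes):
    """Return external URLs referenced as attached templates in a .docx.

    Word resolves <w:attachedTemplate r:id=...> in word/settings.xml through
    word/_rels/settings.xml.rels; a Relationship with TargetMode="External"
    makes Word download the template (and whatever it carries) on open.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return found
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                found.append(rel.get("Target"))
    return found


def equation_editor_markers(rtf_bytes):
    """Heuristic: flag an RTF that embeds an Equation Editor (Equation.3)
    OLE object, the carrier for CVE-2017-11882. \\objupdate tells Word to
    activate the object as soon as the file opens, with no user interaction."""
    hits = []
    if re.search(rb"\\objclass\s*Equation\.3", rtf_bytes):
        hits.append("objclass Equation.3")
    if b"\\objupdate" in rtf_bytes:
        hits.append("objupdate (auto-activate)")
    # The OLE1 stream inside \objdata spells the class name in hex as well.
    if b"Equation.3".hex().encode() in rtf_bytes.lower():
        hits.append("Equation.3 in objdata hex")
    return hits


def build_docx(template_url=None):
    """Construct a minimal .docx; with template_url it mimics remote template
    injection. Sample input for this example only, not a real lure."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main" xmlns:r="http://schemas.'
                'openxmlformats.org/officeDocument/2006/relationships">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_url else "")
                + "</w:settings>")
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            + (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_url}" TargetMode="External"/>'
               if template_url else "")
            + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for a fetched template: the objdata is just the hex
# of the class name, not a real OLE object, so nothing here is exploitable.
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
              rb"{\*\objdata 4571756174696f6e2e33}}}")

if __name__ == "__main__":
    lure = build_docx("http://example.invalid/shipping.dotm")
    print("remote templates:", remote_templates(lure))
    print("template markers:", equation_editor_markers(SAMPLE_RTF))
```

A clean document returns an empty list from both functions; a hit from `remote_templates` alone is a reason to detonate the attachment in a sandbox rather than open it, since the exploit content only exists on the attacker's server.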
Infection Chain and Persistence Mechanisms of Weaponized Shipping Documents
The way this malware establishes itself shows careful engineering by the threat actors. After the initial exploitation, the chain downloads a Visual Basic Script, which in turn downloads a .NET module that is loaded into a PowerShell process; the script and the PowerShell stage are loaders, not the RAT itself. The Remcos agent then runs under the name colorcpl.exe, which belongs to the legitimate Windows Color Management applet, so a glance at the process list shows nothing unusual. Whether a running colorcpl.exe is the real one can be settled by checking that it was started from the System32 directory and carries a valid Microsoft signature.
To survive reboots, the threat actors use Windows Task Scheduler, creating scheduled tasks that relaunch the malware whenever the infected computer starts, which keeps the attackers' access alive. Scheduled tasks whose actions point at script hosts, PowerShell or executables in user-writable directories should be treated as suspect. The weaponized-shipping-document vector is particularly concerning because it relies on social engineering and abuses a routine form of business communication.
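Detection logic for the chain described above (Equation Editor spawning a child, a script host spawning PowerShell, a colorcpl.exe outside System32, and a scheduled task that points at any of them), as an added example that is not Fortinet's detection content. The event schema loosely follows Sysmon process-creation fields (ParentImage, Image, CommandLine); the task fields and all sample events are constructed for this example.

```python
"""Hunt process-creation and scheduled-task telemetry for the Remcos chain.
Added example; the event schema and SAMPLE_EVENTS are constructed."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Download cradles and encoded commands typical of a script-driven loader.
PS_LOADER = re.compile(r"-(enc|encodedcommand)\b|downloadstring|frombase64string")


def _base(path):
    return ntpath.basename(path or "").lower()


def _in_system_dir(path):
    return ntpath.dirname((path or "").lower()) in SYSTEM_DIRS


def _first_exe(cmdline):
    """First executable in a task action, with or without surrounding quotes."""
    m = re.match(r'\s*"?(.+?\.exe)"?(\s|$)', cmdline or "", re.I)
    return m.group(1) if m else ""


def check_process(ev):
    """Return alert strings for one process-creation event."""
    parent, image = _base(ev.get("ParentImage")), _base(ev.get("Image"))
    cmd = (ev.get("CommandLine") or "").lower()
    alerts = []
    # EQNEDT32.EXE is started by the DCOM launcher, so its parent is
    # svchost.exe rather than WINWORD.EXE; key on its children instead. The
    # genuine Equation Editor never needs to spawn anything.
    if parent == "eqnedt32.exe":
        alerts.append("Equation Editor spawned a child process (CVE-2017-11882)")
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        alerts.append("script host spawned PowerShell (stager)")
    if image in POWERSHELL and PS_LOADER.search(cmd):
        alerts.append("PowerShell with download or encoded command")
    if image == "colorcpl.exe" and not _in_system_dir(ev.get("Image")):
        alerts.append("colorcpl.exe running outside System32 (masquerade)")
    return alerts


def check_task(ev):
    """Return alert strings for one scheduled-task creation event."""
    exe_path = _first_exe(ev.get("Action"))
    exe = _base(exe_path)
    alerts = []
    if exe in SCRIPT_HOSTS or exe in POWERSHELL:
        alerts.append(f"scheduled task {ev.get('TaskName')} runs {exe}")
    if exe == "colorcpl.exe" and not _in_system_dir(exe_path):
        alerts.append(f"scheduled task {ev.get('TaskName')} launches masqueraded colorcpl.exe")
    return alerts


def hunt(events):
    """Return (event index, alert) pairs across a stream of events."""
    findings = []
    for i, ev in enumerate(events):
        alerts = check_process(ev) if ev.get("Event") == "ProcessCreate" else check_task(ev)
        findings.extend((i, a) for a in alerts)
    return findings


# Constructed sample events; paths and task names are illustrative only.
SAMPLE_EVENTS = [
    {"Event": "ProcessCreate",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\ship.vbs"},
    {"Event": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"Event": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\colorcpl.exe",
     "CommandLine": "colorcpl.exe"},
    {"Event": "TaskCreate", "TaskName": r"\Updates\ColorSync",
     "Action": r'"C:\Users\alice\AppData\Roaming\colorcpl.exe"'},
    # Benign: the real Color Management applet launched from Explorer.
    {"Event": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\colorcpl.exe", "CommandLine": "colorcpl.exe"},
    # Benign: a stock maintenance task.
    {"Event": "TaskCreate", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Action": r"%windir%\system32\defrag.exe -c -h -k -g"},
]

if __name__ == "__main__":
    for idx, alert in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The first rule is the cheapest high-signal one: any child of EQNEDT32.EXE is worth an alert on its own, because the legitimate component has no reason to start processes. The remaining rules catch the later stages if the exploit was missed, and the two benign events show that the colorcpl.exe check has to consider the path, not just the name.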
The most concerning aspect of this campaign is the extensive range of capabilities Remcos provides once it is installed. Attackers can capture screenshots, log keystrokes, monitor microphone and camera input, and access sensitive files stored on the infected machine. The agent connects back to a command-and-control server, identified in this campaign at 216.9.224.26 on port 51010, through which the attackers issue commands and maintain control of the compromised systems.
The malware wraps its command-and-control traffic in Transport Layer Security (TLS), which prevents content inspection and makes network-based detection harder. The connection metadata remains visible, however: outbound sessions to 216.9.224.26:51010, or more generally long-lived TLS sessions to an unusual high port on a bare IP address rather than a hostname, can still be alerted on. Organizations with Remcos infections face the potential for complete system compromise; the attackers obtain remote control at the privilege level of the compromised account, which on many workstations is a local administrator. The campaign targets Windows users and poses a high-severity risk to any organization without robust email security and user awareness training.
The ongoing distribution of these weaponized shipping documents shows that the campaign is active and poses an immediate threat. Organizations are advised to review their email security filters, make sure all systems are patched, particularly against vulnerabilities in Microsoft Office applications (the fix for CVE-2017-11882 has been available since November 2017, and current Office builds no longer ship Equation Editor at all), and educate employees about unsolicited attachments, especially those disguised as shipping or business documents. The continued evolution of such threats calls for a proactive, multi-layered approach to cybersecurity.