New Remcos Campaign Distributed Through Fake Shipping Document
released on 2026-01-19 @ 09:40:16 AM
A new phishing campaign has been discovered that delivers a fileless variant of the Remcos RAT. The attack begins with an email impersonating a Vietnamese shipping company that lures victims into opening a malicious Word document. The document retrieves a remote RTF file, exploits a vulnerability, and executes VBScript and PowerShell code, which loads a .NET module in memory. That module acts as both the loader and the persistence mechanism for the Remcos payload. The Remcos variant (version 7.0.4 Pro) is downloaded into memory and injected into a legitimate system process via process hollowing. It offers extensive remote control capabilities across six categories, including system management, surveillance, networking, communication, and agent control. The analysis details the infection chain, payload structure, and Remcos features, providing insight into this sophisticated attack methodology.
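The process lineage described above (Word document, then a script host, then PowerShell) is visible in endpoint process-creation telemetry before any payload is injected. The following is an added detection example, not code from the report or from the campaign; the events, process IDs and command lines are constructed to mimic Sysmon-style records, and the image-name sets are assumptions a defender would tune to their environment.

```python
# Added example: flag PowerShell launched via a script host under an Office
# application, the lineage described in the summary. Not from the original report.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed set
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                # assumed set
SHELLS = {"powershell.exe", "pwsh.exe"}                      # assumed set

# Constructed sample events (pid, ppid, image, command line); not real telemetry.
EVENTS = [
    (1000, 800, "explorer.exe", "explorer.exe"),
    (1200, 1000, "winword.exe", "WINWORD.EXE /n shipping_document.docx"),
    (1300, 1200, "wscript.exe", "wscript.exe //B stage.vbs"),
    (1400, 1300, "powershell.exe", "powershell.exe -nop -w hidden -enc <base64>"),
    (1500, 1000, "powershell.exe", "powershell.exe -File nightly_backup.ps1"),
]

def build_index(events):
    """Map pid -> (ppid, lower-cased image) so ancestry can be walked."""
    return {pid: (ppid, image.lower()) for pid, ppid, image, _ in events}

def ancestry(index, pid, max_depth=8):
    """Image names from pid upward (pid first), bounded to avoid pid-reuse loops."""
    chain = []
    while pid in index and len(chain) < max_depth:
        ppid, image = index[pid]
        chain.append(image)
        pid = ppid
    return chain

def find_office_script_chains(events):
    """Return shells whose ancestry has a script host sitting under an Office app."""
    index = build_index(events)
    hits = []
    for pid, _, image, cmdline in events:
        if image.lower() not in SHELLS:
            continue
        chain = ancestry(index, pid)
        # Positions are distances from the shell; the script host must lie
        # between the shell and the Office parent for the lineage to match.
        host = next((i for i, p in enumerate(chain) if p in SCRIPT_HOSTS), None)
        office = next((i for i, p in enumerate(chain) if p in OFFICE_APPS), None)
        if host is not None and office is not None and host < office:
            hits.append({"pid": pid, "cmdline": cmdline,
                         "chain": " > ".join(reversed(chain[: office + 1]))})
    return hits

if __name__ == "__main__":
    for hit in find_office_script_chains(EVENTS):
        print(f"suspicious lineage pid={hit['pid']}: {hit['chain']}")
```

The benign PowerShell launched directly from explorer.exe is not flagged; the later in-memory .NET load and process hollowing stages need memory or injection telemetry that this lineage check does not cover.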