New Remcos Phishing Campaign Uses CVE-2017-11882 RTF
🛡️ FortiGuard Labs uncovered a phishing campaign that delivers a fileless Remcos RAT via a malicious Word document which loads a remote RTF exploiting CVE-2017-11882. The exploit executes shellcode to fetch a VBScript that launches a Base64 PowerShell loader. That PowerShell downloads an image with an embedded .NET module, which the loader runs in memory to install persistence and inject the Remcos payload into a legitimate process using process hollowing.
