PowerShell-Based Loader Deploys Remcos RAT in Innovative Fileless Attack


A recent analysis by the Qualys Threat Research Unit (TRU) has identified a sophisticated, fileless malware campaign utilizing PowerShell to deploy the Remcos Remote Access Trojan (RAT). This attack vector effectively circumvents conventional antivirus measures as it operates solely in memory, leaving minimal detectable traces on disk.

The attack chain begins with a ZIP archive containing a malicious LNK file that masquerades as a legitimate document. When the LNK is opened, it invokes MSHTA.exe to run an obfuscated Visual Basic script, which carries out several critical actions:

– Bypassing Windows Defender.
– Modifying registry settings to ensure persistence.
– Dropping various payloads into the user’s public directory.

Among the payloads is a heavily obfuscated PowerShell script named 24.ps1, which builds a shellcode loader and executes a 32-bit build of Remcos RAT directly in memory via Win32 API calls.
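The chain above leaves a recognizable process lineage on the endpoint: explorer.exe starting mshta.exe (the double-clicked LNK), and mshta.exe in turn starting powershell.exe with a script under the user's public directory. The following is an added example, not code from the Qualys write-up, that flags both stages over a constructed set of process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields; the field names, PIDs and command lines are assumptions made for the sample, and a real deployment would feed it Get-WinEvent output instead.

```powershell
# Constructed sample of process-creation records (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Pid=4120; ParentPid=1200; Image='C:\Windows\explorer.exe';
                       CommandLine='explorer.exe' },
    [pscustomobject]@{ Pid=5208; ParentPid=4120; Image='C:\Windows\System32\mshta.exe';
                       CommandLine='mshta.exe C:\Users\Public\invoice.hta' },
    [pscustomobject]@{ Pid=5300; ParentPid=5208;
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';
                       CommandLine='powershell.exe -w hidden -ep bypass -f C:\Users\Public\24.ps1' },
    [pscustomobject]@{ Pid=6000; ParentPid=4120; Image='C:\Windows\System32\notepad.exe';
                       CommandLine='notepad.exe' }
)

function Find-LnkMshtaPowerShellChain {
    # Emits one finding per record that matches either stage of the chain.
    param([Parameter(Mandatory)][object[]]$Events)

    # Index by PID so each record can be joined to its parent.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.Pid] = $e }

    foreach ($e in $Events) {
        $parent = $byPid[$e.ParentPid]
        if ($null -eq $parent) { continue }

        # Stage 1: mshta.exe started from the shell, as opening an LNK would do.
        if ($e.Image -match '\\mshta\.exe$' -and $parent.Image -match '\\explorer\.exe$') {
            [pscustomobject]@{
                Stage = 'lnk-to-mshta'; Pid = $e.Pid; ParentPid = $parent.Pid
                CommandLine = $e.CommandLine; Reasons = 'mshta.exe spawned by explorer.exe'
            }
        }

        # Stage 2: PowerShell started by mshta.exe (-match is case-insensitive by default).
        if ($e.Image -match '\\(powershell|pwsh)\.exe$' -and $parent.Image -match '\\mshta\.exe$') {
            $reasons = @('powershell spawned by mshta.exe')
            if ($e.CommandLine -match '-(w|windowstyle)\s+hidden')        { $reasons += 'hidden window' }
            if ($e.CommandLine -match '-(ep|exec|executionpolicy)\s+bypass') { $reasons += 'execution policy bypass' }
            if ($e.CommandLine -match '\\Users\\Public\\')                 { $reasons += 'script under Users\Public' }
            [pscustomobject]@{
                Stage = 'mshta-to-powershell'; Pid = $e.Pid; ParentPid = $parent.Pid
                CommandLine = $e.CommandLine; Reasons = ($reasons -join '; ')
            }
        }
    }
}

Find-LnkMshtaPowerShellChain -Events $SampleEvents | Format-List
```

On a live host the same function can be pointed at Sysmon data by building the records from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` filtered to Event ID 1, mapping the ProcessId, ParentProcessId, Image and CommandLine fields; parent lookup by PID is only reliable within a short window, since PIDs are reused after a process exits.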

Advanced Memory Injection and Evasion Techniques

The deployment of Remcos is facilitated through custom shellcode that walks the Process Environment Block (PEB) to resolve API addresses at runtime. Because the loader carries no hardcoded imports for the APIs it uses, static analysis tools that rely on import tables see nothing suspicious, which improves its evasion.

Once operational, Remcos establishes a secure TLS connection to its command-and-control (C2) server, identified as readystaurants[.]com, maintaining a persistent channel for data exfiltration and command execution.

The malware includes modules for executing commands, keylogging, capturing webcam feeds, and stealing clipboard contents. It uses User Account Control (UAC) bypass methods, performs process hollowing into svchost.exe, and employs anti-debugging techniques to hinder further analysis.

Features of Remcos Version 6.0.0 Pro

The latest iteration of Remcos presents enhancements that improve its overall effectiveness:

– Group view functionality for managing infected hosts.
– Unique user identifiers (UIDs) for each instance.
– Display of privilege levels.
– Visibility of public IP addresses.
– Enhanced idle-time tracking capabilities.

Configuration settings, stored encrypted within the binary, include server addresses, operational parameters, and keylogging preferences. The malware also records keystrokes and browser activity, specifically targeting Firefox credential store files such as logins.json and key3.db.

Qualys emphasizes, “Remcos RAT exemplifies a stealthy, PowerShell-based malware that employs advanced evasion techniques to evade detection. Its operational modality in memory complicates identification by traditional security measures. This incident underscores the necessity of vigilant monitoring of LNK files, MSHTA misuse, alterations to the registry, and unusual PowerShell activities.”

To fortify defenses against such threats, organizations should enable comprehensive PowerShell logging, monitor AMSI events proactively, and deploy robust Endpoint Detection and Response (EDR) solutions. Early detection remains pivotal in mitigating threats posed by malware like Remcos that runs entirely in memory.
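The two defensive measures above, PowerShell logging and monitoring of what that logging produces, can be put in place with a few lines of PowerShell. The following is an added example, not part of the Qualys write-up: the first function writes the policy values that the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" Group Policy settings write, and the second scores a script block's text against indicators of the in-memory loader pattern described in the post (Win32 API declarations, executable memory allocation, thread creation, base64-encoded payloads, Defender tampering). The indicator list, the threshold of three, and the two sample script blocks are assumptions made for the example; the samples are constructed and are not executable loader code.

```powershell
function Enable-PowerShellLogging {
    # Enables Script Block Logging (Event ID 4104) and Module Logging for all modules.
    # Requires an elevated prompt; the same keys are set by the corresponding Group Policy.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

# Assumed indicator list: each entry is a regex over the script block text.
$LoaderIndicators = @(
    @{ Name = 'win32-api-import';  Pattern = 'DllImport|Add-Type|GetProcAddress|GetModuleHandle' },
    @{ Name = 'exec-memory-alloc'; Pattern = 'VirtualAlloc(Ex)?|NtAllocateVirtualMemory' },
    @{ Name = 'thread-creation';   Pattern = 'CreateThread|CreateRemoteThread|QueueUserAPC' },
    @{ Name = 'encoded-payload';   Pattern = 'FromBase64String|\[char\]\s*\d+' },
    @{ Name = 'defender-tamper';   Pattern = 'Set-MpPreference|DisableRealtimeMonitoring|ExclusionPath' }
)

function Test-ScriptBlockForLoader {
    # Returns the matched indicator names, a count, and a verdict at the assumed threshold.
    param([Parameter(Mandatory)][string]$ScriptBlockText, [int]$Threshold = 3)
    $hits = New-Object System.Collections.Generic.List[string]
    foreach ($i in $LoaderIndicators) {
        if ($ScriptBlockText -match $i.Pattern) { $hits.Add($i.Name) }
    }
    [pscustomobject]@{ Hits = $hits.ToArray(); Score = $hits.Count; Suspicious = ($hits.Count -ge $Threshold) }
}

function Get-SuspiciousScriptBlocks {
    # Scans recent 4104 events on the local host; ScriptBlockText is the third event property.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $r = Test-ScriptBlockForLoader -ScriptBlockText $text
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; Hits = ($r.Hits -join ','); Preview = $text.Substring(0, [Math]::Min(120, $text.Length)) }
            }
        }
}

# Constructed samples standing in for 4104 script block text.
$BenignSample = 'Get-ChildItem C:\Users\Public | Where-Object Length -gt 1MB | Sort-Object Length'
$SuspiciousSample = @'
# constructed fragment resembling a fileless loader; placeholders, not runnable
$bytes = [Convert]::FromBase64String('<placeholder>')
Add-Type -MemberDefinition '[DllImport("kernel32.dll")] ... VirtualAlloc ... CreateThread ...'
Set-MpPreference -DisableRealtimeMonitoring $true
'@

Test-ScriptBlockForLoader -ScriptBlockText $BenignSample     | Format-List
Test-ScriptBlockForLoader -ScriptBlockText $SuspiciousSample | Format-List
```

Scoring on several independent indicators rather than any single token keeps benign administrative scripts (one `Add-Type` for a COM wrapper, one `FromBase64String` for a certificate) below the threshold while the loader described above trips all five; script block logging also records the de-obfuscated text of each block as it is compiled, so the indicators fire on what actually ran rather than on the obfuscated 24.ps1 file.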