CyberSecurity updates
Updated: 2024-12-04 13:07:16 Pacific

any.run
Analysis of PSLoramyra Fileless Malware Loader

Cybersecurity researchers have uncovered a new fileless malware loader, dubbed PSLoramyra, which relies on in-memory execution to evade detection. The loader chains PowerShell, VBS, and BAT scripts to inject its malicious payload into a system and run it directly in memory. Because the payload is loaded entirely into memory, PSLoramyra leaves minimal traces on the infected system and is difficult to detect with traditional, file-based antivirus methods. The infection chain begins with an initial PowerShell script that writes three files (roox.ps1, roox.bat, roox.vbs), which together execute the malicious payload.

The malware's persistence mechanism is particularly noteworthy. PSLoramyra establishes persistence by creating a Windows Task Scheduler task that runs the roox.vbs script every two minutes, so the malware keeps operating even after a system reboot. The script then uses the Reflection.Assembly.Load method to load the main payload into memory and RegSvcs.exe to execute it. ANY.RUN's analysis found that in one instance the payload was the Quasar RAT (Remote Access Trojan), which lets attackers remotely control the compromised system, exfiltrate data, and potentially perform further malicious actions.
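
As an added, defender-side illustration that is not part of the ANY.RUN write-up: the following Python checks a Task Scheduler XML definition (the format that `schtasks /Query /TN <name> /XML` exports) for the persistence pattern described above, a short repetition interval combined with a script host launching a .vbs/.bat/.ps1 file. The task XML, the script path and the five-minute threshold are constructed for the example, not taken from the analysis.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (schtasks /Query /XML output).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|bat|ps1)\b", re.IGNORECASE)

# Constructed sample (not a real capture) mirroring the behaviour described in
# the write-up: a task that re-launches a .vbs script every two minutes.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-12-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT2M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>"C:\Users\Public\roox.vbs"</Arguments></Exec>
  </Actions>
</Task>"""


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT2M, P1DT12H, ...) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def analyze_task(xml_text, max_interval_seconds=300):
    """Return reasons a task looks like script-loader persistence ([] = nothing matched)."""
    root = ET.fromstring(xml_text)
    # Flag only tasks that re-run at a short interval (default: five minutes or less).
    intervals = [iso_duration_seconds(i.text) for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    shortest = min(intervals, default=None)
    if shortest is None or shortest > max_interval_seconds:
        return []
    findings = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS) or ""
        exe = re.split(r"[\\/]", command)[-1].lower()  # basename, any path separator
        # A script host executing a .vbs/.bat/.ps1 file on that short cadence is the pattern.
        if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
            findings.append(f"repeats every {shortest}s and {exe} runs script {args.strip()}")
    return findings
```

`analyze_task(SAMPLE_TASK_XML)` returns one finding for the constructed task; a task with an hourly interval, no repetition, or a non-script action returns an empty list.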

The combination of PowerShell, VBS, and BAT scripts, fileless execution, and Task Scheduler persistence makes PSLoramyra a particularly insidious threat. Researchers urge users to stay vigilant and to employ robust security measures, including up-to-date antivirus software and regular system scans, to protect against this and similar advanced malware threats. The ANY.RUN sandbox provided valuable insight into PSLoramyra's behavior and infection process, highlighting the value of such tools in malware analysis and threat detection.


This site is an experimental news aggregator using feeds I personally follow. You can provide me feedback using this form or using Bluesky.