CyberSecurity news
FlagThis - #FilelessMalware
|
@blog.qualys.com
//
A new fileless malware campaign is deploying the Remcos RAT (Remote Access Trojan) using a PowerShell-based shellcode loader, highlighting the evolving tactics of cybercriminals. The attack begins with malicious LNK files embedded within ZIP archives, often disguised as legitimate Office documents to entice users into opening them. Upon execution, the attack chain leverages mshta.exe, a legitimate Microsoft tool, for proxy execution, allowing it to bypass traditional antivirus and endpoint defenses by running HTML Applications (HTA).
The mshta.exe then executes an obfuscated HTA file hosted on a remote server, which contains Visual Basic Script code designed to download a PowerShell script, a decoy PDF file, and another HTA file. Critically, the HTA file also configures Windows Registry modifications to ensure that the downloaded HTA file is automatically launched upon system startup, guaranteeing persistence. Once the PowerShell script is executed, it reconstructs a shellcode loader that ultimately launches the Remcos RAT payload entirely in memory. This fileless technique, where malicious code operates directly in the computer's memory, allows the malware to evade many traditional security solutions that rely on disk-based detection. Remcos RAT grants attackers full control over compromised systems, allowing for cyber espionage and data theft through features like keylogging, screenshot capture, and clipboard monitoring. The RAT establishes a TLS connection to a command-and-control server for persistent communication, enabling data exfiltration and remote control.
Share:
References :
Classification:
|