Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts


A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote control and surveillance of infected systems.

Cybersecurity experts at the Qualys Threat Research Unit (TRU) have recently uncovered a sophisticated cyberattack that uses the scripting language PowerShell to secretly install Remcos RAT (Remote Access Trojan).

This method allows attackers to operate undetected by many traditional antivirus programs because the malicious code runs directly in the computer's memory, leaving very few traces on the hard drive.

For your information, Remcos RAT is a powerful tool that cybercriminals use to gain complete control over infected computers. Once installed, it allows them to spy on victims, steal data, and perform other harmful actions.

According to the Qualys TRU analysis, the attack begins when a user opens a harmful file inside a ZIP archive, new-tax311.ZIP, which contains a shortcut file 'new-tax311.lnk'. Clicking this .LNK file doesn't open a normal program. Instead, it uses a Windows tool called 'mshta.exe' to run an obfuscated PowerShell script.

This script prepares the machine to be infected with Remcos RAT. First, it tries to weaken Windows Defender by telling it to ignore the "C:/Users/Public/" folder. It also changes PowerShell settings to allow unsafe scripts to run without warning and tries to run hidden from the user. To make sure Remcos RAT starts each time the machine is turned on, the script adds an entry to the Windows Registry.

Attack Flow (Source: Qualys TRU)

The script also downloads several files to the "C:/Users/Public/" folder. One may be a fake harmless file such as pp1.pdf. It also downloads two key files: 311.hta (set to run at start-up and similar to 'xlab22.hta') and '24.ps1'. The '24.ps1' file is the main, hidden PowerShell script that contains the Remcos RAT. This script uses special Windows functions (Win32 APIs) to load and run Remcos RAT directly in the computer's memory, avoiding detection by file-based security.

The Remcos RAT the TRU researchers analysed is a 32-bit V6.0.0 program designed to be stealthy and give attackers control over infected computers. It has a modular design, which means it has different parts that can perform different tasks. The program also stores encrypted data, which it decrypts when needed.

This encrypted data contains the address of the remote server it connects to (readysteaurantscom on port 2025 using a secure connection called TLS), the malware's name (Remcos), and a special code (Rmc-7SY4AX) it uses to identify whether the machine is already infected.

Remcos can perform various harmful actions, including keylogging, copying clipboard content, taking screenshots, recording from microphones and webcams, and stealing user information. It also tries to prevent security programs from analysing it.

The Qualys TRU team emphasizes that users should make sure PowerShell logging and AMSI monitoring (a Windows feature that helps detect malicious scripts) are turned on, and should use a strong EDR (Endpoint Detection and Response) solution for better protection.
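The following audit script is an added example written for this article, not code from Qualys TRU, Hackread or the campaign itself. It checks a Windows host for the traces the analysis describes (a Defender exclusion on C:\Users\Public, a Run-key entry pointing at mshta.exe or an .hta file, and a weakened execution policy) and confirms that PowerShell Script Block Logging is enabled so that in-memory script activity is recorded. The registry paths and cmdlets are standard Windows/Defender ones; the pattern of what counts as "suspicious" is an assumption based only on the indicators named above. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article): audit a host for the traces described above
# and verify that Script Block Logging (event ID 4104) is turned on.
$findings = @()

# 1. Defender exclusion covering the world-writable C:\Users\Public folder
try {
    $exclusions = (Get-MpPreference).ExclusionPath
    foreach ($path in $exclusions) {
        if ($path -like '*\Users\Public*') {
            $findings += "Defender exclusion covers a world-writable folder: $path"
        }
    }
} catch {
    $findings += "Could not query Defender preferences: $($_.Exception.Message)"
}

# 2. Run-key persistence referencing mshta.exe, an .hta file, C:\Users\Public,
#    encoded PowerShell or an execution-policy bypass (pattern is an assumption)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspicious = 'mshta\.exe|\.hta|\\Users\\Public\\|powershell.*-enc|-ExecutionPolicy\s+Bypass'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ("$($p.Value)" -match $suspicious) {
            $findings += "Run key '$key' value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. Execution policy weakened at machine or user scope
foreach ($scope in 'MachinePolicy', 'UserPolicy', 'LocalMachine', 'CurrentUser') {
    $pol = Get-ExecutionPolicy -Scope $scope
    if ($pol -in 'Bypass', 'Unrestricted') {
        $findings += "Execution policy at scope $scope is $pol"
    }
}

# 4. Script Block Logging enabled through policy (writes event ID 4104)?
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = $false
if (Test-Path $sbl) {
    $enabled = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
}
if (-not $enabled) {
    $findings += 'Script Block Logging is not enabled (set EnableScriptBlockLogging=1 under the policy key)'
}

# 5. Recently logged script blocks that mention the indicators from the analysis
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Add-MpPreference.*ExclusionPath|Set-MpPreference|\\Users\\Public\\|CallWindowProc') {
        $findings += "Script block logged at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit on any of the first three checks is worth a closer look regardless of whether the host is otherwise healthy: a Defender exclusion on a public folder or a Run-key entry launching mshta.exe has no routine business justification on a workstation. The last check only returns results once Script Block Logging is on, which is why the script verifies that setting first.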

In a comment to Hackread.com, Xiaopeng Zhang, IPS Analyst and Security Researcher with Fortinet's FortiGuard Labs, stated: "The attackers behind Remcos are evolving their tactics. Instead of exploiting the CVE-2017-0199 vulnerability through malicious Excel attachments, they now use deceptive LNK files disguised with PDF icons to lure victims into executing a malicious HTA file."

Xiaopeng warned that "PowerShell continues to play a role in the campaign. However, the latest version adopts a fileless approach, using PowerShell to parse and execute Remcos directly in memory via the CallWindowProc() API. This marks a shift from previous methods, where Remcos was downloaded as a file before execution."
