
Stealthy Fileless Attacks: Remcos RAT Delivered via PowerShell and LNK Files

Cybercriminals are increasingly utilizing fileless techniques to deploy the Remcos Remote Access Trojan (RAT) through PowerShell and LNK files. This sophisticated attack method allows them to bypass traditional antivirus defenses, operating entirely in memory and leaving minimal traces on disk.



Key Takeaways

  • Fileless Attack Method: Utilizes PowerShell and LNK files to deliver Remcos RAT.

  • Evasion Techniques: Operates in memory, avoiding detection by traditional antivirus systems.

  • Persistence Mechanisms: Modifies registry settings to ensure the malware runs on startup.

  • Advanced Capabilities: Remcos RAT can log keystrokes, capture screenshots, and exfiltrate sensitive data.

Overview of the Attack

The recent campaign begins with the distribution of a malicious ZIP archive containing a deceptive LNK file, which masquerades as a legitimate document. When opened, the shortcut launches mshta.exe, a legitimate Windows utility, which in turn runs an obfuscated VBScript. This script is designed to bypass Windows Defender and modify registry settings for persistence.

Execution Flow

  1. Initial Infection: The user opens a ZIP file containing a malicious LNK file.

  2. Script Execution: The LNK file executes mshta.exe, which runs an obfuscated VBScript.

  3. Payload Delivery: The script downloads multiple payloads, including the Remcos RAT, into the C:\Users\Public\ directory.

  4. Memory Execution: The Remcos RAT is executed directly in memory, avoiding file-based detection.

Technical Analysis

The Remcos RAT operates using advanced techniques that allow it to evade detection:

  • Dynamic API Resolution: Rather than importing the Windows API functions it needs statically, the malware resolves their addresses at runtime, so the import table reveals little and signature-based tools have less to match on.

  • Registry Modifications: It alters registry keys to ensure it runs at startup, maintaining persistence on the infected system.

  • Data Exfiltration: Once active, Remcos establishes a secure connection to a command-and-control (C2) server, allowing attackers to exfiltrate data and maintain control over the infected machine.
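The execution flow and the persistence behaviour described above translate into three things a defender can check on a host: autorun registry entries that point into the Public directory or invoke mshta/PowerShell, files recently dropped under C:\Users\Public, and process-creation events where mshta.exe spawns powershell.exe. The script below is an added hunting example written for this article; it is not code from the original post or from any of the cited reports. It assumes an elevated PowerShell 5.1 or later session on Windows 10 or newer, and that Sysmon is installed for the process-chain check (that check is skipped if the Sysmon log is absent). The indicator pattern is a constructed starting point, not a published signature.

```powershell
# Added hunting script for the Remcos LNK -> mshta -> PowerShell chain (example code, not from the article).
# Assumes: elevated PowerShell 5.1+, Windows 10+. Sysmon is optional (see Get-MshtaToPowerShellChains).

# PowerShell adds these metadata properties to every Get-ItemProperty result; they are not registry values.
$script:PsMetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Constructed indicator pattern: the Public drop directory from the article plus the
# script hosts used in the chain. Tune it for your environment.
$script:AutorunPattern = '(?i)Users\\Public|\bmshta(\.exe)?\b|powershell.*(-enc|-e |hidden|bypass)|\bw?cscript\b'

# Persistence check: look at the user and machine Run/RunOnce keys for entries that
# point into C:\Users\Public or launch mshta/powershell/wscript/cscript.
function Get-SuspiciousRunKeyEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($script:PsMetaProps -contains $p.Name) { continue }
            if ($p.Value -is [string] -and $p.Value -match $script:AutorunPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Drop-location check: list files created under C:\Users\Public in the last N hours.
# The article names this directory as where the payloads are written.
function Get-RecentPublicFiles {
    param([int]$Hours = 24)
    $cutoff = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path 'C:\Users\Public' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Select-Object FullName, Length, CreationTime
}

# Process-chain check: Sysmon Event ID 1 (process creation) where the parent is
# mshta.exe and the child is powershell.exe, i.e. the LNK -> mshta -> loader step.
function Get-MshtaToPowerShellChains {
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-Sysmon/Operational'
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) {
        Write-Warning "Sysmon log '$log' not present; skipping process-chain check."
        return
    }
    $filter = @{ LogName = $log; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentImage -match '\\mshta\.exe$' -and $d.Image -match '\\powershell(_ise)?\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $d.ParentImage
                Child       = $d.Image
                CommandLine = $d.CommandLine
            }
        }
    }
}

# Run all three checks and print whatever they find.
Get-SuspiciousRunKeyEntries   | Format-Table -AutoSize
Get-RecentPublicFiles         | Format-Table -AutoSize
Get-MshtaToPowerShellChains   | Format-List
```

The Run-key check deliberately skips only PowerShell's own provider metadata properties by exact name, so a malicious value that happens to start with "PS" is still inspected. Without Sysmon, the same parent/child relationship can be recovered from Security Event ID 4688 if command-line auditing is enabled, but the field names differ and the function above does not handle that case.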

Features of Remcos RAT V6.0.0

The latest version of Remcos includes several enhancements:

  • Group Management: Allows attackers to organize infected machines into groups.

  • Unique Identifiers: Each instance of Remcos has a unique UID for tracking.

  • Improved Tracking: Enhanced idle-time tracking and visibility of the victim's public IP address.

  • Keylogging and Surveillance: Capable of logging keystrokes, capturing screenshots, and accessing the webcam and microphone.

Recommendations for Defense

To mitigate the risks associated with this type of attack, organizations should implement the following measures:

  • Enable PowerShell Logging: Monitor PowerShell activity to detect suspicious commands.

  • Utilize AMSI: Activate the Antimalware Scan Interface to scan scripts in real-time.

  • Deploy Robust EDR Solutions: Ensure endpoint detection and response systems are in place to identify and respond to threats quickly.
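The first two recommendations can be verified and applied on a host directly. The script below is an added configuration and hunting example written for this article, not code from the original post or from any vendor. It assumes an elevated PowerShell 5.1 or later session on a standalone Windows 10 or newer host; in a domain the same policy values should be set through Group Policy rather than by writing the policy keys. The keyword pattern used to search script-block events is a constructed starting point, not a published rule.

```powershell
# Added example: turn on PowerShell logging, confirm AMSI providers are registered,
# and search the resulting script-block events (not code from the article).
# Assumes: elevated PowerShell 5.1+, Windows 10+, standalone host (use GPO in a domain).

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script Block Logging (Event ID 4104): records script blocks after PowerShell has
#    decoded them, so a loader that unpacks itself in memory is still logged in the clear.
$sbl = Join-Path $psPolicy 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Type DWord -Value 1

# 2. Module Logging (Event ID 4103): records pipeline execution details for all modules.
$ml = Join-Path $psPolicy 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Type DWord -Value 1
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Type String -Value '*'

# 3. Enlarge the Operational log (256 MB) so 4104 events are not rolled over before review.
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:268435456

# 4. AMSI is on by default on Windows 10+; "activating" it means confirming that at least
#    one provider is registered and that the AV behind it is running.
function Get-AmsiProviders {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Provider = $name }
    }
}

function Get-DefenderStatus {
    # Real-time protection state plus any path exclusions; an unexpected exclusion on a
    # user-writable directory such as C:\Users\Public deserves a closer look.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $prefs  = Get-MpPreference      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        ExclusionPaths            = ($prefs.ExclusionPath -join '; ')
    }
}

# 5. Hunt in the 4104 events produced by step 1. Constructed keyword set: base64 decoding,
#    dynamic evaluation, memory allocation (a common marker of in-memory shellcode loaders),
#    the Public drop directory from the article, and remote download helpers.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $pattern = '(?i)FromBase64String|Invoke-Expression|\bIEX\b|VirtualAlloc|Users\\Public|DownloadString|DownloadFile'
    $filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $m = $_.Message -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Snippet = $m.Substring(0, [Math]::Min(160, $m.Length))
            }
        }
}

Get-AmsiProviders            | Format-Table -AutoSize
Get-DefenderStatus           | Format-List
Find-SuspiciousScriptBlocks  | Format-Table -AutoSize -Wrap
```

Script Block Logging is the setting that matters most for this campaign: obfuscation in the LNK or VBScript stage protects the loader on disk, but whatever PowerShell finally executes is logged after decoding, which is where the keywords above should be searched rather than in the original file.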

The emergence of fileless attacks utilizing PowerShell and LNK files highlights the evolving tactics of cybercriminals. By operating in memory and leveraging trusted system binaries, these threats pose significant challenges to traditional security measures. Organizations must adopt proactive monitoring and detection strategies to defend against such sophisticated intrusions.

As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt with the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!

