Cybersecurity researchers have identified a sophisticated campaign leveraging the Remcos RAT (Remote Control and Surveillance) that employs multi-stage obfuscation and trusted Windows binaries to achieve a stealthy, in-memory system compromise. This advanced attack chain begins with a deceptive phishing email and culminates in a deep system infiltration with minimal on-disk footprint, making it particularly challenging for traditional security measures to detect.
The Remcos RAT, known for its capabilities in data theft, keystroke logging, and remote system control, is here used in a novel delivery method. Instead of relying on readily identifiable malicious files, this operation meticulously chains together layers of obfuscated scripts and legitimate system tools to bypass defenses. The campaign was brought to light by the LAT61 Threat Intelligence Team at Point Wild, who analyzed a malicious email attachment that initiated the stealthy infection.
Multi-Stage Infection Mechanism: From Phishing to In-Memory Execution
The attack commences with the user opening a phishing email containing a ZIP attachment disguised as a business document, titled “MV MERKET COOPER SPECIFICATION.zip.” Upon extraction, this archive reveals a heavily obfuscated JavaScript file, “MV MERKET COOPER SPECIFICATION.js.” The obfuscation techniques, including string-mapping functions and encoded arrays, are designed to conceal the script’s malicious intent.
When executed via Windows Script Host, this JavaScript file establishes a chain of operations. It utilizes ActiveX objects to manage HTTP communications, execute commands, and perform file operations. Subsequently, it contacts the domain almacensantangel[.]com to download a remote PowerShell script named ENCRYPT.Ps1. This PowerShell script serves as the primary loader for the Remcos RAT payload.
The ENCRYPT.Ps1 script employs multiple layers of obfuscation to reconstruct the Remcos RAT payload entirely within the victim’s memory, thereby avoiding the creation of malicious files on the disk, a common detection vector. The core payload is stored as a large Base64-encoded string within a variable named $securecontainer. A series of decoding functions, including $base64reconstruction, a rotational XOR function with a shifting key, and a $masterdecoder function, progressively decrypt and assemble the malicious code.
The $executionhandler function then executes the fully recovered script via Invoke-Expression, incorporating fallback mechanisms to ensure execution. The decrypted content reveals a .NET assembly, ALTERNATE.dll, which is loaded directly into memory using .NET Reflection APIs. This memory-only execution bypasses host-based intrusion detection systems that monitor for file system changes.
A secondary payload, Cqeqpvzeia.exe, embedded as a raw byte array with an “MZ” PE signature, is injected into aspnet_compiler.exe, a legitimate Microsoft .NET compilation tool, in a Living-off-the-Land (LotL) technique. By abusing this trusted binary, the attackers ensure that all subsequent command and control (C2) communication blends in with normal system operations, significantly raising the bar for detection.
Indicators of Compromise and Mitigation Strategies
Once fully deployed, the Remcos RAT establishes a persistent connection to a remote C2 server located at 192[.]3[.]27[.]141:8087, actively exchanging data. Evidence of the malware’s operation is found in the creation of a log file at C:\ProgramData\remcos\logs.dat, which records captured keystrokes and other system information, indicating active data staging for exfiltration.
Organizations are advised to bolster their defenses by monitoring PowerShell execution events closely, paying particular attention to commands that employ Base64 encoding or execution policy bypass flags. Suspicious outbound connections originating from system utilities like aspnet_compiler.exe to unrecognized external hosts should be investigated immediately. The presence of the file C:\ProgramData\remcos\logs.dat is a strong indicator of compromise.
To contain this threat effectively, security teams should implement measures to block known malicious URLs, hashes, and C2 infrastructure as provided in indicators of compromise (IOC) tables. This proactive approach is vital in preventing the successful exfiltration of sensitive data and maintaining system integrity against sophisticated persistent threats.
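The two recommendations above (watch PowerShell for encoded commands and execution policy bypass, watch trusted binaries such as aspnet_compiler.exe for external connections, and match the published indicators) can be turned into a small hunting script. The following is an added example written for this article, not code from the report or from Point Wild; the Event schema, the signal names and the sample telemetry are constructed here, while the C2 address, download domain, log file path and abused binary are taken from the report.

```python
"""Hunt for the signals the report recommends watching, over constructed endpoint telemetry.

Added example; not code from the report or from Point Wild. The Event schema, the signal
names and the sample events are assumptions made here; the indicators come from the report.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the report, with defanging brackets removed so they can be matched.
C2_HOSTS = {"192.3.27.141"}
DOWNLOAD_DOMAINS = {"almacensantangel.com"}
REMCOS_LOG_PATH = r"c:\programdata\remcos\logs.dat"
# Trusted binary the campaign abuses for C2 traffic.
LOTL_BINARIES = {"aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts abbreviated switches, so match the common spellings of
# -EncodedCommand followed by a Base64 blob, and of -ExecutionPolicy Bypass.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}")
EP_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:executionpolicy|ex|ep)\s+bypass\b")


@dataclass
class Event:
    """Minimal endpoint event (assumed schema): process start, network connect or file create."""
    kind: str                 # "process", "network" or "file"
    image: str = ""           # binary that performed the action
    parent_image: str = ""    # parent process, for "process" events
    command_line: str = ""
    dest_ip: str = ""
    dest_host: str = ""
    dest_port: int = 0
    path: str = ""            # created/written file, for "file" events


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True for routable public addresses; private, loopback and link-local ranges are not."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def classify(ev: Event) -> list:
    """Return the list of signals an event triggers (empty if it looks benign)."""
    hits = []
    img = basename(ev.image)
    if ev.kind == "process" and img in POWERSHELL:
        if basename(ev.parent_image) in SCRIPT_HOSTS:
            hits.append("wsh-spawns-powershell")            # JS stage launching the loader
        if ENCODED_FLAG.search(ev.command_line):
            hits.append("powershell-encoded-command")
        if EP_BYPASS.search(ev.command_line):
            hits.append("powershell-executionpolicy-bypass")
    elif ev.kind == "network":
        if img in LOTL_BINARIES and is_external(ev.dest_ip):
            hits.append("lotl-binary-external-connection")  # aspnet_compiler.exe talking out
        if ev.dest_ip in C2_HOSTS:
            hits.append("known-c2-address")
        if ev.dest_host.lower() in DOWNLOAD_DOMAINS:
            hits.append("known-download-domain")
    elif ev.kind == "file" and ev.path.lower() == REMCOS_LOG_PATH:
        hits.append("remcos-log-file")
    return hits


def scan(events):
    """Return (index, signals) for every event that triggered at least one signal."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


# Constructed sample telemetry: three events modelled on the chain in the report, two benign.
SAMPLE_EVENTS = [
    Event("process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          command_line="powershell.exe -NoP -ExecutionPolicy Bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    Event("network", image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
          dest_ip="192.3.27.141", dest_port=8087),
    Event("file", image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
          path=r"C:\ProgramData\remcos\logs.dat"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"),
    Event("network", image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_ip="93.184.216.34", dest_host="example.com", dest_port=443),
]

if __name__ == "__main__":
    for index, signals in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(signals)}")
```

In practice the events would come from process-creation, network and file-creation telemetry (for example Sysmon or an EDR export) rather than the inline list; the point of keeping the "lotl-binary-external-connection" signal separate from the "known-c2-address" match is that the former still fires when the operators move to infrastructure not yet in any indicator table.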