
Fileless Attack Utilizes Remcos RAT Through PowerShell Loader

A covert PowerShell attack that runs the Remcos Remote Access Trojan entirely in memory evaded antivirus protections

Kaspersky has uncovered a stealthy fileless malware attack that deploys the Remcos Remote Access Trojan (RAT) through a PowerShell loader. Because the final payload is decoded and executed in memory rather than written to disk as an executable, file-scanning antivirus products see only scripts and miss the RAT itself.

Remcos is loaded by custom shellcode that walks the Process Environment Block (PEB) to locate the modules already mapped in the process and resolve the Win32 API addresses it needs at run time. Since the loader carries no import table naming those functions, static analysis and signature tools that key on imports have nothing to flag.
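The following scanner is an added example written for this page; it is not Kaspersky's tooling and not code from the attack. It looks for the instruction sequences a PEB-walking loader needs: the read of the PEB pointer out of the TEB (fs:[0x30] on 32-bit, gs:[0x60] on 64-bit) followed shortly by loads of PEB.Ldr and PEB_LDR_DATA.InMemoryOrderModuleList. The sample buffers are constructed, modelled on the widely published Metasploit-style resolver prologue, and the example covers 64-bit as well as the 32-bit case the article describes. The byte patterns are a heuristic, not a full instruction decoder, so treat a hit as a lead for memory-scan or YARA triage rather than a verdict.

```python
"""Flag the instruction bytes a PEB-walking loader uses to find loaded modules
without an import table (added example; scans constructed buffers offline)."""
import re
from dataclasses import dataclass
from typing import List

# Encodings of the read of the PEB pointer out of the TEB: fs:[0x30] on x86,
# gs:[0x60] on x64.  The [reg+disp8] forms match ModRM mod=01 (0x40..0x7F);
# the rm=100 case would need a SIB byte, which this heuristic does not decode.
PEB_READ_PATTERNS = {
    "x86 mov eax, fs:[0x30]":     re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "x86 mov r32, fs:[r32+0x30]": re.compile(rb"\x64\x8b[\x40-\x7f]\x30"),
    "x64 mov rax, gs:[0x60]":     re.compile(rb"\x65\x48\x8b\x04\x25\x60\x00\x00\x00"),
    "x64 mov r64, gs:[r64+0x60]": re.compile(rb"\x65\x48\x8b[\x40-\x7f]\x60"),
}

# Follow-on loads that turn that pointer into a module-list walk:
# x86 PEB.Ldr is at +0x0C and PEB_LDR_DATA.InMemoryOrderModuleList at +0x14;
# on x64 the same fields sit at +0x18 and +0x20.
LDR_WALK_PATTERNS = {
    "x86": re.compile(rb"\x8b[\x40-\x7f]\x0c.{0,8}?\x8b[\x40-\x7f]\x14", re.DOTALL),
    "x64": re.compile(rb"\x48\x8b[\x40-\x7f]\x18.{0,8}?\x48\x8b[\x40-\x7f]\x20", re.DOTALL),
}
WINDOW = 32  # bytes after the PEB read within which the Ldr loads must appear


@dataclass
class Finding:
    offset: int           # where the PEB read starts in the buffer
    description: str
    confirmed_walk: bool  # Ldr -> InMemoryOrderModuleList loads follow closely


def scan_for_peb_walk(buf: bytes) -> List[Finding]:
    """Return every PEB read, marking those followed by a module-list walk."""
    findings = []
    for desc, pat in PEB_READ_PATTERNS.items():
        arch = desc[:3]
        for m in pat.finditer(buf):
            tail = buf[m.end():m.end() + WINDOW]
            walk = LDR_WALK_PATTERNS[arch].search(tail) is not None
            findings.append(Finding(m.start(), desc, walk))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: the prologue of a Metasploit-style 32-bit API resolver,
# the shape of loader stub the article describes.
X86_LOADER_STUB = bytes([
    0xFC,                          # cld
    0xE8, 0x82, 0x00, 0x00, 0x00,  # call <resolver body>
    0x60,                          # pushad
    0x89, 0xE5,                    # mov ebp, esp
    0x31, 0xC0,                    # xor eax, eax
    0x64, 0x8B, 0x50, 0x30,        # mov edx, fs:[eax+0x30]   ; PEB
    0x8B, 0x52, 0x0C,              # mov edx, [edx+0x0C]      ; PEB.Ldr
    0x8B, 0x52, 0x14,              # mov edx, [edx+0x14]      ; InMemoryOrderModuleList
    0x8B, 0x72, 0x28,              # mov esi, [edx+0x28]      ; BaseDllName.Buffer
])

# Constructed x64 counterpart of the same walk.
X64_LOADER_STUB = bytes([
    0x48, 0x31, 0xD2,              # xor rdx, rdx
    0x65, 0x48, 0x8B, 0x52, 0x60,  # mov rdx, gs:[rdx+0x60]   ; PEB
    0x48, 0x8B, 0x52, 0x18,        # mov rdx, [rdx+0x18]      ; PEB.Ldr
    0x48, 0x8B, 0x52, 0x20,        # mov rdx, [rdx+0x20]      ; InMemoryOrderModuleList
])

# Constructed benign bytes: an ordinary function prologue plus a string.
BENIGN_BLOB = bytes([0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10]) + b"kernel32.dll\x00"

# Constructed: a lone PEB read with no Ldr walk (reported, but not confirmed).
LONE_PEB_READ = bytes([0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0xC3])

if __name__ == "__main__":
    for name, blob in [("x86 stub", X86_LOADER_STUB), ("x64 stub", X64_LOADER_STUB),
                       ("benign", BENIGN_BLOB), ("lone read", LONE_PEB_READ)]:
        for f in scan_for_peb_walk(blob):
            print(f"{name}: +0x{f.offset:x} {f.description} walk={f.confirmed_walk}")
```

Legitimate code (the CRT, anti-cheat, some packers) also reads the PEB, which is why the example separates a lone PEB read from one that is immediately followed by the Ldr walk; only the latter is the signature of a loader resolving its own imports.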

Remcos V6.0.0 Pro, the version seen in this campaign, adds several operator conveniences: each instance carries a unique UID, reports the privilege level it runs with, and tracks victim idle time more accurately than earlier builds.

The attack begins with a ZIP archive containing a deceptive LNK file disguised as a legitimate document. When the victim opens it, the LNK file invokes mshta.exe to run an obfuscated VBScript. That script then disables or evades Windows Defender, alters registry settings for persistence, and drops multiple payloads into the public user directory. Among these payloads is a heavily obfuscated PowerShell script named 24.ps1.

24.ps1 assembles a shellcode loader and runs a 32-bit Remcos build entirely in memory through Win32 API calls, so no Remcos executable is ever written to disk. Once running, Remcos V6.0.0 Pro uses UAC bypass techniques, hollows out svchost.exe to host itself, and applies anti-debugging checks to stay stealthy.

Once active, Remcos establishes a TLS connection to a command-and-control (C2) server at . The configuration data in Remcos V6.0.0 Pro includes server addresses, operational flags, and keylogging settings.

Remcos V6.0.0 Pro includes multiple modules for command execution, keylogging, webcam access, and clipboard theft. It also logs keystrokes and browser data, targeting files like and .

One of the more concerning features of Remcos V6.0.0 Pro is that it keeps a persistent channel open for both data exfiltration and remote control. It also reports each victim's public IP address, which makes it easier for the operator to locate and track infected systems.

Moreover, this version of Remcos adds a group view for managing infected hosts, a sign that operators expect to handle many victims at once. Its configuration data is stored encrypted inside the binary, so the C2 addresses and settings cannot be recovered with a simple string search, which slows both manual analysis and automated detection.

As always, it's crucial to remain vigilant and practise safe computing habits to protect against such threats. Keeping antivirus and endpoint detection signatures current, treating archived LNK files and other unexpected attachments with suspicion, and patching systems and software promptly all reduce the risk. Because this chain lives in scripts and memory rather than on disk, enabling PowerShell script-block logging and watching for mshta.exe launched from Explorer gives defenders visibility that file scanning alone does not.
