A stealthy fileless PowerShell attack using Remcos RAT bypassed antivirus by operating in memory
Analysis Summary
# Tool/Technique: Remcos RAT Deployment via PowerShell Fileless Attack
## Overview
This summary describes a stealthy, fileless malware campaign built on a multi-stage infection chain: a deceptive LNK file inside a ZIP archive starts the chain, and it ends with the in-memory deployment of the Remcos Remote Access Trojan (RAT) by an obfuscated PowerShell script. The attack relies on operating entirely in memory to evade detection.
## Technical Details
- Type: Malware Payload (Remcos RAT) and Infection Technique (Fileless Loader)
- Platform: Windows
- Capabilities: Initial access via LNK/MSHTA, defense evasion (Windows Defender bypass), persistence via registry modification, in-memory execution of shellcode/RAT, dynamic API resolution, remote control.
- First Seen: Not stated in the source text; the source describes it as a new attack observed by Qualys TRU.
## MITRE ATT&CK Mapping
Mapping based on the observed initial execution and fileless nature:
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1564.003 - Hide Artifacts: Network Share Discovery (Implied by file paths for staging)
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Implied by altering registry settings)
- **TA0004 - Privilege Escalation** (Potential, often associated with RAT installation)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (e.g., TLS connection)
## Functionality
### Core Capabilities
- **Initial Access:** Leverages a deceptive ZIP containing a LNK file, which executes using `MSHTA.exe`.
- **Staging:** Launches an obfuscated VBScript that drops `24.ps1` (a PowerShell script) into the public user directory and executes it.
- **Payload Execution:** The PowerShell script builds and executes shellcode intended to load the 32-bit Remcos RAT directly into memory.
- **Persistence:** Alters Windows registry settings to ensure the malware or components survive reboots.
### Advanced Features
- **Fileless Operation:** The attack operates largely in memory, avoiding writing the main Remcos payload to disk, bypassing traditional antivirus scanning.
- **Evasion:** Includes specific steps for bypassing Windows Defender.
- **Shellcode Loader:** Uses custom shellcode that dynamically resolves API addresses by "walking the Process Environment Block (PEB)". This avoids static import tables, frustrating analysis.
- **C2 Communication:** Remcos establishes a reliable channel using a TLS connection.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: `24.ps1` (Heavily obfuscated PowerShell script)
- Registry Keys: [Registry settings altered for persistence - specifics not provided]
- Network Indicators: `readysteaurants[.]com` (C2 server address)
- Behavioral Indicators: Execution chain starting from LNK -> MSHTA.exe -> VBScript -> PowerShell execution in memory; dynamic resolution of Win32 APIs via PEB walking.
## Associated Threat Actors
- Associated threat actor is not explicitly named in the context provided.
## Detection Methods
- **Signature-based detection:** Traditional AV may struggle due to fileless nature and obfuscation.
- **Behavioral detection:** Monitoring for suspicious launch patterns (like LNK executing MSHTA), creation of obfuscated PowerShell sessions downloading/executing shellcode, and registry modifications for persistence.
- **YARA rules:** Not provided, but would be useful for detecting specific shellcode or the Remcos payload signatures once decrypted in process memory.
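As an added example (not code from the Qualys report), the following Python detector applies the behavioural chain described above to constructed Sysmon-style process-creation events: it flags PowerShell processes descended from `mshta.exe` and records loader-style command-line traits. The event field names, `wscript.exe` as the VBScript host and the sample command lines are assumptions.

```python
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:          # Sysmon Event ID 1-like shape (field names assumed)
    pid: int
    ppid: int
    image: str            # full path of the created process
    cmdline: str
# Loader-style command-line traits: encoded or hidden-window execution, or a
# .ps1 staged under the public profile (the report names 24.ps1 there).
PS_TRAITS = re.compile(
    r'-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|\\users\\public\\[^\s"]*\.ps1',
    re.IGNORECASE)
def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def lineage(pid: int, by_pid: dict) -> list:
    """Executable names from pid up to the root, child first."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names

def detect(events: list) -> list:
    """One finding per PowerShell process that has mshta.exe in its ancestry
    (the LNK -> MSHTA -> VBScript -> PowerShell chain), with its traits."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        chain = lineage(e.pid, by_pid)
        if "mshta.exe" not in chain[1:]:
            continue
        traits = sorted({m.group(0).strip().lower() for m in PS_TRAITS.finditer(e.cmdline)})
        findings.append({"pid": e.pid, "chain": " <- ".join(chain), "traits": traits})
    return findings

# Constructed sample telemetry: explorer opens the LNK, mshta runs the VBScript
# through wscript (assumed host), and the script starts the loader; pid 500 is benign.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\x\Downloads\lure.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe //B C:\Users\Public\stage.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -File C:\Users\Public\24.ps1"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]
```

Running `detect(SAMPLE)` returns a single finding for pid 400 with the full parent chain and the traits `-w hidden` and the staged `24.ps1` path, while the PowerShell launched directly from explorer is not reported.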
## Mitigation Strategies
- **Prevention measures:** Blocking execution of files originating from ZIP/archived content until verified; disabling or carefully monitoring scripts launched via MSHTA.exe; restricting PowerShell execution policies where appropriate.
- **Hardening recommendations:** Implementing robust Endpoint Detection and Response (EDR) solutions capable of monitoring memory injection and script block logging for PowerShell. Maintaining up-to-date signatures for known Remcos variants.
## Related Tools/Techniques
- **Remcos RAT:** The final payload, a known Remote Access Trojan.
- **MSHTA.exe:** Used as an initial execution vector to execute embedded scripts.
- **PowerShell:** Used as a fileless, in-memory loader mechanism.