New Malware Campaign Delivers Remcos Rat Through Multi-stage

Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access.

"The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.

"These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system."

The activity is assessed to be broad and opportunistic, primarily targeting enterprise and small-to-medium business environments. The tooling and tradecraft align with typical initial access brokers, who obtain footholds to target environments and sell them off to other actors for financial gain. That said, there is no evidence to attribute it to a known threat group.

The most unusual aspect of the campaign is the reliance on intermediate text-only stagers, coupled with the use of PowerShell for in-memory reconstruction and a .NET Reactor–protected reflective loader, to unpack subsequent phases of the attack with an aim to complicate detection and analysis efforts.

The infection sequence begins with the retrieval and execution of an obfuscated Visual Basic Script ("win64.vbs") that's likely triggered by means of user interaction, such as clicking on a link delivered via socially engineered lures. The script, run using "wscript.exe," functions as a lightweight launcher for a Base64-encoded PowerShell payload.

The PowerShell script subsequently employs System.Net.WebClient to communicate with the same server used to fetch the VBS file and drop a text-based payload named "qpwoe64.txt" (or "qpwoe32.txt" for 32-bit systems) in the machine's %TEMP% directory.

"The script then enters a loop where it validates the file's existence and size," Securonix explained. "If the file is missing or below the configured length threshold (minLength), the stager pauses execution and re-downloads

Source: The Hacker News