Cybercriminals are increasingly pairing PowerShell-based shellcode loaders with proxy execution through mshta.exe to deploy the Remcos RAT. The loader stages its scripts on disk but maps the Remcos payload directly into memory, so the final stage never lands as a file for traditional scanners to inspect. The sample uses layered persistence, evasion, and data-theft techniques, which is why behavioral detection and robust endpoint protection matter more than static signatures here. #Remcos #PowerShellLoader #MSHTA #Rmc7SY4AX
Keypoints
- Remcos RAT is delivered via weaponized LNK files embedded in ZIP archives, employing mshta.exe for initial proxy execution and stealth.
- A newly discovered PowerShell-based shellcode loader loads Remcos directly into memory, bypassing Windows Defender and executing obfuscated payloads without disk artifacts.
- Remcos persists through a registry Run key, attempts a UAC bypass through the elevated ICMLuaUtil COM interface, and hollows svchost.exe to run its code under a trusted process name.
- The malware features multiple modules including keylogging, screenshot capture, clipboard access, webcam and microphone recording, and credential theft from browsers.
- Network communication occurs over TLS with the C2 server readysteaurants[.]com on port 2025, using encrypted commands and maintaining keep-alive connections.
- Remcos uses anti-analysis techniques such as vectored exception handling, debugger detection, and dynamic API resolution to evade detection and analysis.
- Qualys EDR and EPP solutions are effective in detecting and mitigating this threat, emphasizing the need for PowerShell logging, AMSI monitoring, and behavioral threat hunting.
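The key points above describe a chain that is much easier to catch on behavior than on hashes: mshta.exe running an HTA from a user profile, mshta.exe spawning PowerShell, a script dropped into C:\Users\Public, svchost.exe started by something other than services.exe, a Run-key write, and finally a connection on port 2025 from the hollowed process. The following detector is an added example, not code from the original post or from Qualys. The events are constructed Sysmon-style records modelled on the article's chain, the allow-lists and the set of PowerShell switches are assumptions, and the port-2025 connection is tagged with T1571 (Non-Standard Port), a technique the page itself does not list.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One Sysmon-style telemetry record (constructed for this example)."""
    kind: str               # "process", "file", "registry" or "network"
    pid: int                # acting process
    image: str              # full path of the acting process
    parent_image: str = ""  # process events only
    cmdline: str = ""       # process events only
    target: str = ""        # file path, registry value path, or "host:port"


def base(path: str) -> str:
    """Lower-cased last path component; tolerates both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


# Drop directory named in the article.
PUBLIC_DIR = re.compile(r"^c:[\\/]users[\\/]public[\\/]", re.I)
# HKCU/HKLM ...\CurrentVersion\Run or RunOnce values.
RUN_KEY = re.compile(r"[\\/]currentversion[\\/]run(once)?[\\/]", re.I)
# An .hta launched from anywhere under a user profile (Downloads, Temp, Public ...).
HTA_FROM_PROFILE = re.compile(r"[\\/]users[\\/][^\s\\/]+[\\/].*?\.hta\b", re.I)
# PowerShell switches typical of loaders (assumed list): hidden window, no profile,
# bypassed execution policy, encoded command.
PS_LOADER_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop\b|noprofile\b|w(?:indowstyle)?\s+hidden\b|"
    r"e(?:nc|ncodedcommand)?\b|ep\s+bypass\b|executionpolicy\s+bypass\b)", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def detect(events):
    """Run the rules over an ordered event stream and return a list of alerts.

    A process-level finding marks its PID as suspect, so later file, registry and
    network activity by that PID is tied to the chain instead of judged in isolation.
    """
    alerts, suspect = [], set()

    def hit(ev, technique, why):
        suspect.add(ev.pid)
        alerts.append({"technique": technique, "pid": ev.pid, "why": why})

    for ev in events:
        img, parent = base(ev.image), base(ev.parent_image)
        if ev.kind == "process":
            if img == "mshta.exe" and HTA_FROM_PROFILE.search(ev.cmdline):
                hit(ev, "T1218.005", f"mshta.exe ran an .hta from a user profile: {ev.cmdline}")
            if parent == "mshta.exe" and img in SCRIPT_HOSTS:
                hit(ev, "T1218.005", f"mshta.exe spawned {img}")
            if img in {"powershell.exe", "pwsh.exe"} and PS_LOADER_FLAGS.search(ev.cmdline):
                hit(ev, "T1059.001", f"loader-style PowerShell switches: {ev.cmdline}")
            if img == "svchost.exe" and parent != "services.exe":
                hit(ev, "T1055.012", f"svchost.exe started by {parent}, not services.exe (hollowing candidate)")
        elif ev.kind == "file":
            if (PUBLIC_DIR.match(ev.target) and img in {"mshta.exe"} | SCRIPT_HOSTS
                    and base(ev.target).endswith((".hta", ".ps1", ".exe", ".dll", ".txt"))):
                hit(ev, "T1105", f"{img} dropped {ev.target}")
        elif ev.kind == "registry":
            if RUN_KEY.search(ev.target) and (ev.pid in suspect or img in SCRIPT_HOSTS | {"svchost.exe", "mshta.exe"}):
                hit(ev, "T1547.001", f"{img} wrote Run-key value {ev.target}")
        elif ev.kind == "network":
            host, _, port = ev.target.rpartition(":")
            if ev.pid in suspect and port.isdigit() and int(port) not in {80, 443}:
                hit(ev, "T1571", f"suspect pid {ev.pid} connected to {host} on non-standard port {port}")
    return alerts


# Constructed event stream: the article's chain followed by a benign svchost baseline.
SYS32 = r"C:\Windows\System32"
PS_EXE = rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    Event("process", 100, rf"{SYS32}\mshta.exe", r"C:\Windows\explorer.exe",
          r"mshta.exe C:\Users\victim\Downloads\xlab22.hta"),
    Event("file", 100, rf"{SYS32}\mshta.exe", target=r"C:\Users\Public\24.ps1"),
    Event("process", 101, PS_EXE, rf"{SYS32}\mshta.exe",
          r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\Public\24.ps1"),
    Event("process", 102, rf"{SYS32}\svchost.exe", PS_EXE, "svchost.exe"),
    Event("registry", 102, rf"{SYS32}\svchost.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Remcos"),
    Event("network", 102, rf"{SYS32}\svchost.exe", target="readysteaurants.com:2025"),
    Event("process", 200, rf"{SYS32}\svchost.exe", rf"{SYS32}\services.exe", "svchost.exe -k netsvcs"),
    Event("network", 200, rf"{SYS32}\svchost.exe", target="update.example.com:443"),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["technique"], alert["pid"], alert["why"])
```

The port rule deliberately fires only for a PID that an earlier rule already flagged; svchost.exe legitimately talks on many ports, so a bare "svchost to 2025" rule would be noisy, while "hollowing candidate, then Run key, then odd port" is a chain worth paging on.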
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - the malware writes a Run-key entry for persistence ("The malware modifies the Windows Registry using the following command").
- [T1218.005] System Binary Proxy Execution: Mshta - initial execution via mshta.exe running an obfuscated HTA ("MSHTA.exe executes obfuscated hta file").
- [T1105] Ingress Tool Transfer - the HTA downloads the PowerShell loader and other files into the victim's Public directory ("hta downloads multiple payloads into 'C:/Users/Public/' directory").
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers - reads browser credential stores such as logins.json and key3.db ("...scans browser directories using FindFirstFile() and FindNextFile() to steal saved credentials").
- [T1113] Screen Capture - captures screenshots of the victim's desktop ("It logs keystrokes... captures clipboard data, screenshots...").
- [T1125] Video Capture - accesses the webcam to capture frames ("...can track user idle time, access the webcam to capture frames").
- [T1560] Archive Collected Data - keylogger output is staged in a file before it is sent to the C2 ("Logged data is saved in a file and sent to the C&C server").
- [T1059.001] Command and Scripting Interpreter: PowerShell - uses a PowerShell script to reconstruct and execute the shellcode ("...downloads PowerShell script into the 'C:/Users/Public/' directory...").
- [T1055.012] Process Injection: Process Hollowing - injects its own image into svchost.exe for evasion ("It will perform process injection of its own file into svchost.exe using Process Hollowing").
- [T1027] Obfuscated Files or Information - heavy obfuscation in the PowerShell loader and encrypted data sections in the PE ("The downloaded PowerShell payload 24.ps1 is heavily obfuscated...").
- [T1020] Automated Exfiltration - exfiltrates collected data over the encrypted C2 channel ("Once the connection is established... Remcos server continues sending packets").
- [T1056.001] Input Capture: Keylogging - installs a keyboard hook to log keystrokes ("It logs keystrokes by setting a keyboard hook using SetWindowsHookExA").
- [T1027.001] Obfuscated Files or Information: Binary Padding - pads the shellcode loader with null bytes ("The shellcode Loader of 104 KB is padded with numerous null bytes").
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control - attempts a UAC bypass through the elevated ICMLuaUtil COM interface ("Attempts to bypass UAC by leveraging 'ICMLuaUtil Elevated' and COM object techniques").
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution - resolves API names at run time instead of importing them ("Uses the function 'CallWindowProcW' and dynamically constructs API names").
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File - stores the encrypted configuration in the resource section ("The resource section has encrypted data in 'RCData->setting' section").
Indicators of Compromise
- [File Hash] Remcos PE file (SHA-256): ab8caac901b477c08934ec63978400eb369efb655114805ccba28c48272e5dad. The PowerShell loader and the HTA are referenced by file name only (24.ps1, b63178f562b948b850f4676d4b8db1c024.ps1, xlab22.hta); no hashes for them are given here.
- [File Name] Delivered files â Weaponized LNK files embedded in ZIP archives containing malicious HTA and PowerShell scripts, e.g., xlab22.hta, 311.hta.
- [Domain] Command and Control â readysteaurants[.]com used for TLS communication over port 2025.
- [Mutex] Persistence and infection check â Mutex named Rmc-7SY4AX to prevent multiple infections on the same system.
- [IP Address] Network connections â Example IPs include 193.142.146.101 and 162.254.39.129 involved in C2 or threat activity.
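Atomic indicators like the ones above are only useful once they are refanged, normalized and validated, and once the port-2025 detail is tied to the domain or IP rather than matched on its own. The following loader and matcher is an added example, not code from the original post or from Qualys. The indicator values are transcribed from the list above; the telemetry records are constructed, the field names (host, dst_ip, dst_port, sha256, filename, mutex) are assumed, and the validation check also shows why the page's second "hash" entry, which is a file name, must not be loaded as a SHA-256.

```python
import re

# Indicators transcribed from the list above, kept in their published (defanged) form.
IOCS = {
    "sha256": {"ab8caac901b477c08934ec63978400eb369efb655114805ccba28c48272e5dad"},
    "domain": {"readysteaurants[.]com"},
    "ip": {"193.142.146.101", "162.254.39.129"},
    "mutex": {"Rmc-7SY4AX"},
    "filename": {"xlab22.hta", "311.hta", "24.ps1"},
}
C2_PORT = 2025

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
# Assumed mapping from indicator kind to the telemetry field that carries it.
FIELDS = {"sha256": "sha256", "domain": "host", "ip": "dst_ip", "mutex": "mutex", "filename": "filename"}


def refang(value: str) -> str:
    """Undo common defanging so published indicators compare equal to live telemetry."""
    return (value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize(kind: str, value: str) -> str:
    """Canonical form per indicator kind; mutex names stay case-sensitive (kernel object names are)."""
    v = refang(value.strip())
    if kind in {"sha256", "domain", "filename"}:
        v = v.lower()
    if kind == "domain":
        v = v.rstrip(".")  # DNS logs may carry the trailing root dot
    return v


def validate(kind: str, value: str) -> bool:
    """Reject malformed indicators before they reach a blocklist."""
    v = normalize(kind, value)
    if kind == "sha256":
        return bool(SHA256_RE.match(v))
    if kind == "ip":
        return bool(IPV4_RE.match(v))
    if kind == "domain":
        return "." in v and " " not in v
    return bool(v)


def load_iocs(raw=IOCS):
    """Return (normalized index by kind, list of rejected (kind, value) entries)."""
    index, rejected = {}, []
    for kind, values in raw.items():
        for val in values:
            if validate(kind, val):
                index.setdefault(kind, set()).add(normalize(kind, val))
            else:
                rejected.append((kind, val))
    return index, rejected


def match_record(record: dict, index: dict) -> list:
    """Match one telemetry record against the index; return the (kind, value) pairs that hit.

    The C2 port only counts when the same record also matched a domain or IP,
    so an unrelated service on 2025 does not produce a false positive.
    """
    hits = []
    for kind, field in FIELDS.items():
        if field in record:
            val = record[field] if kind == "mutex" else normalize(kind, str(record[field]))
            if val in index.get(kind, set()):
                hits.append((kind, val))
    if record.get("dst_port") == C2_PORT and any(k in ("domain", "ip") for k, _ in hits):
        hits.append(("c2_port", str(C2_PORT)))
    return hits


def scan(records, index):
    """Return (event type, hits) for every record that matched at least one indicator."""
    return [(r["event"], hits) for r in records if (hits := match_record(r, index))]


# Constructed telemetry: upper-case and trailing-dot variants test the normalization,
# the wrong-case mutex must not match, and the last record is benign.
RECORDS = [
    {"event": "dns", "host": "READYSTEAURANTS.com."},
    {"event": "netconn", "dst_ip": "193.142.146.101", "dst_port": 2025},
    {"event": "file", "filename": "Remcos.exe",
     "sha256": "AB8CAAC901B477C08934EC63978400EB369EFB655114805CCBA28C48272E5DAD"},
    {"event": "mutex", "mutex": "rmc-7sy4ax"},
    {"event": "dns", "host": "update.example.com"},
]

if __name__ == "__main__":
    idx, bad = load_iocs()
    print("rejected:", bad)
    for event, hits in scan(RECORDS, idx):
        print(event, hits)
```

Hunting for the mutex is the cheapest host-side check of the three kinds: a name like Rmc-7SY4AX is created by the implant to avoid double infection, so enumerating named objects on a suspect host and comparing against the loaded index catches the infection even when the hollowed svchost.exe has no on-disk artefact.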