Fileless Remcos Attacks on the Rise

MITRE Techniques

• [T1566] Phishing – Email with an archive attachment “EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz” was used to deliver the initial payload.
• [T1204.002] User Execution: Malicious File – The victim extracted and executed a batch file from the archive which launched the next-stage PowerShell script.
• [T1059.001] PowerShell – Obfuscated PowerShell script executed hidden PowerShell process, used custom de-obfuscation and Invoke-Expression to run downloaded payload (‘…the script reads the content of this file, Base64 decodes it, and then attempts to decompress it using GZip…passed to Invoke-Expression…’).
• [T1105] Ingress Tool Transfer – The PowerShell script downloaded Sluknin.afm from hxxps://icebergtbilisi.ge and repeatedly retried until successful (‘…attempts to download a file from hxxps://icebergtbilisi.ge/Sluknin.afm to this path in a continuous loop…’).
• [T1569.002] Service Execution: Msiexec – PowerShell launched msiexec.exe to run the next-stage payload (PowerShell launches msiexec.exe as shown…).
• [T1055.012] Process Hollowing – msiexec.exe performed process hollowing to inject code into RMClient.exe to execute Remcos (‘…msiexec.exe used process hollowing to inject itself into RmClient.exe.’).
• [T1083] File and Directory Discovery / [T1530] Data from Information Repositories – Remcos attempted to access browser saved password files to steal credentials (the injected code is Remcos RAT trying to access browser saved password files…).
• [T1071.001] Application Layer Protocol: Web Protocols – msiexec initiated HTTP GET requests to C2 domains with custom User-Agent while retrieving random file names (GET request to malicious C2 domain and User-Agent used…).