Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts
A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote control and surveillance of infected systems.
Cybersecurity experts at the Qualys Threat Research Unit (TRU) have recently uncovered a sophisticated cyberattack that utilizes the scripting language PowerShell to secretly install Remcos RAT (Remote Access Trojan).
This method allows attackers to operate undetected by many traditional antivirus programs because the malicious code runs directly in the computer’s memory, leaving very few traces on the hard drive.
For your information, Remcos RAT is a powerful tool that cybercriminals use to gain complete control over infected computers. Once installed, it allows them to spy on victims, steal data, and perform other harmful actions.
According to the Qualys TRU analysis, the attack begins when a user opens a ZIP archive, new-tax311.ZIP, which contains a shortcut file, ‘new-tax311.lnk.’ Opening this .LNK file does not launch a document. Instead, it invokes ‘mshta.exe,’ a legitimate Windows binary, to run an obfuscated PowerShell script.
This script prepares the host for the Remcos payload. First, it tries to blind Windows Defender by adding the “C:\Users\Public\” folder as an exclusion, so anything dropped there is not scanned. It also changes PowerShell’s execution policy so that unsigned scripts run without a prompt, and it launches with a hidden window so the user sees nothing. To make sure Remcos is relaunched every time the computer starts, the script writes an autorun entry to the Windows Registry.
Attack Flow (Source: Qualys TRU)
The script also downloads several files to the “C:\Users\Public\” folder. One is a decoy, pp1.pdf, which makes the click look as if it opened a real document. Two others do the real work: 311.hta (registered to run at start-up and similar to ‘xlab22.hta’) and ‘24.ps1.’ The ‘24.ps1’ file is the main obfuscated PowerShell script and carries the Remcos RAT payload. It uses Win32 APIs to load and execute Remcos directly in memory, so no Remcos executable is written to disk for file-based scanners to inspect.
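The following is an added example, not code from the article or from the Qualys TRU report: a read-only PowerShell check for the artifacts the loader leaves behind, as described above (a Defender exclusion covering the staging folder, an autorun Registry value, dropped .hta/.ps1 files and a persistently weakened execution policy). It assumes the staging folder is C:\Users\Public and that the file names are the ones the article lists; run it in an elevated session so Get-MpPreference and the HKLM Run keys are readable.

```powershell
# Added example (not from the Qualys TRU report or the article): read-only host
# check for the Remcos loader artifacts. Assumed staging folder and drop names
# are taken from the article's description.
$PublicDir = 'C:\Users\Public'
$DropNames = @('311.hta', '24.ps1', 'pp1.pdf', 'xlab22.hta')
$Findings  = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions: an exclusion path that covers C:\Users\Public is how
#    the loader "tells Defender to ignore" its staging folder.
try {
    $prefs = Get-MpPreference -ErrorAction Stop
    foreach ($path in @($prefs.ExclusionPath)) {
        if ($path -and ($PublicDir -like "$($path.TrimEnd('\'))*")) {
            $Findings.Add("Defender exclusion covers staging folder: $path")
        }
    }
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ($proc -match '(?i)(mshta|powershell)') {
            $Findings.Add("Defender process exclusion for script host: $proc")
        }
    }
    if ($prefs.DisableRealtimeMonitoring) {
        $Findings.Add('Defender real-time monitoring is disabled')
    }
} catch {
    $Findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
}

# 2. Autorun entries: persistence is a Run/RunOnce value launching the dropped HTA.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $val = [string]$p.Value
        if ($val -match '\\Users\\Public\\|\.hta\b|mshta|-(w|windowstyle)\s*hidden') {
            $Findings.Add("Suspicious autorun ${key}\$($p.Name) = $val")
        }
    }
}

# 3. Staging files: the article's drop set, plus any .hta/.ps1 sitting directly in
#    Public, which is unusual on a workstation.
Get-ChildItem -LiteralPath $PublicDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.hta', '.ps1' -or $_.Name -in $DropNames } |
    ForEach-Object { $Findings.Add("Dropped/staged file present: $($_.FullName)") }

# 4. Execution policy: a persistent Bypass/Unrestricted setting is a tamper signal.
#    (A per-process "-ExecutionPolicy Bypass" on the command line leaves no trace here;
#    that one only shows up in PowerShell or process-creation logs.)
foreach ($scope in 'MachinePolicy', 'UserPolicy', 'LocalMachine', 'CurrentUser') {
    $pol = Get-ExecutionPolicy -Scope $scope
    if ($pol -in 'Bypass', 'Unrestricted') {
        $Findings.Add("Execution policy at scope $scope is $pol")
    }
}

if ($Findings.Count -eq 0) { 'No Remcos loader artifacts found.' } else { $Findings }
```

A clean host prints the single "no artifacts" line; each finding otherwise names the exact exclusion, Registry value or file so it can be pulled into a ticket. The check is deliberately read-only so it can be run on a suspected host before forensic collection without altering the evidence.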
The Remcos RAT sample TRU researchers analysed is a 32-bit V6.0.0 build designed to be stealthy and give attackers control over infected computers. It has a modular design, meaning separate components handle separate tasks. Its configuration is stored encrypted and decrypted only when needed.
That configuration contains the command-and-control server it connects to (readysteaurants[.]com on port 2025, over TLS), the malware’s name (Remcos), and a mutex name (Rmc-7SY4AX) that it uses to detect whether the computer is already infected and avoid running a second copy.
Remcos can perform various harmful actions, including keylogging, copying clipboard content, taking screenshots, recording from microphones and webcams, and stealing user information. It also tries to prevent security programs from analysing it.
In their research, the Qualys TRU team emphasized that defenders should turn on PowerShell logging and AMSI monitoring (a Windows feature that lets security products inspect script content before it runs, even when it never touches disk) and use a capable EDR (Endpoint Detection and Response) solution for better protection.
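As an added example (not part of the article or of any Qualys guidance), the following PowerShell enables script block logging through its policy Registry key, confirms that an AMSI provider is registered, and then searches the resulting Event ID 4104 records for combinations of the loader behaviours described earlier in this article. The indicator regexes are an assumption drawn from the article’s description of the infection chain, not a published Qualys signature; run the script elevated.

```powershell
# Added example, not from the article or the Qualys TRU report.
# 1. Turn on script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational). Deobfuscated blocks are logged
#    as they execute, which is what defeats the "fileless" angle of this loader.
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $SblKey)) { New-Item -Path $SblKey -Force | Out-Null }
Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. AMSI has no on/off switch in PowerShell 5+, but it only matters if a provider
#    (normally Defender's) is registered to receive the script content.
$AmsiProviders = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $AmsiProviders) {
    Write-Warning 'No AMSI providers registered: script content is not being scanned.'
}

# 3. Behaviours from the infection chain, as regexes over logged script text.
#    These are assumed indicators chosen from the article's description.
$Indicators = [ordered]@{
    DefenderExclusion = 'Add-MpPreference.*-ExclusionPath'
    DisableDefender   = 'Set-MpPreference.*-Disable\w+Monitoring'
    PolicyBypass      = 'Set-ExecutionPolicy.*(Bypass|Unrestricted)'
    HiddenWindow      = '-(w|windowstyle)\s*hidden'
    RunKeyPersist     = 'CurrentVersion\\Run'
    PublicStaging     = '\\Users\\Public\\'
    InMemoryLoad      = 'VirtualAlloc|CallWindowProc|Marshal\]::Copy'
    HtaLauncher       = 'mshta(\.exe)?'
}

$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -ErrorAction SilentlyContinue

foreach ($ev in $Events) {
    # For 4104 the properties are MessageNumber, MessageTotal, ScriptBlockText, ...
    $script = [string]$ev.Properties[2].Value
    $hits = @(foreach ($kv in $Indicators.GetEnumerator()) {
        if ($script -match $kv.Value) { $kv.Key }
    })
    # Any one indicator is common in admin scripting; two or more in a single
    # block is the shape of this loader and worth a look.
    if ($hits.Count -ge 2) {
        $flat = $script -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Record  = $ev.RecordId
            Hits    = ($hits -join ',')
            Preview = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
```

The two-indicator threshold keeps noise down on hosts where administrators legitimately add Defender exclusions or set execution policy; raise or lower it to suit the estate, and forward 4104 events centrally, since a loader that can add a Defender exclusion can also clear a local event log.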
In a comment to Hackread.com, Xiaopeng Zhang, IPS Analyst and Security Researcher with Fortinet’s FortiGuard Labs, stated: “The attackers behind Remcos are evolving their tactics. Instead of exploiting the CVE-2017-0199 vulnerability through malicious Excel attachments, they now use deceptive LNK files disguised with PDF icons to lure victims into executing a malicious HTA file.”
Xiaopeng warned that “PowerShell continues to play a role in the campaign. However, the latest variant adopts a fileless approach, using PowerShell to parse and execute Remcos directly in memory via the CallWindowProc() API. This marks a shift from previous methods, where Remcos was downloaded as a file before execution.”