Current Cyber Threats

Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

Summary:
Cybercriminals are increasingly using PowerShell to conduct stealthy, fileless attacks that bypass traditional antivirus and endpoint defenses by executing code directly in memory. A recent campaign analyzed by Qualys Threat Research Unit demonstrates this trend through the deployment of Remcos RAT, a sophisticated remote access trojan known for its persistence and full system control capabilities. In this attack, adversaries used malicious LNK files embedded in ZIP archives, often disguised as Office documents, and leveraged mshta[.]exe to execute an obfuscated HTA file. This script disables Windows Defender protections, modifies the registry for persistence, and downloads additional payloads into the public user directory.

The primary payload is a PowerShell script that is heavily obfuscated and reconstructs two Base64-encoded blobs that contain a shellcode loader and a 32-bit PE file. The loader uses low-level Windows APIs such as VirtualAlloc and CallWindowProcW to execute code directly in memory while evading static imports by dynamically resolving API functions through traversal of the Process Environment Block. The decrypted payload is a new version of Remcos RAT, which operates via multiple threads and includes features such as keylogging, clipboard access, screenshot capture, microphone and webcam recording, and credential theft from browser storage. It establishes a connection to a command-and-control server using TLS and communicates using a custom protocol with specific command identifiers for a wide range of surveillance functions.

Security Officer Comments:
Remcos ensures persistence through registry modifications, mutex checks, and process hollowing into legitimate system processes. It also includes anti-analysis measures such as debugger detection and memory obfuscation. The malware's latest version, Remcos V6.0.0 Pro, introduces enhancements including group management of infected systems, unique identifiers for each instance, privilege display, and more precise idle time tracking.

Suggested Corrections:
Enable PowerShell Logging and AMSI Integration: Configure detailed script block and module logging via Group Policy. Integrate Antimalware Scan Interface to inspect and block malicious scripts at runtime.

Harden Email and File Attachments: Filter and block inbound emails containing executable content within archive files, particularly .LNK files embedded in ZIPs. Implement strong attachment scanning with sandboxing.

Monitor for Suspicious PowerShell and Registry Activity: Set up behavioral detections for PowerShell processes writing to registry autorun keys or executing from uncommon directories, especially with hidden window flags or execution policy bypasses.

Enforce Principle of Least Privilege (PoLP): Limit administrative privileges on endpoints. Ensure users do not have local admin rights unless strictly necessary.

Apply EDR and Network Monitoring: Use endpoint detection and response (EDR) solutions that track in-memory execution and detect anomalous behavior such as process injection, hollowing, and direct system call use.

Block Known Malicious Infrastructure: Monitor and block outbound connections to known command-and-control domains. Inspect traffic for anomalies on non-standard ports.

Regularly Update and Patch Systems: Ensure that all systems and software are up to date.
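As an added illustration of the behavioral detections recommended above (not code from the bulletin or from Qualys), the following Python scores constructed process-creation events against the indicators the campaign exhibits: mshta.exe spawning PowerShell, hidden window flags, execution policy bypass, execution from the public user directory, and writes to autorun registry keys. The event field names follow Sysmon Event ID 1 conventions; the sample events and the two-indicator threshold are assumptions made for this example.

```python
import re

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-File C:\\Users\\Public\\update.ps1",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v Updater /t REG_SZ /d C:\\Users\\Public\\svc.exe",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    {"ParentImage": "C:\\Windows\\explorer.exe",   # benign admin script, should not fire
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1",
     "CurrentDirectory": "C:\\Scripts\\"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is (name, predicate). Regexes are case-insensitive and accept the
# abbreviated PowerShell switches (-w hidden, -ep bypass, -exec bypass).
RULES = [
    ("mshta_spawns_powershell", lambda e: _basename(e["ParentImage"]) == "mshta.exe"
        and _basename(e["Image"]) == "powershell.exe"),
    ("hidden_window", lambda e: re.search(r"-w\w*\s+hidden", e["CommandLine"], re.I) is not None),
    ("execution_policy_bypass", lambda e: re.search(r"-e(x\w*|p)\s+bypass", e["CommandLine"], re.I) is not None),
    ("runs_from_public_dir", lambda e: "\\users\\public\\" in (e["CommandLine"] + e["CurrentDirectory"]).lower()),
    ("autorun_registry_write", lambda e: re.search(r"currentversion\\run", e["CommandLine"], re.I) is not None
        and _basename(e["Image"]) in ("reg.exe", "powershell.exe")),
]

def evaluate(event):
    """Return the names of all rules the event triggers, in RULES order."""
    return [name for name, pred in RULES if pred(event)]

def triage(events, threshold=2):
    """Return (image basename, triggered rules) for events with at least
    `threshold` indicators, so a lone weak hit does not page anyone."""
    flagged = []
    for event in events:
        hits = evaluate(event)
        if len(hits) >= threshold:
            flagged.append((_basename(event["Image"]), hits))
    return flagged

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```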

Link(s):
https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html