Ethical Hacking News
A new wave of sophisticated fileless malware attacks has emerged, leveraging PowerShell-based shellcode loaders and Remcos RAT to bypass traditional security defenses. This complex attack vector demands attention from organizations seeking to safeguard their systems against evolving threat landscapes.
Sophisticated, evasive malware is driving a surge in fileless attacks that slip past traditional security measures. A new campaign uses PowerShell-based shellcode loaders to deploy the notorious Remcos RAT, bypassing conventional defenses, and threat actors are relying on tactics such as mshta.exe and obfuscated HTA files to deliver malicious payloads. Remcos RAT gives threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. The emergence of fileless versions of Remcos RAT underscores the need for advanced email security measures, such as detecting and blocking malicious LNK attachments. The use of bitmap resources to conceal malicious payloads is a steganography technique that can bypass traditional security mechanisms. Threat actors are also using phishing campaigns, trojanized software, and booby-trapped documents to deliver malware, and AI-powered campaigns are producing polymorphic tricks that mutate in real time to sidestep detection.
The world of cybersecurity has witnessed an unprecedented surge in sophisticated and cunning attacks, with malware actors employing innovative tactics to evade traditional security measures. A recent report by Qualys security researcher Akshay Thorve shed light on a new malware campaign that leverages PowerShell-based shellcode loaders to deploy the notorious Remcos RAT (Remote Access Trojan). This article delves into the intricacies of this fileless malware attack and its implications for organizations.
The attackers delivered malicious LNK files inside ZIP archives, often disguised as Office documents. The Windows shortcut (LNK) file in the archive invoked mshta.exe, a legitimate Microsoft tool for running HTML Applications (HTA), to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server. That HTA carried Visual Basic Script code that downloaded a PowerShell script, a decoy PDF, and a second HTA file called "311.hta." The HTA file also modified the Windows Registry so that "311.hta" is launched automatically at system startup.
The PowerShell script executed subsequent steps, including decoding and reconstructing a shellcode loader. This ultimately led to the launch of the Remcos RAT payload entirely in memory. The malware offered threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft.
Remcos RAT is a well-known malware that features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes. Furthermore, it established a persistent TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," enabling the malware to maintain ongoing channels for data exfiltration and control.
The emergence of fileless versions of Remcos RAT is not a new phenomenon, as Fortinet FortiGuard Labs detailed a phishing campaign in November 2024 that employed order-themed lures to deliver the malware. However, this latest attack represents an evolution of threat actors' tactics, leveraging PowerShell-based shellcode loaders and mshta.exe to bypass conventional defenses.
The rise of PowerShell-based attacks like the new Remcos RAT variant underscores the need for advanced email security measures, such as detecting and blocking malicious LNK attachments before they reach users. Real-time scanning of PowerShell commands for suspicious behaviors is also crucial in preventing these types of attacks.
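The two defensive checks the article calls for, blocking LNK attachments and flagging suspicious PowerShell, can be prototyped against endpoint telemetry and mail attachments. The script below is an added example written for this page, not code from the Qualys report or from any product: the process-creation records and the ZIP attachment are constructed in memory, and the event field names (`parent`, `image`, `cmdline`) are assumptions rather than any vendor's schema. It flags mshta.exe fetching an HTA from a remote URL, PowerShell spawned by mshta.exe, and encoded or hidden-window PowerShell, and it detects shortcut files in a ZIP by both extension and the LNK header so a renamed shortcut is still caught.

```python
"""Triage of the LNK -> mshta.exe -> PowerShell chain from the article.

Added example, not part of the original report. Telemetry and the ZIP
attachment are constructed here; field names are assumptions.
"""
import io
import re
import zipfile
from typing import Dict, List

# Constructed process-creation events resembling EDR/Sysmon telemetry (not real data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/xlab22.hta"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Documents\report.hta"},       # local HTA, benign here
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\alice\Q2.docx"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},          # scripted admin task
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# PowerShell accepts abbreviated parameters, so match -e / -ec / -enc / -EncodedCommand.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that match one or more of the chain's indicators, with reasons."""
    findings = []
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
        reasons = []
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            reasons.append("mshta.exe executing an HTA fetched from a remote URL")
        if image == "powershell.exe" and parent == "mshta.exe":
            reasons.append("PowerShell spawned by mshta.exe")
        if image == "powershell.exe" and ENCODED.search(cmd):
            reasons.append("PowerShell -EncodedCommand")
        if image == "powershell.exe" and HIDDEN.search(cmd):
            reasons.append("hidden PowerShell window")
        if reasons:
            findings.append({"cmdline": cmd, "reasons": reasons})
    return findings


# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4C00000001140200" "00000000C0000000" "00000046")


def build_sample_zip() -> bytes:
    """Constructed attachment: two shortcut stubs (one renamed to look like a document) and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_Q2.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        z.writestr("Proposal.docx", LNK_MAGIC + b"\x00" * 64)  # LNK content behind a .docx name
        z.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def lnk_entries(zip_bytes: bytes) -> List[str]:
    """Names of ZIP entries that are Windows shortcuts, by extension or by header magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            with z.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["cmdline"], "->", "; ".join(f["reasons"]))
    print("shortcut entries in attachment:", lnk_entries(build_sample_zip()))
```

In a mail gateway the attachment check would run on every archive before delivery; on the endpoint the process rules are a starting point for a detection query, and the local-HTA and `-File` events are kept in the sample to show what they intentionally do not flag.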
Moreover, the disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a .NET loader used to detonate a wide range of commodity information stealers and RATs, including Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. This loader features three stages that operate in tandem to deploy the final-stage payload: a .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware.
The use of bitmap resources to conceal malicious payloads is a steganography technique that can bypass traditional security mechanisms. This finding coincides with the emergence of several phishing campaigns engineered for credential theft and malware delivery.
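An encrypted stage stored as a bitmap resource still has to live somewhere in the pixel data, and encrypted bytes are close to uniformly distributed, so a simple entropy measurement separates such a resource from a real icon or logo. The following is an added example, not code from the Unit 42/Threatray analysis: it builds two 24-bit BMP images in memory (a smooth gradient standing in for a genuine image, and seeded random bytes standing in for an encrypted stage), reads the pixel data back through the BMP header, and classifies each by Shannon entropy. Pulling the bitmap out of a .NET resource section is assumed to be done by other tooling, and the 7.5-bit threshold is a heuristic chosen here, not a published figure.

```python
"""Entropy triage for bitmap resources that may hide an encrypted payload.

Added example for this page. Both BMP images are constructed below; the
threshold is a heuristic, not a value from the cited research.
"""
import math
import random
import struct
from collections import Counter
from typing import Tuple

ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal 24-bit BMP: BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes) + pixels.
    Width is kept a multiple of 4 so rows need no padding."""
    assert width % 4 == 0 and len(pixels) == width * height * 3
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels),
                           2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    return file_hdr + info_hdr + pixels


def parse_bmp_pixels(blob: bytes) -> bytes:
    """Return the pixel array using the data offset stored at byte 10 of the file header."""
    if blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", blob, 10)[0]
    return blob[offset:]


def benign_pixels(width: int, height: int) -> bytes:
    """Smooth gradient: the kind of highly structured data a real logo or icon contains."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            out += bytes(((x * 4) % 256, (y * 4) % 256, 128))
    return bytes(out)


def suspicious_pixels(width: int, height: int) -> bytes:
    """Stand-in for an encrypted stage: uniformly random bytes, seeded so the run is reproducible."""
    rng = random.Random(1337)
    return bytes(rng.getrandbits(8) for _ in range(width * height * 3))


def classify_bitmap(blob: bytes) -> Tuple[str, float]:
    """Label a BMP blob 'suspicious' when its pixel data looks encrypted/compressed."""
    entropy = shannon_entropy(parse_bmp_pixels(blob))
    label = "suspicious" if entropy > ENTROPY_THRESHOLD else "benign"
    return label, round(entropy, 2)


if __name__ == "__main__":
    for name, px in (("gradient", benign_pixels(64, 64)), ("random", suspicious_pixels(64, 64))):
        print(name, classify_bitmap(build_bmp(64, 64, px)))
```

Compressed images (PNG, JPEG) are also high-entropy, so this check is meant for uncompressed BMP resources; when applied to a real binary it flags resources for a closer look rather than declaring them malicious.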
Threat actors have been utilizing trojanized versions of KeePass password management software, codenamed KeeLoader, to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. Additionally, malicious installers are hosted on KeePass typosquat domains served via Bing ads, while ClickFix lures and URLs embedded within PDF documents deploy Lumma Stealer.
Booby-trapped Microsoft Office documents are used to deploy the Formbook information stealer, protected by a malware distribution service referred to as Horus Protector. Furthermore, phishing emails use blob URIs to load a credential phishing page locally, with the blob URIs served from allow-listed pages that redirect victims to a malicious site containing a link to a threat actor-controlled HTML page.
Moreover, RAR archives masquerading as setup files have been used in attacks targeting Ukraine and Poland to distribute NetSupport RAT. Phishing emails distributing HTML attachments contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs."
The rise of AI-powered campaigns has also been observed, with threat actors employing polymorphic tricks that mutate in real-time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection.
"The AI gives threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said. "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection."
In conclusion, this new wave of fileless malware attacks employing PowerShell-based shellcode loaders and Remcos RAT serves as a stark reminder of the evolving tactics employed by threat actors in their quest to evade detection. To stay ahead, organizations must invest in advanced security measures, including AI-powered solutions, to protect against these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Wave-of-Fileless-Malware-Attacks-PowerShell-Based-Shellcode-Loaders-and-Remcos-RAT-ehn.shtml
https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html
Published: Fri May 16 04:58:18 2025 by llama3.2 3B Q4_K_M