A brand new and misleading multi-stage malware marketing campaign has been recognized by the Lat61 Menace Intelligence crew at safety agency Level Wild. The assault makes use of a intelligent approach involving malicious Home windows Shortcut, or LNK, information, a easy pointer to a program or file, to ship a harmful remote-access trojan (RAT) generally known as REMCOS.
The analysis, led by Dr. Zulfikar Ramzan, the CTO of Level Wild, and shared with Hackread.com, reveals that the marketing campaign begins with a seemingly innocent shortcut file, presumably hooked up to an e mail, with a filename like “ORDINE-DI-ACQUIST-7263535.”
When a consumer clicks on it, the LNK file discreetly runs a PowerShell command within the background. In your data, PowerShell is a robust command-line instrument Home windows utilises for job automation; nonetheless, on this assault, it’s used to obtain/decode a hidden payload.
This command is designed to obtain and decode a hidden payload with out triggering safety alerts, saving any information, or utilizing macros. The analysis supplies particular file hashes for this LNK file, together with MD5: ae8066bd5a66ce22f6a91bd935d4eee6, to assist in detection.
The Assault’s Hidden Layers:
This marketing campaign is designed to be stealthy through the use of just a few completely different layers of disguise. After the preliminary PowerShell command runs, it fetches a Base64-encoded payload from a distant server. It is a widespread option to cover malicious code in plain sight, as Base64 is a normal technique for encoding binary knowledge into textual content.
As soon as the payload is downloaded and decoded, it’s launched as a Program Data File or .PIF file, which is a sort of executable usually used for older packages. The attackers disguised this file as CHROME.PIF mimicking a professional program.
This ultimate step installs the REMCOS backdoor, giving attackers full management of the compromised system. The malware additionally ensures its persistence on the system by making a log file for its keystroke recording in a brand new Remcos folder beneath the %ProgramData% listing.
What the REMCOS Backdoor Can Do
As soon as put in, the REMCOS backdoor grants the attackers intensive management over the sufferer’s pc. The menace intelligence report notes that it may carry out a variety of malicious actions, together with keylogging to steal passwords, making a distant shell for direct entry, and getting access to information.
Moreover, the REMCOS backdoor permits the attackers to regulate the pc’s webcam and microphone, enabling them to spy on the consumer. The analysis additionally revealed that the command and management (C2) infrastructure for this particular marketing campaign is hosted in Romania and the US.
This discovering highlights the necessity for warning, as these assaults can originate from anyplace on the planet. Researchers advocate that customers keep cautious with shortcut information from untrusted sources, double-check attachments earlier than opening them, and use up to date antivirus software program with real-time safety.
