A brand new and misleading multi-stage malware marketing campaign has been recognized by the Lat61 Risk Intelligence workforce at safety agency Level Wild. The assault makes use of a intelligent method involving malicious Home windows Shortcut, or LNK, information, a easy pointer to a program or file, to ship a harmful remote-access trojan (RAT) often known as REMCOS.
The analysis, led by Dr. Zulfikar Ramzan, the CTO of Level Wild, and shared with Hackread.com, reveals that the marketing campaign begins with a seemingly innocent shortcut file, presumably hooked up to an e-mail, with a filename like “ORDINE-DI-ACQUIST-7263535.”
When a consumer clicks on it, the LNK file discreetly runs a PowerShell command within the background. On your info, PowerShell is a robust command-line instrument Home windows utilises for job automation; nonetheless, on this assault, it’s used to obtain/decode a hidden payload.
This command is designed to obtain and decode a hidden payload with out triggering safety alerts, saving any information, or utilizing macros. The analysis offers particular file hashes for this LNK file, together with MD5: ae8066bd5a66ce22f6a91bd935d4eee6, to assist in detection.
The Assault’s Hidden Layers:
This marketing campaign is designed to be stealthy by utilizing just a few totally different layers of disguise. After the preliminary PowerShell command runs, it fetches a Base64-encoded payload from a distant server. It is a widespread technique to disguise malicious code in plain sight, as Base64 is an ordinary technique for encoding binary information into textual content.
As soon as the payload is downloaded and decoded, it’s launched as a Program Info File or .PIF file, which is a sort of executable usually used for older applications. The attackers disguised this file as CHROME.PIF mimicking a reliable program.
This ultimate step installs the REMCOS backdoor, giving attackers full management of the compromised system. The malware additionally ensures its persistence on the system by making a log file for its keystroke recording in a brand new Remcos folder beneath the %ProgramData% listing.
What the REMCOS Backdoor Can Do
As soon as put in, the REMCOS backdoor grants the attackers in depth management over the sufferer’s pc. The risk intelligence report notes that it will possibly carry out a variety of malicious actions, together with keylogging to steal passwords, making a distant shell for direct entry, and getting access to information.
Moreover, the REMCOS backdoor permits the attackers to regulate the pc’s webcam and microphone, enabling them to spy on the consumer. The analysis additionally revealed that the command and management (C2) infrastructure for this particular marketing campaign is hosted in Romania and the US.
This discovering highlights the necessity for warning, as these assaults can originate from wherever on this planet. Researchers advocate that customers keep cautious with shortcut information from untrusted sources, double-check attachments earlier than opening them, and use up to date antivirus software program with real-time safety.
