New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack

New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack

Briefly

""The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News. "These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor-protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system.""

""The activity is assessed to be broad and opportunistic, primarily targeting enterprise and small-to-medium business environments. The tooling and tradecraft align with typical initial access brokers, who obtain footholds to target environments and sell them off to other actors for financial gain. That said, there is no evidence to attribute it to a known threat group.""

""The infection sequence begins with the retrieval and execution of an obfuscated Visual Basic Script ("win64.vbs") that's likely triggered by means of user interaction, such as clicking on a link delivered via socially engineered lures. The script, run using "wscript.exe," functions as a lig""