Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
Briefly

Cybersecurity experts have unveiled a new malware campaign that uses PowerShell to deploy a remote access trojan (RAT) called Remcos. The campaign uses tax-related lures to trick users into opening malicious ZIP files containing LNK files disguised as legitimate documents. The attack uses mshta.exe to execute an obfuscated HTA file, which downloads a PowerShell script alongside other files, ultimately giving the attacker full control over compromised systems. Remcos RAT is notorious for its effectiveness in cyber espionage and data theft, and it maintains a channel for data exfiltration through a command-and-control server.
"Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report.
The attack chain leverages mshta.exe for proxy execution during the initial stage.
"Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft."
This is not the first time fileless versions of Remcos RAT have been spotted in the wild.
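For defenders, the mshta.exe stage described above is visible in process-creation telemetry. The following is an added detection sketch, not code from the Qualys report or the article: it assumes events carry Sysmon Event ID 1 field names, that the HTA is fetched by URL on the mshta.exe command line, and that script interpreters run as children of mshta.exe. The sample events, hosts, paths and rule names are constructed for illustration.

```python
import ntpath
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
CHILD_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed events with Sysmon Event ID 1 field names; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 2200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://files.example/tax-form.hta"},
    {"ProcessId": 4188, "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\Public\\stage.ps1"},
    {"ProcessId": 5200, "ParentProcessId": 2200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"ProcessId": 5300, "ParentProcessId": 2200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
]


def exe_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def detect_mshta_chain(events):
    """Alert on mshta.exe started with a remote URL and on interpreters it spawns.

    A child interpreter is rated higher when its parent mshta.exe had a URL argument.
    """
    alerts = []
    remote_mshta = {}  # ProcessId -> URL for mshta launches with a remote target
    for ev in events:
        image, parent = exe_name(ev.get("Image")), exe_name(ev.get("ParentImage"))
        if image == "mshta.exe":
            match = URL_RE.search(ev.get("CommandLine", ""))
            if match:
                remote_mshta[ev["ProcessId"]] = match.group(0)
                alerts.append(("mshta_remote_hta", ev["ProcessId"], match.group(0)))
        elif parent == "mshta.exe" and image in CHILD_INTERPRETERS:
            url = remote_mshta.get(ev.get("ParentProcessId"))
            rule = "mshta_remote_to_interpreter" if url else "mshta_spawned_interpreter"
            alerts.append((rule, ev["ProcessId"], url))
    return alerts


if __name__ == "__main__":
    for alert in detect_mshta_chain(SAMPLE_EVENTS):
        print(alert)
```

The local help.hta launch and the PowerShell session started from explorer.exe produce no alerts, which keeps the rule focused on the remote-HTA path.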
Read at The Hacker News