PowerShell-Based Loader Deploys Remcos RAT in New Fileless Attack


A stealthy fileless malware attack leveraging PowerShell to deploy Remcos RAT has been observed bypassing traditional antivirus systems by operating entirely in memory, avoiding any obvious traces on disk.

The campaign, uncovered by the Qualys Threat Research Unit (TRU), begins with a ZIP archive containing a deceptive LNK file, disguised as a legitimate document.

Once executed, this file uses MSHTA.exe to launch an obfuscated VBScript, initiating a chain of events that includes:

  • Bypassing Windows Defender

  • Altering registry settings for persistence

  • Dropping multiple payloads into the public user directory

Among these payloads is a heavily obfuscated PowerShell script named 24.ps1, which builds a shellcode loader and executes a 32-bit variant of Remcos RAT directly in memory using Win32 APIs.

Advanced Memory Injection and Evasion

Remcos is deployed using custom shellcode that walks the Process Environment Block (PEB) and its loaded-module list to resolve API addresses at runtime. Because the loader carries no hardcoded import table, static analysis and signature-based tools have nothing obvious to match on.

Once active, Remcos establishes a TLS connection to a command-and-control (C2) server at readysteaurants[.]com, maintaining a persistent channel for data exfiltration and control.


The malware features multiple modules for command execution, keylogging, webcam access and clipboard theft. It also leverages UAC bypass techniques, process hollowing into svchost.exe, and uses anti-debugging methods to thwart analysis.

Features of Remcos V6.0.0 Pro

The latest version of Remcos includes enhancements that bolster its effectiveness:

  • Group view for managing infected hosts

  • Unique UID for each instance

  • Privilege level display

  • Public IP visibility

  • Improved idle-time tracking

Configuration data, stored in encrypted form within the binary, includes server addresses, operational flags and keylogging settings. Notably, it logs keystrokes and browser data, targeting files like logins.json and key3.db.

“Remcos RAT is a stealthy, PowerShell-based malware that uses advanced evasion techniques to avoid detection. It operates in memory, making it hard to catch with security tools. This highlights the importance of monitoring LNK files, MSHTA abuse, registry changes, and unusual PowerShell activity,” Qualys warned.

“To stay protected, ensure PowerShell logging, AMSI monitoring and strong EDR solutions are in place. Early detection is key to stopping threats like Remcos.”
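The detection points Qualys lists (LNK files, MSHTA abuse, registry changes, unusual PowerShell activity) map directly onto the chain described earlier: a LNK launched from Explorer runs MSHTA.exe, MSHTA runs a script that starts PowerShell, the script lives in the public user directory, and the same processes alter the registry. As an added example (not Qualys TRU's code or anything from the article), the following Python scores constructed Sysmon-style process-creation and registry-set records against exactly those behaviours. The field names, the registry paths on the watch list, the pids and every sample event are assumptions made for illustration.

```python
"""Score process-creation and registry-set events for the LNK -> MSHTA -> PowerShell chain.

Added example, not Qualys TRU's code. The event dictionaries mimic Sysmon
EventID 1 (process create) and EventID 13 (registry value set) loosely;
all field names, paths and sample values are constructed.
"""
import ntpath

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
PUBLIC_DIR = r"c:\users\public"          # the article: payloads dropped into the public user directory
# Assumed watch list: classic autorun persistence and Defender configuration keys.
WATCHED_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows defender",
)

# Constructed sample telemetry: one malicious chain (pids 200/300) and one benign admin script (pid 400).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    # LNK double-clicked in Explorer: its target is mshta.exe with an obfuscated script (placeholder text).
    {"event_id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": 'mshta.exe "<obfuscated VBScript placeholder>"'},
    # The script drops and runs 24.ps1 (name from the article) from the public directory.
    {"event_id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\Public\24.ps1"},
    # Persistence write by that PowerShell process (value name constructed).
    {"event_id": 13, "pid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdaterPlaceholder"},
    # Benign: an admin runs a backup script from Explorer; should produce no alerts.
    {"event_id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def image_name(path):
    """Lower-cased file name of an image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def ancestors(pid, procs):
    """Yield image names of the ancestors of pid, walking ppid links; guards against cycles."""
    seen = set()
    proc = procs.get(pid)
    while proc is not None and proc["ppid"] not in seen:
        seen.add(proc["ppid"])
        proc = procs.get(proc["ppid"])
        if proc is not None:
            yield image_name(proc["image"])


def detect_chain(events):
    """Return (pid, rule_name) alerts for behaviours matching the described attack chain."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        if e["event_id"] == 1:
            parent = procs.get(e["ppid"])
            parent_name = image_name(parent["image"]) if parent else ""
            # LNK stage: Explorer directly launching mshta.exe.
            if name == "mshta.exe" and parent_name == "explorer.exe":
                alerts.append((e["pid"], "mshta_from_explorer"))
            if name in SHELLS:
                # PowerShell with a script host (mshta/wscript/cscript) anywhere in its ancestry.
                if any(a in SCRIPT_HOSTS for a in ancestors(e["pid"], procs)):
                    alerts.append((e["pid"], "powershell_spawned_by_script_host"))
                # Script executed out of the public user directory.
                if PUBLIC_DIR in e["command_line"].lower():
                    alerts.append((e["pid"], "powershell_script_in_public_dir"))
        elif e["event_id"] == 13:
            key = e["target_object"].lower()
            # Registry writes to autorun or Defender keys by a shell or script host.
            if name in SHELLS | SCRIPT_HOSTS and any(w in key for w in WATCHED_KEYS):
                alerts.append((e["pid"], "registry_persistence_or_defender_change"))
    return alerts


def chain_pids(events):
    """Pids that tripped more than one rule: the strongest signal of the full chain."""
    counts = {}
    for pid, _ in detect_chain(events):
        counts[pid] = counts.get(pid, 0) + 1
    return sorted(pid for pid, n in counts.items() if n > 1)


if __name__ == "__main__":
    for pid, rule in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("multi-rule pids:", chain_pids(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do run PowerShell from Explorer), which is why `chain_pids` reports only processes that trip several rules; in a real deployment the same correlation would be expressed as a SIEM rule over the process tree, with PowerShell script block logging and AMSI events supplying the content of 24.ps1 itself.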
