Working shellcode fully in reminiscence
As soon as the obfuscated PowerShell script is executed, it decodes and reconstructs two chunks of base64-encoded information–one is a shellcode loader, the opposite a PE file (Remcos RAT).
To run this fully in reminiscence, the script depends closely on native Home windows API capabilities, equivalent to VirtualAlloc, Marshal.Copy, and CallWindowProcW, accessed through PowerShell’s capacity to interface with unmanaged code.
Moreover, to remain underneath the radar, the malware takes a sneakier route: as an alternative of overtly itemizing the Home windows instruments (APIs) it plans to make use of, it hunts them down in reminiscence on the fly. This trick, referred to as “strolling the method surroundings block (PEB),” helps it escape scanners that search for apparent clues, like recognized file names or perform calls.
“This loader re-frames Remcos as an ephemeral plug-in somewhat than a resident implant,” Soroko added. “By shifting each stage of the tool-chain into transient reminiscence and dissolving the loader itself as soon as the session ends, the operators make forensic artifacts almost as disposable because the lure ZIP.”
