A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses a clever technique built around malicious Windows Shortcut (LNK) files, which are ordinarily nothing more than pointers to a program or file, to deliver a dangerous remote-access trojan (RAT) known as REMCOS.
The research, led by Dr. Zulfikar Ramzan, the CTO of Point Wild, and shared with Hackread.com, reveals that the campaign begins with a seemingly harmless shortcut file, most likely attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535” (an Italian-language “purchase order” lure).
When a user double-clicks it, the LNK file quietly runs a PowerShell command in the background. PowerShell is a powerful command-line tool that Windows uses for task automation; in this attack it is abused to download and decode a hidden payload.
The command is built to fetch and decode that payload without triggering security alerts, saving files to disk, or using Office macros. Because a shortcut carries whatever icon the attacker chooses and Explorer hides the .lnk extension even when other extensions are shown, the victim gets little visual warning. The research provides file hashes for this LNK, including MD5: ae8066bd5a66ce22f6a91bd935d4eee6, to aid detection.
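The following is an added triage script, not code from the Point Wild report, that puts the LNK stage described above into practice for defenders: it parses shortcut files without launching them, flags the ones whose command line looks like a PowerShell download cradle, and compares each file's MD5 against the hash the researchers published. The search folders and the keyword list are assumptions for illustration; only the MD5 value comes from the report.

```powershell
# Added example (not Point Wild's code): triage .lnk files for a PowerShell
# download cradle and match them against the published MD5 indicator.

$KnownBadMd5 = 'ae8066bd5a66ce22f6a91bd935d4eee6'   # MD5 of the malicious LNK, from the report

# Strings that rarely appear in a legitimate shortcut's command line but are
# typical of a PowerShell cradle (assumed list, not extracted from this sample).
$CradleIndicators = @(
    'powershell', 'pwsh', '-enc', '-EncodedCommand', '-w hidden', 'WindowStyle',
    'ExecutionPolicy Bypass', 'DownloadString', 'DownloadFile', 'Invoke-WebRequest',
    'FromBase64String', 'IEX', 'Invoke-Expression', 'Start-Process'
)

$Shell = New-Object -ComObject WScript.Shell

function Test-SuspiciousLnk {
    param([Parameter(Mandatory)][string]$Path)

    # CreateShortcut on an existing .lnk only parses it; the target is never run.
    $lnk      = $Shell.CreateShortcut($Path)
    $cmdLine  = '{0} {1}' -f $lnk.TargetPath, $lnk.Arguments
    $hits     = @($CradleIndicators | Where-Object { $cmdLine -match [regex]::Escape($_) })
    $md5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    $knownIoc = ($md5 -eq $KnownBadMd5)

    [pscustomobject]@{
        File       = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        MD5        = $md5
        KnownIoc   = $knownIoc
        Indicators = ($hits -join ', ')
        Suspicious = $knownIoc -or ($hits.Count -gt 0)
    }
}

# Sweep the places a mailed shortcut usually lands (assumed starting points).
$Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousLnk -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List File, Target, Arguments, MD5, KnownIoc, Indicators
```

Run it on a copy of the suspect files in an isolated machine rather than on the victim's desktop. Note that the Explorer Properties dialog shows only the first 260 characters of a shortcut's target, which is why attackers pad LNK command lines with whitespace; when the Arguments field above looks truncated or empty, confirm with a dedicated LNK parser rather than trusting the COM reader.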
The Attack’s Hidden Layers:
This campaign is designed to be stealthy, using several layers of disguise. After the initial PowerShell command runs, it fetches a Base64-encoded payload from a remote server. This is a common way to hide malicious code in plain sight: Base64 is a standard method for encoding binary data as text, so the transfer looks like harmless text and defeats naive signature matching on the raw binary. Base64 is encoding, not encryption; anyone who captures the payload can decode it in a single step, which is exactly what the PowerShell stage does.
Once the payload is downloaded and decoded, it is launched as a Program Information File, or .PIF file. The format dates from the MS-DOS era, when it stored settings for running DOS programs, but Windows still treats a .pif as executable: an ordinary Windows executable renamed to .pif runs just like an .exe, and Explorer hides the .pif extension by default, so the file shows up simply as “CHROME”. The attackers named theirs CHROME.PIF to mimic the legitimate Google Chrome browser, whose real binary is chrome.exe.
This final step installs the REMCOS backdoor, giving the attackers full control of the compromised system. The malware also establishes itself on the host: it creates a new Remcos folder under the %ProgramData% directory and writes its keystroke-recording log there, an artifact that survives reboots and is a useful indicator for defenders.
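The following is an added host-sweep script, not code from the Point Wild report, that looks for the artifacts the research attributes to this chain: a process or file with a .pif image (such as CHROME.PIF), the Remcos folder under %ProgramData% with its keystroke log, and PowerShell script-block log entries that download and Base64-decode a payload. The search roots, the event-keyword pattern and the output shape are assumptions for illustration; the %ProgramData%\Remcos path and the CHROME.PIF name come from the report.

```powershell
# Added example (not Point Wild's code): sweep a host for the REMCOS artifacts
# described above and print them as a findings table.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. The keystroke-log folder the malware creates under %ProgramData%.
$RemcosDir = Join-Path $env:ProgramData 'Remcos'
if (Test-Path -LiteralPath $RemcosDir) {
    Add-Finding 'RemcosDir' $RemcosDir
    Get-ChildItem -LiteralPath $RemcosDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'KeylogFile' ('{0} ({1} bytes, modified {2})' -f $_.FullName, $_.Length, $_.LastWriteTime)
    }
}

# 2. Running processes whose image is a .pif. Real Chrome is chrome.exe, so a
#    process called chrome.pif is the lookalike the report describes.
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -match '\.pif$' } | ForEach-Object {
    Add-Finding 'PifProcess' ('PID {0} {1} :: {2}' -f $_.ProcessId, $_.ExecutablePath, $_.CommandLine)
}

# 3. .pif files on disk in user-writable locations (assumed search set).
#    A .pif that is really a Windows executable starts with the 'MZ' PE header;
#    a genuine DOS-era PIF does not.
$Roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $Roots -Filter *.pif -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $head = New-Object byte[] 2
    $fs   = [System.IO.File]::OpenRead($_.FullName)
    try   { $n = $fs.Read($head, 0, 2) } finally { $fs.Close() }
    $isPe = ($n -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
    $md5  = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLowerInvariant()
    Add-Finding 'PifFile' ('{0} PE={1} MD5={2}' -f $_.FullName, $isPe, $md5)
}

# 4. Script Block Logging (event 4104) records the command PowerShell actually
#    ran, decoded, but only if logging was enabled before the intrusion.
$Pattern = 'FromBase64String|DownloadString|DownloadFile|Invoke-WebRequest|\.pif'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } | ForEach-Object {
        $msg = ($_.Message -replace '\s+', ' ')
        Add-Finding 'ScriptBlock4104' ('{0} :: {1}' -f $_.TimeCreated, $msg.Substring(0, [Math]::Min(200, $msg.Length)))
    }

$Findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that Win32_Process returns the executable path for every process and the PowerShell operational log is readable. The MZ check in step 3 is the quick way to tell a renamed executable from a harmless legacy PIF; anything that reports PE=True deserves a hash lookup and a look at its parent process.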
What the REMCOS Backdoor Can Do
Once installed, the REMCOS backdoor grants the attackers extensive control over the victim’s computer. The threat intelligence report notes that it can perform a wide range of malicious actions, including keylogging to steal passwords, opening a remote shell for direct command execution, and accessing files.
In addition, REMCOS lets the attackers control the computer’s webcam and microphone, enabling them to spy on the user. The research also found that the command-and-control (C2) infrastructure for this particular campaign is hosted in Romania and the United States.
That finding underlines the need for caution, since these attacks can originate from anywhere in the world. The researchers recommend that users stay wary of shortcut files from untrusted sources, double-check attachments before opening them, and run up-to-date antivirus software with real-time protection. Organisations can go further by blocking or quarantining .lnk and .pif attachments at the mail gateway and by enabling PowerShell script block logging, so that the decoded download command is recorded even after the shortcut itself has been deleted.