Palo Alto Networks has published an in-depth malware analysis tutorial detailing the dissection of a sophisticated .NET-based threat that delivers the Remcos remote access trojan (RAT).
The malware's emergence highlights a trend in which threat actors increasingly abuse legitimate development environments and tools, such as the Microsoft .NET runtime, to execute complex, multi-stage infection campaigns.
This particular sample demonstrates a high level of evasion capability, including managed-to-unmanaged code transitions, runtime API resolution, and process injection into benign executables.
The attack chain begins with a seemingly innocuous .NET executable, obfuscated to conceal its intent. This initial loader retrieves a web payload masquerading as a PDF from a compromised Bitbucket repository.
Instead of document data, the file contains Donut-generated shellcode designed to execute directly in memory. By avoiding disk writes, the attackers significantly reduce the likelihood of detection by traditional antivirus engines that rely on static signature scanning.
Palo Alto Networks analysts identified the sample during a targeted threat hunting operation and noted its ability to transition execution between different runtime environments, a hallmark of advanced intrusion techniques.
Once downloaded, the payload undergoes a simple ASCII-hexadecimal decoding routine to reconstruct the actual shellcode.
The loader uses .NET's interop services to invoke native Windows API calls dynamically, allocating executable memory with VirtualAlloc before copying the decoded payload into it.
This combination of obfuscated managed code and late-bound unmanaged calls complicates static analysis, while also bypassing many heuristics that flag suspicious imports.
Palo Alto Networks researchers noted that this deliberate API resolution at runtime allowed the attacker to omit sensitive imports from the Portable Executable (PE) header, further evading static detection.
From a technical standpoint, the payload's sophistication is evident when inspecting the in-memory AMSI and ETW bypass routines.
In-memory AMSI and ETW bypass routines (Source – GitHub)
AMSI functions such as AmsiScanBuffer are patched directly in memory with instructions that force them to always return AMSI_RESULT_CLEAN.
A representative snippet illustrates this patching mechanism:
byte[] patch = { 0x33, 0xC0, 0xC2, 0x18, 0x00 }; // xor eax,eax; ret 0x18 (returns 0 = AMSI_RESULT_CLEAN)
Marshal.Copy(patch, 0, amsiScanBufferPtr, patch.Length); // amsiScanBufferPtr: resolved address of AmsiScanBuffer
This ensures that even if security tools hook these functions, malicious buffers will appear harmless.
Similarly, calls to EtwEventWrite are replaced with a single ret instruction, effectively blinding Event Tracing for Windows, which many endpoint detection products use to correlate malicious behaviors.
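As an added, defender-side example (not code from the Palo Alto Networks tutorial or from the malware), the following Python compares the first bytes of AmsiScanBuffer and EtwEventWrite as read from a live process against the same bytes in the on-disk DLL, and names the "return immediately" stub if one is present. Reading the live bytes (for example with ReadProcessMemory) is assumed to happen elsewhere; the reference prologues below are constructed, and the AMSI patch bytes are the ones quoted above.

```python
# Added example: integrity check for in-memory AMSI/ETW patching.
# Compares a function's leading bytes in a live process with the on-disk
# image and classifies any "return immediately" stub found in their place.
from dataclasses import dataclass


@dataclass
class PatchVerdict:
    function: str
    patched: bool
    stub: str          # description of the stub found, or "" if none
    changed_bytes: int  # leading bytes that differ from the reference


def describe_stub(code: bytes) -> str:
    """Recognise short sequences that make a hooked API return at once."""
    if code[:1] == b"\xC3":
        return "ret"
    if code[:1] == b"\xC2" and len(code) >= 3:          # ret imm16
        return f"ret 0x{int.from_bytes(code[1:3], 'little'):x}"
    if code[:2] in (b"\x33\xC0", b"\x31\xC0"):           # xor eax,eax
        rest = describe_stub(code[2:])
        return f"xor eax,eax; {rest}" if rest else ""
    if code[:1] == b"\xB8" and len(code) >= 6:           # mov eax, imm32
        rest = describe_stub(code[5:])
        imm = int.from_bytes(code[1:5], "little")
        return f"mov eax,0x{imm:x}; {rest}" if rest else ""
    return ""


def check_function(name: str, reference: bytes, observed: bytes) -> PatchVerdict:
    """reference: bytes from the on-disk DLL; observed: bytes read from the process."""
    changed = sum(1 for a, b in zip(reference, observed) if a != b)
    stub = describe_stub(observed) if observed != reference else ""
    return PatchVerdict(name, observed != reference, stub, changed)


# Constructed reference prologues (NOT real amsi.dll / ntdll.dll bytes).
AMSI_REF = bytes.fromhex("4c8bdc49895b08")
ETW_REF = bytes.fromhex("4c8bdc53564157")
# Patch bytes quoted in the article: xor eax,eax; ret 0x18.
AMSI_PATCHED = bytes([0x33, 0xC0, 0xC2, 0x18, 0x00]) + AMSI_REF[5:]
ETW_PATCHED = b"\xC3" + ETW_REF[1:]   # single ret, as described for EtwEventWrite

if __name__ == "__main__":
    for name, ref, obs in (("AmsiScanBuffer", AMSI_REF, AMSI_PATCHED),
                           ("EtwEventWrite", ETW_REF, ETW_PATCHED),
                           ("AmsiScanBuffer", AMSI_REF, AMSI_REF)):
        print(check_function(name, ref, obs))
```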
One of the most technically intriguing aspects of the infection mechanism is its creation of a Common Language Runtime (CLR) instance from unmanaged shellcode.
CLRCreateInstance (Source – GitHub)
After disabling defensive hooks, the shellcode uses CLRCreateInstance and ICLRMetaHost::GetRuntime to spawn a new .NET runtime within the same process, then loads an obfuscated .NET assembly into an AppDomain.
Persistence of this execution chain
The final stage leverages the _Type.InvokeMember method to execute a specific entry point method within that assembly, which in turn spawns InstallUtil.exe in a suspended state.
The persistence of this execution chain relies heavily on process injection. The malicious assembly writes a decrypted Remcos payload into the suspended process's memory via multiple WriteProcessMemory calls before changing the memory protection back to PAGE_EXECUTE_READ with VirtualProtectEx and resuming execution.
This multi-chunk injection method may help evade memory scanners designed to detect large, contiguous malicious allocations.
Dynamic analysis conclusively shows the Remcos RAT ASCII banner embedded in the injected executable, confirming the campaign's end goal.
Remcos RAT ASCII banner (Source – GitHub)
By walking readers through every stage from initial obfuscation to final payload activation, Palo Alto Networks' tutorial not only dissects a live threat but also arms analysts with repeatable techniques for dissecting complex, hybrid-runtime malware.
This release stands out as both a detailed forensic walkthrough and a practical lab guide, making it a valuable resource for reverse engineers confronting threats that blend managed code obfuscation with native API abuse in modern attack chains.