Threat actors have been spotted using a PowerShell-based shellcode loader to stealthily deploy Remcos RAT, a popular espionage-ready tool, in line with a broader shift toward fileless techniques.
As discovered by Qualys, the campaign uses a phishing lure to deliver an obfuscated .HTA (HTML Application) file that runs layered PowerShell scripts entirely in memory.
“The attackers behind Remcos are evolving their tactics,” said Xiaopeng Zhang, an IPS analyst and security researcher with Fortinet’s FortiGuard Labs. “Instead of exploiting the CVE-2017-0199 vulnerability through malicious Excel attachments, they now use deceptive LNK files disguised with PDF icons to lure victims into executing a malicious HTA file.”
Cybercriminals previously deployed Remcos RAT by exploiting a vulnerability in Microsoft Office that allowed attackers to execute arbitrary code via specially crafted documents, particularly Excel files containing malicious Object Linking and Embedding (OLE) objects.
Use of a PowerShell-based shellcode loader
In the observed attacks, threat actors deployed a PowerShell-based shellcode loader that executes malicious code directly in system memory, bypassing traditional file-based detection.
The infection chain starts with a disguised LNK shortcut phished to a victim’s system, which launches mshta.exe, a legitimate Windows utility, to execute a hidden VBScript. The script downloads and runs a heavily obfuscated PowerShell payload, which reconstructs base64-encoded shellcode into memory.
The LNK shortcut is sent to a victim, contained within a ZIP file, as an attachment masquerading as a tax document, according to a Qualys report.
“Tax season forces enterprises to relax their tightest content-filtering rules so employees can exchange government templates, PDF forms, and yes, zipped LNK shortcuts that many payroll systems still ship by default,” Jason Soroko, senior fellow at Sectigo, told CSO in a comment. “Attackers are exploiting that mandated soft spot. The very policies intended to keep auditors happy become the opening gambit for a fileless breach.”
Running shellcode entirely in memory
Once the obfuscated PowerShell script is executed, it decodes and reconstructs two chunks of base64-encoded data: one is a shellcode loader, the other a PE file (Remcos RAT).
To run this entirely in memory, the script relies heavily on Windows API functions and .NET interop helpers, such as VirtualAlloc, Marshal.Copy, and CallWindowProcW, accessed via PowerShell’s ability to interface with unmanaged code.
Additionally, to stay under the radar, the malware takes a sneakier route: instead of openly listing the Windows tools (APIs) it plans to use, it hunts them down in memory on the fly. This trick, known as “walking the process environment block (PEB),” helps it escape scanners that look for obvious clues, like known file names or function calls.
“This loader re-frames Remcos as an ephemeral plug-in rather than a resident implant,” Soroko added. “By shifting every stage of the tool-chain into transient memory and dissolving the loader itself once the session ends, the operators make forensic artifacts nearly as disposable as the lure ZIP.”
PowerShell logging, AMSI monitoring may help
Qualys researchers provided a list of indicators for security teams to set detection against, which included the domain, URL, IP, Zip, and PE names observed in the campaign.
Recommendations include keeping an eye on PowerShell logging, enabling anti-malware scan interface (AMSI) for real-time script scanning, and ensuring a robust EDR setup. “The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures,” said J Stephen Kowski, field CTO at Pleasanton. “Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors.”
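As an added example (not code from the article, Qualys or Fortinet), this is the kind of scoring a defender could run over exported Script Block Logging (Event ID 4104) text to surface the traits described above: base64 layers rebuilt at runtime and the VirtualAlloc / Marshal.Copy / CallWindowProcW interop pattern. The indicator weights, alert threshold and sample script blocks are assumptions constructed for the example.

```python
"""Score PowerShell Script Block Logging (Event ID 4104) text for the traits the article
describes: base64 layers rebuilt at runtime and unmanaged-memory interop (VirtualAlloc,
Marshal.Copy, CallWindowProcW). Weights, threshold and samples are constructed assumptions."""
import base64
import binascii
import re

INDICATORS = {  # name: (regex, weight)
    "unmanaged_alloc": (r"\bVirtualAlloc\b", 3),
    "marshal_copy": (r"Marshal\]?::Copy|Marshal\.Copy", 3),
    "callback_exec": (r"\bCallWindowProcW?\b", 3),
    "base64_decode": (r"FromBase64String", 2),
    "mshta": (r"\bmshta(\.exe)?\b", 2),
    "interop_decl": (r"\bAdd-Type\b|DllImport", 1),
}
ALERT_THRESHOLD = 5  # assumption: two interop APIs, or one plus a decoding step
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_base64_layers(text: str) -> str:
    """Decode long base64 runs so indicators one layer down become visible."""
    layers = []
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        # Encoded PowerShell is usually UTF-16LE; keep both decodings, the wrong one is harmless noise.
        layers.append(raw.decode("utf-8", errors="ignore"))
        layers.append(raw.decode("utf-16-le", errors="ignore"))
    return "\n".join(layers)

def score_script_block(text: str) -> dict:
    """Return matched indicator names, total weight and the alert decision for one block."""
    visible = text + "\n" + decode_base64_layers(text)
    hits = {n: w for n, (pat, w) in INDICATORS.items() if re.search(pat, visible, re.I)}
    score = sum(hits.values())
    return {"score": score, "hits": sorted(hits), "alert": score >= ALERT_THRESHOLD}

# Constructed samples: a routine admin command, an interop fragment with the API names in
# clear, and the same fragment hidden behind a UTF-16LE base64 layer as an outer stage.
_INNER = "[Runtime.InteropServices.Marshal]::Copy($b, 0, VirtualAlloc(0, $b.Length, 0x3000, 0x40), $b.Length)"
SAMPLE_EVENTS = [
    "Get-Service | Where-Object Status -eq Running | Export-Csv services.csv",
    "$b=[Convert]::FromBase64String($env:X);$m=VirtualAlloc(0,$b.Length,0x3000,0x40);"
    "[Runtime.InteropServices.Marshal]::Copy($b,0,$m,$b.Length);CallWindowProcW($m,0,0,0,0)",
    "Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + base64.b64encode(_INNER.encode("utf-16-le")).decode() + "')))",
]
```

Feed it the script-block text of each 4104 event; an encoded outer stage that reveals nothing in clear still alerts once the base64 layer is decoded.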
Original article: Stealth RAT uses a PowerShell loader for fileless attacks | CSO Online