The Trojan Horse Inside the Windows Fortress
- Javier Conejo del Cerro
- 6 days ago
- 3 min read

Fortresses rarely fall because their walls collapse. They fall because something trusted is allowed inside.
The SHADOW#REACTOR campaign follows this ancient logic: instead of forcing entry, it disguises itself as a harmless object and lets Windows do the rest. Through a carefully engineered, multi-stage attack chain, the malware delivers Remcos RAT, establishing persistent and covert control over compromised systems while evading traditional detection.
Phase 1 – Rolling the Horse to the Gate
The attack begins with social engineering, not exploitation. Victims are lured into executing what appears to be a benign file, often delivered via links embedded in emails or other deceptive prompts.
This initial action triggers an obfuscated Visual Basic Script (win64.vbs) executed using the trusted Windows binary wscript.exe. At this stage, nothing overtly malicious is dropped — the horse is still closed, and the guards let it pass.
Phase 2 – Opening the Gates with Native Tools
Once executed, the VBS launcher invokes a Base64-encoded PowerShell payload, initiating the real intrusion.
PowerShell connects to a remote server and downloads text-only payload fragments (e.g., qpwoe64.txt) into the %TEMP% directory.
To ensure reliability, the malware implements self-healing logic:
- It verifies file size and completeness
- Re-downloads fragments if corrupted or incomplete
- Continues execution even if thresholds are not met, avoiding chain failure
This approach ensures resilience while keeping the payload invisible to signature-based scanners.
Phase 3 – The Soldiers Emerge In Memory
Once validated, the text payload reconstructs a secondary PowerShell script (jdywa.ps1) that loads a .NET Reactor–protected assembly entirely in memory.
This loader:
- Decodes subsequent stages without writing binaries to disk
- Applies anti-debugging and anti-VM checks
- Establishes persistence mechanisms
- Retrieves the final Remcos configuration remotely
At this point, the Trojan Horse is fully opened — but no obvious alarm has been triggered.
Phase 4 – Living Off the Land Inside the Fortress
The final execution step abuses another trusted Windows component: MSBuild.exe.
By leveraging this legitimate Microsoft binary as a Living-off-the-Land Binary (LOLBin), the malware launches Remcos RAT while blending into normal system activity.
Additional wrapper scripts are dropped to ensure the VBS launcher can be re-triggered, reinforcing persistence and survivability across reboots.
Phase 5 – Total Control from Within
Once active, Remcos RAT provides attackers with:
- Full remote command execution
- System profiling and surveillance
- Credential access
- Delivery of secondary payloads (e.g., miners, loaders)
- Long-term covert access to the environment
The campaign appears broad and opportunistic, aligning with initial access broker behavior, where compromised footholds are later sold or reused — though no specific threat group attribution has been confirmed.
Measures to Defend the Fortress
To prevent Trojan-style intrusions like SHADOW#REACTOR, organizations should:
- Restrict or disable VBS execution where not explicitly required
- Constrain PowerShell usage with Constrained Language Mode and logging
- Monitor and alert on MSBuild.exe abuse, especially outside development contexts
- Detect in-memory execution patterns, not just file-based malware
- Block script-based initial access vectors via email and web filtering
- Apply least privilege, limiting admin rights that enable deeper persistence
- Use behavior-based EDR capable of correlating LOLBin misuse and staged loaders
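As an added example that is not from the original article or from any campaign tooling, the Python below turns two of the monitoring points above into detection logic over constructed Sysmon-style process-creation events: a script host (wscript.exe) spawning PowerShell with an encoded command, and MSBuild.exe launched by a non-build parent or pointed at a project file in a user-writable folder. The event fields, the stand-in stage-2 string, the list of legitimate build parents and the user-writable-path list are assumptions for this example.

```python
import base64
import re

STAGE2 = '$f = Join-Path $env:TEMP "qpwoe64.txt"  # constructed stand-in for the real stage'
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed Sysmon-style process-creation events, not real telemetry
    {"pid": 4100, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'},
    {"pid": 4120, "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENCODED},
    {"pid": 4150, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "parent": PS,
     "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\stage.proj"},
    {"pid": 5000, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Heuristic: -e, -ec, -en... (unambiguous prefixes of -EncodedCommand) followed by base64.
ENC_RE = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}  # assumed allow-list

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE) or None."""
    if not (m := ENC_RE.search(cmdline)):
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return alert strings for one event; an empty list means nothing suspicious."""
    alerts = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if image in {"powershell.exe", "pwsh.exe"} and parent in {"wscript.exe", "cscript.exe"}:
        decoded = decode_encoded_command(event["cmdline"])
        alerts.append(f"{parent} spawned PowerShell" + (f", decoded: {decoded}" if decoded else ""))
    if image == "msbuild.exe":
        if parent not in DEV_PARENTS:
            alerts.append(f"MSBuild.exe launched by non-build parent {parent}")
        if re.search(r"(?i)\\(temp|appdata|downloads|public)\\", event["cmdline"]):
            alerts.append("MSBuild.exe given a project file under a user-writable path")
    return alerts

def scan(events):
    return [(e["pid"], a) for e in events for a in evaluate(e)]
```

Decoding the encoded argument matters because the page's chain never writes a binary to disk; the decoded command line is often the only readable artifact a responder gets before the in-memory stages run.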
SHADOW#REACTOR doesn’t rely on zero-days or exotic exploits.
Its strength lies in abusing trust — trust in scripts, trust in native binaries, trust in familiar Windows processes.
Like the Trojan Horse, the malware is welcomed inside because it looks legitimate. By the time its purpose is revealed, the attackers are already in control.
Modern defense is no longer about building higher walls — it’s about questioning what is allowed to pass through the gate.
The Hacker News