Working shellcode solely in reminiscence
As soon as the obfuscated PowerShell script is executed, it decodes and reconstructs two chunks of base64-encoded information–one is a shellcode loader, the opposite a PE file (Remcos RAT).
To run this solely in reminiscence, the script depends closely on native Home windows API features, equivalent to VirtualAlloc, Marshal.Copy, and CallWindowProcW, accessed through PowerShell’s potential to interface with unmanaged code.
Moreover, to remain beneath the radar, the malware takes a sneakier route: as a substitute of brazenly itemizing the Home windows instruments (APIs) it plans to make use of, it hunts them down in reminiscence on the fly. This trick, generally known as “strolling the method setting block (PEB),” helps it escape scanners that search for apparent clues, like identified file names or operate calls.
“This loader re-frames Remcos as an ephemeral plug-in somewhat than a resident implant,” Soroko added. “By shifting each stage of the tool-chain into transient reminiscence and dissolving the loader itself as soon as the session ends, the operators make forensic artifacts practically as disposable because the lure ZIP.”
