Infection chain | Image: Trellix
In the ever-evolving arms race between hackers and defenders, the “static” era is officially over. A new report from Trellix details a sophisticated Remcos RAT campaign that has completely abandoned traditional file-dropping methods in favor of a stealthy, “fileless” approach that lives entirely in memory.
Traditionally, malware campaigns relied on dropping executable files to a victim’s disk: artifacts that were easily scanned and quarantined. However, modern adversaries have shifted their tradecraft.
As the Trellix report notes:
“Modern adversaries have shifted toward fileless attack techniques, executing payloads directly in memory and abusing trusted system components to evade detection, reduce forensic visibility, and accelerate deployment at scale”.
The Remcos Remote Access Trojan (RAT), once a simple commodity tool, now serves as the payload for a multi-stage infection chain that utilizes layered scripting and process injection to remain invisible.
The attack begins with a classic social engineering lure: a procurement-themed phishing email disguised as a request-for-quotation (RFQ). Tucked inside an archived attachment is a JavaScript downloader.
Instead of installing the RAT immediately, this script acts as a lightweight scout, fetching an AES-encrypted PowerShell payload from the attacker’s server.
Once triggered, the PowerShell loader reconstructs and decrypts a .NET injector assembly directly in memory. This injector then performs a high-level maneuver known as process hollowing against a legitimate Windows utility, aspnet_compiler.exe.
“By creating and hollowing a trusted process, the malware replaces its memory with the final payload while inheriting the target process’s identity”.
Once the final payload is injected, the Remcos RAT goes to work without ever leaving a footprint on the hard drive. Its first task is to dynamically resolve Windows APIs at runtime to ensure it can run on any version of the OS.
The RAT’s power lies in its modularity. Key capabilities identified in this campaign include:
- Single-Instance Enforcement: The malware creates a unique mutex, Rmc-ZOCNDU, to ensure only one instance is running, thereby “reducing operational noise”.
- Environment Profiling: It accurately distinguishes between Windows 10 and 11 by parsing build numbers, ensuring it uses the correct reporting data during C2 registration.
- Offline Buffering: If internet connectivity is lost, the RAT stores keylogging and clipboard data in a local log file at C:\ProgramData\rema\logs.dat for later exfiltration.
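One way a defender can hunt for the chain described above in endpoint telemetry, as an added example that is not part of the Trellix report or this article: flag the process lineage script host -> PowerShell -> aspnet_compiler.exe, and match file paths against the offline buffer location. The event records are constructed for illustration and assume Sysmon-style process-creation fields (pid, parent pid, image path, command line).

```python
from dataclasses import dataclass
# Stages of the chain: a script host runs the JavaScript downloader and spawns
# the PowerShell loader, which in turn spawns and hollows aspnet_compiler.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOADERS = {"powershell.exe", "pwsh.exe"}
HOLLOWED_TARGET = "aspnet_compiler.exe"
BUFFER_PATH = r"c:\programdata\rema\logs.dat"  # offline buffer named in the report

@dataclass(frozen=True)
class ProcEvent:  # constructed record, Sysmon Event ID 1 style fields (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str

def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def find_hollowing_chains(events):
    """Return (script_host_pid, loader_pid, target_pid) for each aspnet_compiler.exe whose
    parent is PowerShell and grandparent a script host; build tooling, not scripts, normally starts it."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if _basename(e.image) != HOLLOWED_TARGET:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in LOADERS:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is not None and _basename(grand.image) in SCRIPT_HOSTS:
            chains.append((grand.pid, parent.pid, e.pid))
    return chains

def find_buffer_writes(file_paths):
    """Return paths (e.g. from file-create events) equal to the RAT's offline buffer file."""
    return [p for p in file_paths if p.lower() == BUFFER_PATH]

# Constructed telemetry: one malicious chain plus a benign build-tool launch of the same binary.
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"  # standard location
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "RFQ-4471.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(400, 300, ASPNET, "aspnet_compiler.exe"),
    ProcEvent(500, 100, r"C:\Program Files\dotnet\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(600, 500, ASPNET, "aspnet_compiler.exe"),  # benign parent, not flagged
]
SAMPLE_FILES = [r"C:\ProgramData\rema\logs.dat", r"C:\ProgramData\Other\app.log"]
```

Running `find_hollowing_chains(SAMPLE_EVENTS)` flags only the wscript-rooted lineage (200, 300, 400), while the MSBuild-launched copy passes; real deployments should pair this with the mutex and in-memory indicators the report describes rather than rely on lineage alone.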
The “interactive” phase begins once the RAT establishes a connection to its Command & Control (C2) server. Interestingly, researchers observed that the traffic operates “without transport-layer encryption,” using a custom delimiter-based protocol over raw TCP.
“This exchange marks the transition from local reconnaissance into fully interactive remote access and confirms successful host registration with the C2 infrastructure”.
The Trellix investigation serves as a stark reminder that signature-based security is no longer enough. To combat fileless threats, organizations must adopt memory-centric detection strategies.