Attack Flow | Image: Lat61
A sophisticated and carefully orchestrated malware campaign has been uncovered, marking a significant evolution in how attackers bypass traditional security controls. The analysis, conducted by the Lat61 Threat Intelligence Team, details a fileless Remcos RAT infection that transitions from a simple phishing lure to a full, in-memory system compromise.
The attack begins with a classic social engineering tactic: a phishing email. The message, typically masquerading as an urgent business document from a legitimate-looking sender, carries a ZIP attachment whose name is chosen to avoid suspicion: "MV MERKET COOPER SPECIFICATION.zip".
Inside this archive lies the true threat: an obfuscated JavaScript dropper. As the Lat61 researchers explain:
"The extracted JavaScript file is heavily obfuscated, using string-mapping functions and encoded arrays to conceal its true behavior. This technique hides critical indicators such as URLs, commands, and object names, making static analysis difficult."
Once executed, the JavaScript connects to a remote server and downloads "ENCRYPT.Ps1", a PowerShell script that acts as a reflective loader. This loader is what makes the attack "fileless": it peels away multiple layers of encoding, including Base64 and a rotational XOR, to reconstruct the final payload entirely in memory.
Because no malicious executable is ever written to disk, the attackers shrink their "detection surface" considerably. The script also contains an execution guard that waits until a specific system process is absent before triggering the payload.
One of the most defining characteristics of this campaign is its use of a Living-off-the-Land Binary (LOLBin). Specifically, the malware hijacks a legitimate Microsoft utility, aspnet_compiler.exe, to proxy its malicious execution.
This allows the malware to “blend in” with routine system activity. Lat61’s network analysis confirmed that this trusted process was the one initiating outbound communication to a remote command-and-control (C2) server at 192[.]3[.]27[.]141[:]8087.
The final payload, identified as a compiled .NET Portable Executable (PE), grants attackers full remote control over the infected host. Remcos RAT is a powerful tool used for:
- System Surveillance: Capturing keystrokes, screen screenshots, and audio logs.
- Credential Theft: Harvesting usernames and passwords from popular web browsers.
- Data Exfiltration: Actively staging collected data in files like C:\ProgramData\remcos\logs.dat for retrieval.
The Lat61 analysis concludes that this campaign reflects a broader shift toward "multi-stage, obfuscated, and fileless malware". To defend against such threats, organizations are urged to monitor for unusual PowerShell execution patterns, especially invocations that use execution policy bypass flags, and to deploy behavior-based detection capable of spotting trusted system utilities being used for purposes they were never meant for.
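The two behaviors the article singles out, PowerShell launched with execution policy bypass flags and the LOLBin aspnet_compiler.exe opening outbound connections, can be checked mechanically against endpoint telemetry. The following detection logic is an added example written for this article and is not code from Lat61 or from the campaign; it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection) embedded inline. The C2 address is the one reported in the article; the file paths, the assumption that the JavaScript dropper ran under wscript.exe, and the assumption that PowerShell is the parent of aspnet_compiler.exe are mine, not facts stated on the page.

```python
import re
from typing import Any

# Constructed, Sysmon-style events for illustration only. EventID 1 = process
# creation, EventID 3 = network connection. The destination IP/port on the
# aspnet_compiler.exe connection is the C2 endpoint named in the article.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",          # assumed script host
     "CommandLine": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass "
                    r"-File C:\Users\u\AppData\Local\Temp\ENCRYPT.Ps1"},
    {"EventID": 1,                                               # benign admin use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -Command Get-Service"},
    {"EventID": 1,                                               # assumed parent link
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"aspnet_compiler.exe"},
    {"EventID": 3,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "DestinationIp": "192.3.27.141", "DestinationPort": 8087},
    {"EventID": 3,                                               # benign browser traffic
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# aspnet_compiler.exe is a build-time tool; it has no legitimate reason to open
# outbound sockets, so any network event from it is worth an alert.
LOLBIN_NO_NETWORK = ("aspnet_compiler.exe",)

# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts for the switch.
EP_BYPASS = re.compile(r"-(?:executionpolicy|exec|ep|ex)\s+bypass", re.IGNORECASE)
# Encoded-command switches; the trailing \b keeps "-e" from matching "-ExecutionPolicy".
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict[str, Any]) -> list[str]:
    """Return the names of every rule this single event trips (empty if benign)."""
    hits: list[str] = []
    image = basename(event.get("Image", ""))
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        parent = basename(event.get("ParentImage", ""))
        if image in POWERSHELL_IMAGES:
            if EP_BYPASS.search(cmd):
                hits.append("powershell_execution_policy_bypass")
            if ENCODED_CMD.search(cmd):
                hits.append("powershell_encoded_command")
            if parent in SCRIPT_HOSTS:
                hits.append("script_host_spawned_powershell")
        if image in LOLBIN_NO_NETWORK and parent in POWERSHELL_IMAGES:
            hits.append("lolbin_spawned_by_powershell")
    elif event.get("EventID") == 3 and image in LOLBIN_NO_NETWORK:
        hits.append("lolbin_outbound_connection")
    return hits


def scan(events: list[dict[str, Any]]) -> list[tuple[int, str]]:
    """Run every event through the rules; yields (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] event {idx}: {basename(ev['Image'])} "
              f"{ev.get('CommandLine') or ev.get('DestinationIp')}")
```

Each rule on its own is noisy (developers do legitimately run aspnet_compiler.exe, and some admin scripts use "-ep bypass"); the value comes from correlating them on one host within a short window, which is exactly the chain the article describes: script host to PowerShell with a bypass flag, PowerShell to aspnet_compiler.exe, and that process reaching out to an unfamiliar port.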