Threats Tagged 'process injection'

An investigation revealed a malicious email campaign directing victims to download a ZIP file from MediaFire. The infection chain began with a Python setup executable (Setu.exe) that side-loaded a malicious 400 MB python37.dll containing repeated byte padding. The DLL performed process injection into dllhost.exe, establishing communication with a C2 server at 138.124.186.2:7000. The threat actor deployed three persistence mechanisms: a PowerShell-based path, a fake EdgeUpdate Python executable with scheduled task, and NetSupport RMM as a third access method. The analysis highlights the importance of comparing file timestamps during triage to identify malicious artifacts within compressed archives.

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.