Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

This article explores a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in benign 32-bit .NET applications. The malware executes through a multi-stage process of extracting, deobfuscating, loading, and executing secondary payloads. The analysis focuses on a sample from recent malspam campaigns targeting financial organizations in Turkey and logistics sectors in Asia. The malware uses steganography to hide its payloads, making it challenging to detect. The article details the technical analysis of each stage, from the initial payload to the final execution of malware families like Agent Tesla, XLoader, and Remcos RAT. It also provides guidance on how to overcome this obfuscation technique using debugging methods.

This threat involves a sophisticated malware obfuscation technique targeting 32-bit .NET applications by embedding malicious payloads within bitmap resources. The malware is delivered primarily through malspam campaigns and uses steganography to conceal secondary payloads inside seemingly benign bitmap images embedded as resources in legitimate .NET executables. Upon execution, the initial payload extracts these bitmap resources, deobfuscates the hidden data, and dynamically loads and executes secondary malware families such as Agent Tesla, XLoader, and Remcos RAT. These malware families are known for credential theft, remote access capabilities, and information exfiltration. The multi-stage execution chain complicates detection and analysis, as the malicious code is not directly visible in the executable but hidden within image data, evading traditional signature-based detection. The malware also employs various obfuscation and anti-debugging techniques, making static and dynamic analysis challenging. The threat actors behind these campaigns have targeted financial organizations in Turkey and logistics sectors in Asia, indicating a focus on high-value industries with sensitive data. The use of .NET as a platform leverages its widespread adoption in enterprise environments, and the embedding of payloads in bitmap resources is a novel evasion technique that bypasses many conventional security controls. The article referenced provides detailed technical breakdowns of each stage, including debugging methods to overcome the obfuscation and detect the hidden payloads.

Detailed information about Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources. Get real-time updates, technical details, and mitigation strate

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources - Live Threat Intelligence - Threat Radar | OffSeq.com

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.

This threat involves a sophisticated fileless malware attack leveraging PowerShell to load and execute shellcode directly in memory, thereby bypassing traditional file-based detection mechanisms. The attack initiates via malicious LNK shortcut files embedded within ZIP archives, which when opened, trigger mshta.exe to execute the initial payload. The PowerShell-based loader then uses Windows API calls to allocate memory and execute binary code without writing files to disk, significantly enhancing stealth. The payload is a variant of Remcos RAT, a remote access trojan that grants attackers full control over the compromised system. Remcos RAT capabilities include keylogging, screen capture, credential theft, and other espionage functions. It employs advanced evasion techniques such as process hollowing—injecting malicious code into legitimate processes—and User Account Control (UAC) bypass to escalate privileges without user consent. Persistence is achieved through registry modifications, ensuring the malware survives system reboots. Communication with the command and control (C2) server is conducted over encrypted TLS channels, complicating network detection. This attack chain exemplifies modern threat actor tactics that emphasize stealth, memory-resident execution, and multi-layered evasion, making detection and mitigation challenging without behavioral analytics and endpoint detection and response (EDR) solutions capable of monitoring in-memory activities and anomalous process behaviors.

Detailed information about Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT. Get real-time updates, technical details, and mitigation s

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - Live Threat Intelligence - Threat Radar | OffSeq.com

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

Remcos RAT (Remote Access Trojan) is a commercially available malware tool that enables attackers to remotely control infected Windows systems. The campaign identified on 2020-02-28 involves the distribution of Remcos RAT primarily through malspam campaigns leveraging spearphishing attachments (MITRE ATT&CK T1193). The malware employs multiple techniques to evade detection and maintain persistence, including scripting (T1064), registry run keys or startup folder modifications (T1060), timestomping to alter file timestamps (T1099), masquerading as legitimate files or processes (T1036), and indirect command execution (T1202). It also uses uncommonly used ports (T1065) for command and control communications and indicator blocking (T1054) to hinder forensic analysis and detection. Despite its low severity classification in this report, Remcos RAT is a versatile and stealthy tool that can facilitate espionage, data exfiltration, credential theft, and lateral movement within compromised networks. The campaign does not specify affected software versions or known exploits in the wild, indicating that the infection vector relies on social engineering rather than exploiting software vulnerabilities. The threat level is moderate (3/10), with no direct evidence of widespread exploitation but with significant potential for targeted attacks. The lack of CVSS score necessitates an independent severity assessment based on the malware's capabilities and attack techniques.

Detailed information about Remcos RAT 02-28-20. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'remcos rat'

Filter Threats

Threats Tagged 'remcos rat'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility