Working shellcode solely in reminiscence
As soon as the obfuscated PowerShell script is executed, it decodes and reconstructs two chunks of base64-encoded knowledge–one is a shellcode loader, the opposite a PE file (Remcos RAT).
To run this solely in reminiscence, the script depends closely on native Home windows API capabilities, comparable to VirtualAlloc, Marshal.Copy, and CallWindowProcW, accessed by way of PowerShell’s potential to interface with unmanaged code.
Moreover, to remain underneath the radar, the malware takes a sneakier route: as a substitute of brazenly itemizing the Home windows instruments (APIs) it plans to make use of, it hunts them down in reminiscence on the fly. This trick, often known as “strolling the method atmosphere block (PEB),” helps it escape scanners that search for apparent clues, like identified file names or perform calls.
“This loader re-frames Remcos as an ephemeral plug-in fairly than a resident implant,” Soroko added. “By shifting each stage of the tool-chain into transient reminiscence and dissolving the loader itself as soon as the session ends, the operators make forensic artifacts practically as disposable because the lure ZIP.”
