PointWild Threat Research: Phishing to Full Compromise — Dissecting a Fileless Remcos RAT Campaign and C2-Delivered Payloads.

Khushal
Apr 4, 2024
Point Wild reports that attackers deployed multi-stage Remcos RAT with C2-delivered payloads to achieve inbox-to-intrusion gains within networks.

Modern malware campaigns are no longer defined by a single file dropped onto disk; they are carefully orchestrated, multi-stage intrusions engineered for stealth, evasion, and persistence. This analysis uncovers a sophisticated fileless Remcos RAT attack chain that begins with a socially engineered phishing email and rapidly escalates into a fully in-memory compromise, leveraging native Windows components to evade conventional detection mechanisms.

The attack chain is initiated through a phishing email containing a ZIP attachment disguised as a legitimate business document. Upon execution, an obfuscated JavaScript dropper establishes the initial foothold and retrieves a remote PowerShell script, which acts as a reflective loader. This loader employs multiple layers of obfuscation, including Base64 encoding, raw binary manipulation, and rotational XOR encryption, to reconstruct and execute a .NET payload entirely in memory. By eliminating reliance on disk-based artifacts, the malware significantly reduces its detection surface while maintaining full control over the infected system.

A defining characteristic of this campaign is its abuse of trusted system binaries, specifically aspnet_compiler.exe, as a Living-off-the-Land Binary (LOLBin) to proxy malicious execution under the guise of legitimate processes. The final payload is not statically embedded but retrieved dynamically from a remote Command-and-Control (C2) server, enabling flexible payload delivery and further complicating detection. This layered execution flow (phishing → JavaScript dropper → PowerShell reflective loading → network-delivered payload) demonstrates how attackers combine scripting environments, obfuscation, and legitimate tools to operate covertly.

Notably, the use of encoded PowerShell (Base64/ASCII) alongside aspnet_compiler.exe for in-memory execution aligns with techniques observed in prior Remcos campaigns, reinforcing the reuse and evolution of proven attacker tradecraft. This campaign highlights the increasing sophistication of multi-stage, obfuscated, and fileless malware, where attackers rely on trusted binaries and encrypted execution chains to bypass security defenses.
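The post describes the PowerShell stage as a loader that strips Base64, undoes a "rotational XOR" and hands the resulting .NET image to an in-memory loader. The block below is an added, analyst-side example of undoing those layers; it is not PointWild's code and not the campaign's loader. It assumes (the post does not specify) that "rotational XOR" means each byte is XORed with a key that cycles over the buffer, and it works on a constructed PE-shaped sample rather than real malware. Because every PE starts with "MZ" and the standard linker stub string at offset 0x4E, the key can be recovered by known-plaintext even when the script that carries it has already been deleted; the section-name check for MPRESS packing is from general packer knowledge, not from the post.

```python
import base64
import struct

# --- Constructed sample (not a real payload) ---------------------------------
# A minimal PE-shaped buffer carrying only the fields the decoder keys on:
# "MZ" magic, e_lfanew at 0x3C, the standard DOS-stub string, the "PE\0\0"
# signature, a COFF header and one section header.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E          # where the standard linker stub places that string
SAMPLE_KEY = b"\x5a\x13\xc4\x7e\x02\x99\xa1\x3d"   # assumed 8-byte rotating key


def build_fake_pe(section_name: bytes = b".text") -> bytes:
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    size_of_optional = 0xE0     # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x2102)
    optional = b"\x0b\x01" + b"\x00" * (size_of_optional - 2)   # PE32 magic, rest zeroed
    section = section_name.ljust(8, b"\x00") + b"\x00" * 32       # 40-byte section header
    return bytes(dos) + b"PE\x00\x00" + coff + optional + section + b"\x00" * 64


# --- The obfuscation layers the loader undoes ---------------------------------
def rotating_xor(data: bytes, key: bytes) -> bytes:
    """XOR every byte with key[i % len(key)]; the key 'rotates' over the buffer.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(payload: bytes, key: bytes) -> str:
    return base64.b64encode(rotating_xor(payload, key)).decode("ascii")


def deobfuscate(blob_b64: str, key: bytes) -> bytes:
    return rotating_xor(base64.b64decode(blob_b64), key)


# --- Analyst-side checks -------------------------------------------------------
def looks_like_pe(blob: bytes) -> bool:
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def section_names(pe: bytes) -> list:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional          # section table follows the optional header
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
            for i in range(n_sections)]


def recover_key(cipher: bytes, max_key_len: int = 32):
    """Known-plaintext attack: a PE starts with 'MZ' and, with the standard linker
    stub, carries DOS_STUB_TEXT at 0x4E. For each candidate length, derive the key
    bytes those positions imply and keep the first length that is self-consistent
    and yields a valid PE. Returns None if no length fits."""
    known = {0: ord("M"), 1: ord("Z")}
    known.update({DOS_STUB_OFFSET + i: c for i, c in enumerate(DOS_STUB_TEXT)})
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for pos, plain in known.items():
            if pos >= len(cipher):
                consistent = False
                break
            k = cipher[pos] ^ plain
            if key[pos % klen] is None:
                key[pos % klen] = k
            elif key[pos % klen] != k:
                consistent = False
                break
        if consistent and None not in key:
            candidate = bytes(key)
            if looks_like_pe(rotating_xor(cipher, candidate)):
                return candidate
    return None


def analyse_blob(blob_b64: str) -> dict:
    """End-to-end: strip Base64, recover the rotating key, decrypt, triage."""
    cipher = base64.b64decode(blob_b64)
    key = recover_key(cipher)
    if key is None:
        return {"key": None, "is_pe": False, "sections": [], "mpress_packed": False}
    pe = rotating_xor(cipher, key)
    names = section_names(pe)
    return {
        "key": key.hex(),
        "is_pe": looks_like_pe(pe),
        "sections": names,
        # MPRESS names its sections .MPRESS1/.MPRESS2 (general packer knowledge)
        "mpress_packed": any(n.startswith(".MPRESS") for n in names),
    }


if __name__ == "__main__":
    blob = obfuscate(build_fake_pe(b".MPRESS1"), SAMPLE_KEY)
    print(analyse_blob(blob))
```

The same known-plaintext trick works on a memory dump of the PowerShell host: carve the Base64 string, run `analyse_blob` on it, and you get the key and the decoded assembly without ever executing the loader.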

 
The attack chain is initiated through a phishing email containing a ZIP attachment disguised as a legitimate business document. Upon execution, an obfuscated JavaScript dropper establishes the initial foothold and retrieves a remote PowerShell script, which acts as a reflective loader.
Does "Upon execution" refer to extraction of the ZIP file or to opening the document file inside it?
 
Executive Summary
This incident involves a multi-stage infection chain initiating from a phishing email that deploys a Remcos RAT variant entirely in memory.

Confirmed Facts
Include the use of an obfuscated JavaScript dropper, PowerShell execution policy bypass, and the abuse of aspnet_compiler.exe to proxy network traffic to 192[.]3[.]27[.]141[:]8087.

Assessment
Indicates a highly evasive methodology designed to minimize disk artifacts, with the ultimate objective of remote control and data exfiltration via keystroke logging.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1566.001 (Phishing: Spearphishing Attachment)
T1059.005 (Command and Scripting Interpreter: Visual Basic / JS)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1620 (Reflective Code Loading)
T1218.004 (System Binary Proxy Execution: InstallUtil/LOLBins)

CVE Profile
N/A [CISA KEV Status: Inactive].
This attack leverages native OS functionality and configuration weaknesses rather than exploiting specific software vulnerabilities.

Telemetry

Hashes (MD5)
75b7ed9f524cdb1c6f044864c4d3353c (.eml)
a739d0c4821d2bc1b8a226a5d8846c28 (ZIP)
a5c70d896526146238a15a93dfdb2f97 (JS Dropper)

IPs/Domains
hxxps://almacensantangel[.]com/ENCRYPT[.]Ps1, 192[.]3[.]27[.]141[:]8087

Registry Keys
Unknown (Insufficient Evidence in source text).

Artifacts
C:\ProgramData\remcos\logs.dat.

Constraint
The structure of the Base64-encoded blob suggests a compiled .NET binary (ALTERNATE.dll), which acts as an initial loader before delivering the final MPRESS-packed payload.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate Incident Response protocols for a confirmed RAT compromise; notify internal stakeholders of potential data exfiltration (keystroke logging).

DETECT (DE) – Monitoring & Analysis

Command
Query EDR and SIEM for outbound connections from aspnet_compiler.exe to external IP 192[.]3[.]27[.]141 on port 8087.

Command
Hunt for file creation events matching C:\ProgramData\remcos\logs.dat.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected endpoints (e.g., DESKTOP-LHEVM3U) from the enterprise network immediately.

Command
Terminate anomalous aspnet_compiler.exe processes and block the identified C2 IP at the perimeter firewall.

RECOVER (RC) – Restoration & Trust

Command
Reimage compromised endpoints, as in-memory execution and secondary payload delivery severely undermine trust in the current OS state.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict Windows Script Host (WSH) execution for .js and .vbs files via GPO.

Command
Enforce strict PowerShell Constrained Language Mode and AppLocker policies to prevent unauthorized script execution and LOLBin abuse.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately to sever the active connection with the remote attacker.

Command
Do not log into banking/email until verified clean, as the presence of logs.dat confirms active keystroke logging.

Priority 2: Identity

Command
Reset all sensitive passwords and ensure MFA is enabled using a known clean device (e.g., your smartphone on a cellular 5G network).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for suspicious entries. If the machine cannot be reliably cleaned using reputable anti-malware tools, a full system reset (reinstalling Windows) is recommended.

Hardening & References

Baseline

Implement CIS Benchmarks for Windows OS, specifically focusing on disabling default script execution associations (e.g., associating .js files with Notepad rather than WScript).

Framework
NIST CSF 2.0 (PR.PS-01: Configuration Management; DE.CM-01: Network Monitoring).

Security Posture
Fileless threats bypassing disk inspections heavily rely on initial execution vectors. Hardening the email gateway against script files embedded in .zip archives is a mathematically proven (P(Detection) ∝ Filter Strictness) method to reduce the attack surface.

Source

PointWild Threat Intelligence
 
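The DETECT commands above give two hunts (aspnet_compiler.exe talking to 192[.]3[.]27[.]141:8087, and creation of C:\ProgramData\remcos\logs.dat), and the write-up's LOLBin point implies a third: a build compiler being launched by a script host. The block below is an added example, written for this thread and not PointWild's detection content, that runs those predicates over constructed Sysmon-style events (IDs 1, 3 and 11; field names follow Sysmon's schema, the records and hostnames are made up). The parent-process heuristic and the "public address" check are my own generalisation of the post's indicators; 203.0.113.10 is a documentation address standing in for an unknown host.

```python
import ipaddress

# Indicators taken from the post
C2_IP = "192.3.27.141"
C2_PORT = 8087
KEYLOG_PATH = r"C:\ProgramData\remcos\logs.dat"
LOLBIN = "aspnet_compiler.exe"

# Heuristic of my own (not from the post): a legitimate aspnet_compiler.exe run is
# launched by build tooling, not by a script host or a shell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

HIT_C2 = "C2: aspnet_compiler.exe connected to the known Remcos C2"
HIT_EGRESS = "SUSPECT: aspnet_compiler.exe connected to a non-internal address"
HIT_KEYLOG = "ARTIFACT: Remcos keystroke log created"
HIT_LOLBIN = "LOLBIN: aspnet_compiler.exe spawned by a script host"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(event: dict) -> list:
    """Return the detection labels one Sysmon-style event triggers (possibly none)."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))

    if eid == 3 and image == LOLBIN:                        # network connection
        dst = event.get("DestinationIp", "")
        port = int(event.get("DestinationPort", 0))
        if dst == C2_IP and port == C2_PORT:
            hits.append(HIT_C2)
        elif dst and not is_internal(dst):
            hits.append(HIT_EGRESS)

    if eid == 11 and event.get("TargetFilename", "").lower() == KEYLOG_PATH.lower():
        hits.append(HIT_KEYLOG)                             # file create

    if eid == 1 and image == LOLBIN and basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        hits.append(HIT_LOLBIN)                             # process create
    return hits


def hunt(events: list) -> list:
    """Flatten to (time, host, label) tuples, the shape you would hand to a case."""
    return [(e["UtcTime"], e["Computer"], label) for e in events for label in evaluate(e)]


# Constructed sample telemetry (not real logs).
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
HOST = "DESKTOP-LHEVM3U"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-01-01 09:12:01", "Computer": HOST, "Image": ASPNET,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "UtcTime": "2025-01-01 09:12:03", "Computer": HOST, "Image": ASPNET,
     "DestinationIp": "192.3.27.141", "DestinationPort": 8087},
    {"EventID": 11, "UtcTime": "2025-01-01 09:12:09", "Computer": HOST, "Image": ASPNET,
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    # benign: a developer box compiling a site from Visual Studio
    {"EventID": 1, "UtcTime": "2025-01-01 10:00:00", "Computer": HOST, "Image": ASPNET,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe"},
    # benign: unrelated DNS traffic
    {"EventID": 3, "UtcTime": "2025-01-01 10:00:05", "Computer": HOST,
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    # aspnet_compiler.exe reaching an unknown external host: not the listed C2, still worth a look
    {"EventID": 3, "UtcTime": "2025-01-01 10:30:00", "Computer": HOST, "Image": ASPNET,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

The two IOC matches are exact and will go stale with the infrastructure; the process-lineage and egress checks are the ones that survive the next campaign, at the cost of tuning on build servers where aspnet_compiler.exe runs legitimately (suppress by parent image rather than by disabling the rule).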
Great technical breakdown. For home users, the most important takeaway is that these attacks almost always start with a simple phishing email.

What makes this "fileless" threat tricky is that it runs entirely in your computer's memory instead of saving files to the hard drive. It’s like a ghost in the system that's harder for basic scanners to spot.

A good rule of thumb for staying safe:

  • Never open unexpected attachments: Especially ZIP or JS files from unknown senders.
  • Enable Real-Time Protection: Since the malware doesn't "touch" the disk, you need an antivirus that monitors active memory.
  • Keep Windows updated: Security patches are designed to block the "living-off-the-land" tools this RAT tries to abuse.
Prevention is key—if you don't click the link or open the ZIP, the "fileless" ghost never gets in. 📧👻🛡️