Cybersecurity experts from the Qualys Threat Research Unit (TRU) have detailed a sophisticated attack that abuses PowerShell and Windows shortcut files to surreptitiously install the Remcos Remote Access Trojan (RAT) on victims’ systems. The method lets the malware operate stealthily, often bypassing traditional antivirus protection because the malicious code runs directly in memory and leaves few traces on disk.
The attack begins when a user opens a ZIP archive named new-tax311.ZIP, which contains a shortcut file titled ‘new-tax311.lnk’. Opening this shortcut does not launch a normal program; instead it invokes the Windows utility ‘mshta.exe’ to execute a deliberately obfuscated PowerShell script, which prepares the device for the Remcos RAT infection.
This PowerShell script first attempts to weaken Windows Defender by instructing it to exclude the “C:/Users/Public/” folder from scanning. It then changes PowerShell settings so that unsafe scripts run without warnings, and covertly modifies the Windows Registry so that the Remcos RAT is launched every time the computer boots. The researchers also noted that the script downloads several files, including a seemingly benign file alongside the components the attack needs.
Qualys TRU’s analysis highlighted the stealthy nature of the Remcos RAT, which is designed to give attackers unauthorized remote control of infected computers. The malware can log keystrokes, capture screenshots, and access sensitive user data. In a statement, cybersecurity expert Xiaopeng Zhang emphasized the evolution of tactics among attackers, noting a transition from exploiting vulnerabilities in Excel files to utilizing deceptive LNK files disguised as PDF icons. To counter these threats effectively, experts recommend enabling PowerShell logging and deploying robust Endpoint Detection and Response (EDR) solutions.
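The PowerShell logging the article recommends is only useful if something reads it. The following added example (not from the Qualys report) shows how the loader behaviours described above (the Defender folder exclusion, the execution-policy change, the registry run-key persistence and the file downloads) could be flagged in PowerShell script block log text; the sample log entries and the rule names are constructed for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample entries of the kind PowerShell script block logging
# (Event ID 4104) records; invented for this example, not from the report.
SAMPLE_LOGS = [
    r"Add-MpPreference -ExclusionPath 'C:\Users\Public'",
    r"Set-ExecutionPolicy Bypass -Scope Process -Force",
    r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
    r"-Name 'Update' -Value 'C:\Users\Public\svc.exe'",
    r"Get-ChildItem -Path C:\Users\Public",
    r"Invoke-WebRequest -Uri https://example.invalid/a.pdf -OutFile C:\Users\Public\a.pdf",
]

# One rule per behaviour the article attributes to the loader script.
RULES: Dict[str, re.Pattern] = {
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion", re.I),
    "execution_policy_bypass": re.compile(
        r"Set-ExecutionPolicy\b.*\b(Bypass|Unrestricted)\b", re.I),
    "run_key_persistence": re.compile(
        r"(Set|New)-ItemProperty\b.*CurrentVersion\\Run\b", re.I),
    "download": re.compile(
        r"\b(Invoke-WebRequest|Start-BitsTransfer|DownloadFile|DownloadString)\b", re.I),
}
# The folder the script excluded from Defender; anything staged there is suspect.
PUBLIC_DIR = re.compile(r"C:[\\/]Users[\\/]Public", re.I)


def classify(script_text: str) -> Dict[str, object]:
    """Rule names matched by one script-block entry, plus whether it references
    the Public folder."""
    return {
        "rules": [name for name, rx in RULES.items() if rx.search(script_text)],
        "touches_public": bool(PUBLIC_DIR.search(script_text)),
    }


def scan(entries: List[str]) -> Dict[str, object]:
    """Scan a batch of entries. Each rule hit is a finding; the batch is flagged
    as a suspected loader chain when three or more distinct behaviours appear,
    since exclusion, policy bypass and persistence rarely occur together in
    legitimate administration scripts."""
    findings, seen = [], set()
    for index, text in enumerate(entries):
        result = classify(text)
        if result["rules"]:
            findings.append({"index": index, **result})
            seen.update(result["rules"])
    return {"findings": findings, "behaviours": sorted(seen),
            "chain_suspected": len(seen) >= 3}
```

Running `scan(SAMPLE_LOGS)` flags four of the five constructed entries and marks the batch as a suspected chain; a single benign directory listing on its own produces no finding.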