
Cybersecurity researchers have revealed details of a new campaign called “SHADOW#REACTOR.” The campaign utilizes an evasive multi-stage attack chain to distribute a commercially available remote administration tool called Remcos RAT to establish persistent and covert remote access.
“The infection chain follows a tightly tailored execution path: an obfuscated VBS launcher running via wscript.exe calls a PowerShell downloader to retrieve a fragmented text-based payload from a remote host,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.
“These fragments are reassembled into encoded loaders, decoded in memory by .NET Reactor-protected assemblies, and used to fetch and apply remote Remcos configurations. The final stage leverages MSBuild.exe as a resident binary (LOLBin) to complete execution. The Remcos RAT backdoor is then fully deployed to take control of the compromised system.”

This activity is characterized as widespread and opportunistic, and is primarily aimed at corporate and small business environments. The tooling and tradecraft are consistent with typical initial access brokers, who gain a foothold in a target environment and sell that access to other actors for financial gain. However, there is no evidence tying the campaign to any known threat group.
The most unusual aspect of this campaign is its reliance on a text-only intermediate stager, combined with a PowerShell-driven reflective loader protected with .NET Reactor for in-memory reconstruction, to deploy the subsequent phases of the attack with the aim of complicating detection and analysis.
The infection sequence begins with the retrieval and execution of an obfuscated Visual Basic script (‘win64.vbs’), which can be triggered by user interaction such as clicking a link delivered through a socially engineered lure. The script runs under ‘wscript.exe’ and acts as a lightweight launcher for Base64-encoded PowerShell payloads.
The PowerShell script then uses System.Net.WebClient to communicate with the same server used to fetch the VBS file and drop a text-based payload named “qpwoe64.txt” (or “qpwoe32.txt” on 32-bit systems) into the machine’s %TEMP% directory.
“The script then enters a loop that verifies the existence and size of the file,” Securonix explained. “If the file is not found or is below the configured length threshold (minLength), the stager pauses the execution and re-downloads the content. If the threshold is not met within the defined timeout window (maxWait), the execution continues without terminating, preventing chain failure.”
“This mechanism ensures that incomplete or corrupted payload fragments do not immediately interrupt execution, strengthening the campaign’s self-healing design.”
If the text file meets the required criteria, the stager builds a second PowerShell script (‘jdywa.ps1’) in the %TEMP% directory. This launches the .NET Reactor-protected loader, which is responsible for establishing persistence, retrieving the next stage of the malware, and performing various anti-debug and anti-VM checks so that it can operate covertly.

The loader eventually launches the Remcos RAT malware on the compromised host using the legitimate Microsoft Windows binary ‘MSBuild.exe’. The attack also drops an execution wrapper script that uses ‘wscript.exe’ to re-trigger ‘win64.vbs’.
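From a defender's side, the chain described above (wscript.exe launching PowerShell, a script executed from %TEMP%, and MSBuild.exe ending up under that PowerShell ancestry) is unusual enough in most environments to score on process-creation telemetry alone. The following Python is an added illustration, not code from Securonix or The Hacker News: it walks parent/child relationships over constructed process-creation events and flags the SHADOW#REACTOR-style lineage while leaving a benign IDE-started MSBuild run alone. The event fields, PIDs, paths, the encoded-command placeholder and the MSBuild project argument are all made up for the example.

```python
"""Heuristic lineage detection for the wscript -> PowerShell -> MSBuild chain.

Added example over constructed telemetry; the event shape below is a
simplification of what an EDR or Sysmon event 1 feed would provide.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "wscript.exe"
    cmdline: str    # full command line as logged


# Constructed sample events modelled on the reported chain (values are made up):
# explorer -> wscript.exe (win64.vbs) -> powershell.exe (encoded)
#          -> powershell.exe (%TEMP%\jdywa.ps1) -> MSBuild.exe
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\win64.vbs"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -nop -w hidden -enc QUJDRA=="),   # placeholder blob
    ProcEvent(400, 300, "powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File "
              r"C:\Users\alice\AppData\Local\Temp\jdywa.ps1"),
    ProcEvent(500, 400, "MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "
              r"C:\Users\alice\AppData\Local\Temp\HYPOTHETICAL_PROJECT.xml"),
    # Benign noise: a developer build started from an IDE, same binary, different lineage.
    ProcEvent(600, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(700, 600, "MSBuild.exe", "MSBuild.exe Solution.sln"),
]

# "-e", "-ec", "-enc" or "-EncodedCommand" followed by an argument (case-insensitive).
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S+")
# A .ps1 script path located directly under a directory named Temp.
TEMP_PS1 = re.compile(r"(?i)\\temp\\[^\\\s\"']+\.ps1")


def ancestry(events, pid):
    """Return the process and its ancestors, child first, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def score_event(events, ev):
    """Score one event on its own command line and on its ancestry."""
    score, reasons = 0, []
    ancestors = [e.image.lower() for e in ancestry(events, ev.pid)[1:]]
    image = ev.image.lower()
    if image == "msbuild.exe":
        if "powershell.exe" in ancestors:
            score += 3
            reasons.append("MSBuild.exe has powershell.exe in its ancestry")
        if "wscript.exe" in ancestors:
            score += 3
            reasons.append("MSBuild.exe has wscript.exe in its ancestry")
    elif image == "powershell.exe":
        if "wscript.exe" in ancestors:
            score += 2
            reasons.append("powershell.exe descends from wscript.exe")
        if ENCODED_PS.search(ev.cmdline):
            score += 1
            reasons.append("encoded PowerShell command line")
        if TEMP_PS1.search(ev.cmdline):
            score += 2
            reasons.append("PowerShell script executed from a Temp directory")
    return score, reasons


def detect(events, threshold=3):
    """Return {pid: (score, reasons)} for events at or above the threshold."""
    hits = {}
    for ev in events:
        score, reasons = score_event(events, ev)
        if score >= threshold:
            hits[ev.pid] = (score, reasons)
    return hits


if __name__ == "__main__":
    for pid, (score, reasons) in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

The scoring is deliberately cumulative rather than a single exact-match rule: the encoded first-stage PowerShell alone is a weak signal in many shops, but the same process descending from wscript.exe, followed by a script run out of %TEMP% and then MSBuild.exe with that lineage, is the combination the report describes. Tuning the threshold against a week of real telemetry is what turns this from an illustration into a rule, and the file-creation side (a .txt dropped into %TEMP% by powershell.exe, then a .ps1 in the same directory) would be an independent second signal to correlate.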
“Taken together, these behaviors indicate the existence of an actively maintained, modular loader framework designed to keep Remcos payloads portable, resilient, and difficult to classify statically,” the researchers said. “The combination of text-only intermediate files, in-memory .NET Reactor loader, and LOLBin exploitation reflects a deliberate strategy to prevent rapid triage by antivirus signatures, sandboxing, and analysts.”
