New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack

Security Reporter

Security researchers detail SHADOW#REACTOR campaign using evasive techniques to deploy Remcos RAT via PowerShell loaders and living-off-the-land binaries.

Security researchers have uncovered a new malware campaign deploying Remcos RAT through an intricate multi-stage attack chain targeting Windows systems. Dubbed SHADOW#REACTOR, this operation employs sophisticated evasion techniques to bypass security controls and establish persistent remote access.

Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe the campaign's tightly orchestrated execution: "An obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly."

Evasion-Focused Attack Chain

The infection begins when a user interacts with a malicious link, typically delivered through phishing emails. This triggers an obfuscated VBS script (win64.vbs) that launches a Base64-encoded PowerShell payload. The script then downloads fragmented text files (qpwoe64.txt or qpwoe32.txt) that function as stagers:

  1. Resilient Payload Retrieval: The PowerShell script implements a self-healing loop that verifies file size thresholds. If fragments are incomplete, it pauses execution and re-downloads content rather than failing outright.
  2. Memory-Based Reconstruction: Fragments assemble a secondary PowerShell script (jdywa.ps1) that loads a .NET Reactor-protected assembly performing anti-debugging and anti-VM checks.
  3. Living-off-the-Land Execution: The final stage leverages MSBuild.exe (a legitimate Microsoft binary) to deploy Remcos RAT while avoiding process-based detection.

Enterprise Targeting and Defense Strategies

The campaign primarily targets enterprise and SMB environments, with tooling suggesting initial access broker involvement. Researchers note the framework's modular design enables payload portability and resilience against static analysis.

To defend against such attacks:

  • Restrict Script Execution: Implement application control policies limiting wscript.exe and PowerShell usage
  • Monitor LOLBin Activity: Establish behavioral monitoring for MSBuild.exe spawning unusual child processes
  • Segment Networks: Isolate critical systems to contain potential lateral movement
  • Conduct Phishing Drills: Train staff to recognize social engineering lures delivering initial scripts
  • Deploy Memory Analysis: Use endpoint solutions capable of detecting in-memory payload assembly

Securonix concludes: "The combination of text-only intermediates, in-memory .NET Reactor loaders, and LOLBin abuse reflects a deliberate strategy to frustrate antivirus signatures, sandboxes, and rapid analyst triage." Organizations should prioritize detection of multi-stage script sequences and anomalous MSBuild activity.
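The process chain described above (wscript.exe launching an encoded PowerShell command, PowerShell launching MSBuild.exe, MSBuild.exe spawning children it has no business spawning) can be expressed as a few parent/child and command-line rules over process-creation telemetry. The following is an added example written for this article, not code from Securonix or from the report; the event format, the field names and the sample events are constructed, and the "expected MSBuild children" list is an assumption a defender would tune to their own build hosts.

```python
import re

# Parent -> child pairs matching the described chain: VBS launcher -> PowerShell,
# PowerShell -> MSBuild. Names are compared case-insensitively on the file name.
SUSPICIOUS_PARENT_CHILD = {
    ("wscript.exe", "powershell.exe"),
    ("cscript.exe", "powershell.exe"),
    ("powershell.exe", "msbuild.exe"),
}
# Children a build host legitimately spawns (assumed baseline); anything else is flagged.
EXPECTED_MSBUILD_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return the list of findings for one process-creation event (empty if benign)."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    findings = []
    if (parent, image) in SUSPICIOUS_PARENT_CHILD:
        findings.append(f"script-host chain: {parent} -> {image}")
    if image == "powershell.exe" and ENCODED_PS.search(cmd):
        findings.append("powershell.exe started with an encoded command")
    if parent == "msbuild.exe" and image not in EXPECTED_MSBUILD_CHILDREN:
        findings.append(f"msbuild.exe spawned unexpected child {image}")
    return findings


def analyze_log(events):
    """Map event index -> findings, keeping only events that triggered a rule."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


# Constructed sample telemetry (not from the report): a benign Visual Studio build
# (events 0-1) followed by the chain described in the article (events 2-4).
SAMPLE_EVENTS = [
    {"parent": r"C:\vs\devenv.exe", "image": r"C:\vs\MSBuild.exe", "cmdline": "MSBuild.exe app.sln"},
    {"parent": r"C:\vs\MSBuild.exe", "image": r"C:\vs\csc.exe", "cmdline": "csc.exe /noconfig app.cs"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\Downloads\win64.vbs"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\ps\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + "QUFB" * 10},  # placeholder blob, not a payload
    {"parent": r"C:\ps\v1.0\powershell.exe", "image": r"C:\net\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\jdoe\AppData\Local\Temp\stage.proj"},  # placeholder name
]

if __name__ == "__main__":
    for idx, findings in analyze_log(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Only events 3 and 4 fire; the legitimate devenv.exe-driven build and its csc.exe child stay quiet, which is the distinction the "anomalous MSBuild activity" guidance relies on.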
