Stealth RAT uses PowerShell loader for archive-free attacks

Run shellcode entirely in memory
Once the obfuscated PowerShell script is executed, it decodes and rebuilds two blocks of Base64-encoded data: one is the shellcode loader and the other is the PE file (REMCOS RAT).
To run completely in memory, the script relies heavily on Windows API and .NET interop functions such as VirtualAlloc, Marshal.Copy and CallWindowProcW, which PowerShell can reach because it is able to call into unmanaged code.
Additionally, to stay under the radar, the malware takes a sneaky route: instead of openly listing the Windows API functions it plans to use, it looks up their addresses in memory at runtime. This trick, known as walking the Process Environment Block (PEB), helps it evade scanners that look for obvious clues such as known file names or function calls.
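A detection-side illustration of the two points above, added here and not part of the article or of any vendor tooling: a scorer for PowerShell script-block log text that flags the interop calls named in the article, but also keeps scoring a block that carries a Base64 run decoding to a PE ('MZ') header even when no API name appears, which is the gap PEB walking exploits. The sample script blocks and the fake PE bytes are constructed for the example.

```python
import base64
import re

# Indicators the article names: the loader's interop/API calls.
API_PATTERNS = {
    "VirtualAlloc": re.compile(r"VirtualAlloc", re.I),
    "CallWindowProcW": re.compile(r"CallWindowProcW", re.I),
    "Marshal.Copy": re.compile(r"Marshal\]?::Copy|Marshal\.Copy", re.I),
}
# Plumbing PowerShell needs in order to call unmanaged code at all.
INTEROP_MARKERS = ("Add-Type", "DllImport", "GetDelegateForFunctionPointer")
# A long unbroken Base64 run is unusual in ordinary admin scripts.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def embedded_pe_blobs(text):
    """Return Base64 runs that decode to data starting with the PE 'MZ' magic."""
    hits = []
    for blob in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if raw[:2] == b"MZ":
            hits.append(blob)
    return hits


def score_script_block(text):
    """Score one script block. The embedded-PE and Base64-run checks keep
    scoring even when every API name is absent (resolved at runtime via the PEB)."""
    apis = [name for name, rx in API_PATTERNS.items() if rx.search(text)]
    interop = [m for m in INTEROP_MARKERS if m in text]
    blobs = B64_RUN.findall(text)
    pe = embedded_pe_blobs(text)
    score = 2 * len(pe) + len(apis) + len(interop) + (1 if blobs else 0)
    return {"apis": apis, "interop": interop, "base64_runs": len(blobs),
            "embedded_pe": len(pe), "score": score}


# Constructed sample script-block text (not real malware): a fake "PE" that is
# just the MZ magic followed by zero bytes, plus the interop calls the article lists.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 160).decode()
SAMPLE_LOADER = (
    f"$p = [Convert]::FromBase64String('{FAKE_PE_B64}')\n"
    "$m = [Native]::VirtualAlloc($p.Length)\n"
    "[System.Runtime.InteropServices.Marshal]::Copy($p, 0, $m, $p.Length)\n"
)
SAMPLE_BENIGN = "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB\n"

if __name__ == "__main__":
    for label, block in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, score_script_block(block))
```

Feed it the text of PowerShell script-block logging events (Event ID 4104) rather than the on-disk script, since the decoded stages never touch disk.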
“The loader reframes REMCOS as a brief plug-in, rather than a resident implant,” Soroko added. “By transferring each phase of the toolchain to transient memory and dissolving the loader itself after the session is over, the operator makes forensic artifacts almost as dominant as a decoy zip.”