LNK Trojan delivers REMCOS

SUMMARY :

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chain involves file download, Base64 decoding, and execution of a malicious PIF file masquerading as a Chrome-related program. The LNK file contains a PowerShell command that downloads and executes a payload, which is then decoded and run as CHROME.PIF. This file is identified as the REMCOS backdoor, capable of various malicious activities including keylogging, screen capture, and remote access. The attack utilizes multiple stages to evade detection and establish persistence on the victim's system.

OPENCTI LABELS :

backdoor,powershell,keylogger,lnk file,remcos,c2 communication,pif file,multi-stage attack,base64 encoding


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


LNK Trojan delivers REMCOS