
Securonix has published a blog giving details of a new multi-stage Windows malware campaign it calls SHADOW#REACTOR.
The blog is written by three researchers from the Securonix Threat Research team: Akshay Gaikwad, Shikha Sangwan and Aaron Beardslee. It goes into details about the infection chain, saying that “it follows a tightly orchestrated execution path.”
That execution path includes multiple processes and apps used to retrieve components of the malware. Of particular interest is that these components are all fragmented text-based payloads.
SHADOW#REACTOR uses a number of tools and stages, which run in this order:
- wscript.exe executes an obfuscated VBS launcher
- The VBS launcher invokes a PowerShell downloader that retrieves the text-based components
- The components are reconstructed and then decoded in memory by a .NET Reactor-protected assembly
- The decoded components then fetch and apply a remote Remcos configuration
- MSBuild.exe completes execution, resulting in the Remcos RAT being fully deployed.
How do you detect it?
The blog details how each stage works, the IP address where the obfuscated VB script is located and the names of files that are used in the initial stage. As with most malware, it relies on users clicking on a link. The researchers say that users should be reminded to be cautious of unexpected files or update prompts. They should also be wary of downloading any documents from the web or untrusted sources.
While these are all steps that organisations regularly mention in end-user security training, regular reminders are always useful.
For IT teams, the advice is more prescriptive and should mirror processes that already exist. For example, restrict or monitor the execution of VBS, JS and PowerShell scripts, and ensure that EDR solutions are set to detect process chains such as wscript.exe → powershell.exe → msbuild.exe. Collecting advanced PowerShell and scripting telemetry, and monitoring for LOLBin abuse, is also recommended.
The blog also contains a table giving the MITRE ATT&CK mapping of SHADOW#REACTOR behaviours and what to look for. There are also queries that can be used to detect potential infections. For network administrators, the blog lists two IP addresses known to be used for C2 and infrastructure.
Finally, there are six Indicators of Compromise (IOCs) with the filenames and associated SHA256 hashes.
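The process-chain detection the blog recommends (wscript.exe → powershell.exe → msbuild.exe) can be expressed as a small check over process-creation telemetry. The following is an added example, not code from the Securonix blog or from Enterprise Times: it walks a parent/child process tree built from constructed Sysmon-style events and flags any msbuild.exe whose direct ancestry matches the chain, while leaving a developer's cmd.exe → MSBuild.exe run alone. Host names, PIDs, paths and command lines are all constructed sample data.

```python
"""Flag the wscript.exe -> powershell.exe -> msbuild.exe chain in process telemetry.

Added example (not from the Securonix blog). The records below are constructed
and only mimic the fields of Sysmon Event ID 1 / EDR process-creation events.
"""
from collections import defaultdict

# Constructed sample telemetry: one record per process-creation event.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 1000, "ppid": 600,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws01", "pid": 1200, "ppid": 1000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\update.vbs"'},
    {"host": "ws01", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File stage2.ps1"},
    {"host": "ws01", "pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.proj"},
    # Benign lineage on another host: a developer building from a shell.
    {"host": "dev02", "pid": 2000, "ppid": 500,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "dev02", "pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe project.sln"},
]

# The chain named in the blog's detection advice, oldest ancestor first.
CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_process_tree(events):
    """Index events as {host: {pid: event}} so ancestry can be walked per host."""
    by_host = defaultdict(dict)
    for event in events:
        by_host[event["host"]][event["pid"]] = event
    return by_host


def ancestry(procs, pid):
    """Image names from pid upward (child first); stops at unknown or cyclic PIDs."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(image_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names


def find_chain_matches(events, chain=CHAIN):
    """Return one hit per process whose direct ancestry equals `chain`."""
    hits = []
    depth = len(chain)
    for host, procs in build_process_tree(events).items():
        for pid, event in procs.items():
            if image_name(event["image"]) != chain[-1]:
                continue
            lineage = ancestry(procs, pid)  # child first
            if len(lineage) >= depth and tuple(reversed(lineage[:depth])) == chain:
                hits.append({
                    "host": host,
                    "pid": pid,
                    "cmdline": event["cmdline"],
                    "lineage": " -> ".join(reversed(lineage[:depth])),
                })
    return hits


if __name__ == "__main__":
    for hit in find_chain_matches(SAMPLE_EVENTS):
        print(f"[{hit['host']}] pid {hit['pid']}: {hit['lineage']} :: {hit['cmdline']}")
```

The match requires the three images to be direct parent/child links, which is what the blog's arrow notation describes; an EDR rule that tolerates an intermediate process (for example a conhost.exe between stages) would instead search for the three names as a subsequence of the ancestry list.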
Enterprise Times: What does this mean?
The security industry often focuses more on new malware than on how it is deployed. In this case, it is not the deployment of the Remcos RAT that is important; it’s the infection chain. Yes, it starts like many others with someone clicking on a link. That will never change. However, the use of text files and then compilation on the infected device sends a message.
That message is simple. Unless you monitor all the tools on end-user devices, you cannot be secure. This includes the tools that ship with the OS, not just those that are downloaded or that come with other apps.
In its analysis, Securonix shows just how easy it is for SHADOW#REACTOR to download, assemble and then compile the malware it wants to deploy. In this case, it is the Remcos RAT, but it could be repurposed for other malware.
For now, using the information at the end of the blog, security, network and IT teams can begin to block this particular campaign. They can also detect infected machines and begin remediation.
This is not the first time, nor will it be the last, that malicious actors have repurposed Microsoft tools to deploy malware. But the question to ask your security team is what they are doing to monitor and track those tools to prevent this type of attack.
The post Securonix says Windows malware SHADOW#REACTOR drops Remcos RAT appeared first on Enterprise Times.
