Steganography Secrets: Malware Hidden in Plain Sight
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are increasingly abusing image-hosting and file-sharing services to deliver malicious payloads concealed inside seemingly harmless PNG and JPEG files. These images carry Base64-encoded DLLs that are extracted by a JavaScript dropper and loaded directly into memory to launch remote access malware such as Remcos RAT. By avoiding obvious on-disk artifacts and relying on fileless execution, the technique can slip past many traditional endpoint defenses. The campaigns often use finance-related themes and target victims through personalized phishing emails.
Investigation
Cofense analyzed a group of phishing emails built around fake purchase order documents that delivered a JavaScript-based dropper. That dropper retrieved a steganographic image from abused domains, decoded a Base64-encoded .NET loader DLL, and injected Remcos RAT into a legitimate process. Campaign statistics showed that 27% of the observed attacks delivered Remcos RAT, while 21% delivered Agent Tesla and 18% delivered XWorm RAT. The report also identified heavily abused hosting platforms, including uploaddeimagens.com.br and archive.org.
Mitigation
Organizations should strengthen email attachment scanning and block execution of untrusted JavaScript files. Monitoring outbound traffic to known image-hosting platforms can help surface the payload delivery stage. Behavioral analytics should also be used to detect process injection and memory-only loading of unsigned DLLs. Defenders should further monitor registry autorun locations and scheduled tasks to identify fileless persistence attempts.
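An added example (not from the Cofense report or this page) of the attachment-side check the first recommendation calls for: scanning a PNG or JPEG for a Base64 run that decodes to a PE (the DOS "MZ" header), and noting whether it sits past the image's declared end or inside a metadata chunk. The 64-character run threshold and the constructed sample images are assumptions.

```python
import base64
import re
import struct
import zlib
from typing import List, Optional

# A run of Base64 text long enough to carry a payload rather than noise (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def declared_end(data: bytes) -> Optional[int]:
    """Offset where the format says the image ends: JPEG EOI marker or PNG IEND chunk."""
    if data.startswith(b"\xff\xd8"):
        eoi = data.rfind(b"\xff\xd9")  # last EOI, so an EXIF thumbnail's own EOI is skipped
        return eoi + 2 if eoi != -1 else None
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        iend = data.find(b"IEND")
        return iend + 8 if iend != -1 else None  # 4-byte chunk type + 4-byte CRC
    return None

def decode_b64(run: bytes) -> bytes:
    """Decode a Base64 run, repairing missing padding; b'' if it is not valid Base64."""
    run = run.rstrip(b"=")
    try:
        return base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:
        return b""

def find_embedded_pe(data: bytes) -> List[dict]:
    """Report Base64 runs decoding to a PE (DOS 'MZ' header) and whether each sits after the
    image's declared end (appended trailer) or inside it (metadata or pixel data)."""
    end = declared_end(data)
    hits = []
    for m in B64_RUN.finditer(data):
        decoded = decode_b64(m.group())
        if decoded[:2] == b"MZ":
            where = "trailer" if end is not None and m.start() >= end else "inside_image"
            hits.append({"offset": m.start(), "decoded_len": len(decoded), "location": where})
    return hits

# Constructed samples, not real malware: the stand-in "DLL" is an MZ header plus filler bytes.
FAKE_DLL_B64 = base64.b64encode(b"MZ" + b"\x90" * 98)
MINIMAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 32 + b"\xff\xd9"
JPEG_WITH_TRAILER = MINIMAL_JPEG + FAKE_DLL_B64  # payload appended after the EOI marker

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

PNG_WITH_TEXT_CHUNK = (b"\x89PNG\r\n\x1a\n" + png_chunk(b"tEXt", b"Comment\x00" + FAKE_DLL_B64)  # inside metadata
                       + png_chunk(b"IEND", b""))
```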
Response
If a malicious steganographic image is suspected, isolate the affected endpoint immediately and collect memory for forensic analysis. Investigators should search for the .NET loader DLL and any legitimate processes that may be hosting injected Remcos components. Unauthorized autorun registry entries and scheduled tasks created by the loader should be removed. Any accounts potentially exposed during the intrusion should undergo a full credential reset.
Attack Flow
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef malware fill:#ff9999
  classDef persistence fill:#ffcc99
  classDef privilege fill:#ffb3b3
  %% Node definitions
  action_phishing["<b>Action</b> – <b>T1566.001 Phishing</b><br/>Spearphishing Attachment: attacker sends finance-themed email with a malicious JavaScript dropper attachment."]
  class action_phishing action
  action_user_execution["<b>Action</b> – <b>T1204.003 User Execution</b><br/>Malicious Image: victim opens the JavaScript dropper which initiates download of a malicious image from a public hosting site."]
  class action_user_execution action
  action_steganography["<b>Action</b> – <b>T1027.003 Obfuscated Files or Information</b><br/>Steganography: the downloaded image contains a Base64-encoded .NET Loader DLL hidden via steganography."]
  class action_steganography action
  action_process_injection["<b>Action</b> – <b>T1055 Process Injection</b><br/>Loader injects the Remcos RAT into the memory of a legitimate process such as explorer.exe."]
  class action_process_injection action
  action_privilege_escalation["<b>Action</b> – <b>T1548 Abuse Elevation Control Mechanism</b><br/>Loader escalates privileges to obtain administrator rights before executing the payload."]
  class action_privilege_escalation privilege
  persistence_appcert["<b>Persistence</b> – <b>T1546.009 Event Triggered Execution</b><br/>AppCert DLLs: registry entries written to load the malicious DLL at boot (fileless persistence)."]
  class persistence_appcert persistence
  persistence_activesetup["<b>Persistence</b> – <b>T1547.014 Boot or Logon Autostart Execution</b><br/>Active Setup: additional autostart registry keys added for persistence."]
  class persistence_activesetup persistence
  malware_remcos_rat["<b>Malware</b> – <b>T1219 Remote Access Tool</b><br/>Remcos RAT provides command-and-control capabilities for the attacker."]
  class malware_remcos_rat malware
  action_lateral_movement["<b>Action</b> – <b>T1021 Remote Services</b><br/>RAT uses remote services to move laterally across the network."]
  class action_lateral_movement action
  %% Connections
  action_phishing -->|delivers| action_user_execution
  action_user_execution -->|executes| action_steganography
  action_steganography -->|contains| action_process_injection
  action_process_injection -->|injects| malware_remcos_rat
  malware_remcos_rat -->|enables| action_privilege_escalation
  action_privilege_escalation -->|creates| persistence_appcert
  persistence_appcert -->|adds| persistence_activesetup
  malware_remcos_rat -->|facilitates| action_lateral_movement
Detections
LOLBAS WScript / CScript (via process_creation)
Image File Was Created By Suspicious Process (via file_event)
Possible Internet Archive Resolved By Uncommon Process (via dns_query)
Detection of DotNET Loader and Remcos RAT via Steganography [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Preparation – Steganographic Payload: The attacker embeds a compiled Remcos RAT DLL inside a benign JPEG using a custom tool (StegoEmbed.exe). The resulting file (malicious.jpg) carries the malicious payload in its pixel data.
- Delivery – Execution of DotNET Loader: The attacker executes a .NET‑based loader (dotnet.exe) that references the stego image and includes the argument Loader. The loader reads the image, extracts the embedded DLL, and loads it directly into memory (in‑memory execution) without writing to disk, thereby achieving privilege escalation via an exploit (T1068).
- Result – RAT Beacon: Once in memory, the Remcos RAT establishes a network connection to the C2 server. The critical telemetry generated is a process‑creation event where Image (ProcessName) contains DotNET (dotnet.exe) and CommandLine contains the literal word Loader. This satisfies the Sigma rule's selection_dotnet_loader.
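The selection_dotnet_loader matching described above (Image contains DotNET, CommandLine contains Loader), implemented over constructed Sysmon-style process-creation records as an added example; this is not the page's Sigma rule or the detection vendor's code. The parent-process and image-argument context checks are my addition for triage and are not part of the rule.

```python
import re

# Sigma `contains` semantics: case-insensitive substring match; every field in the selection must
# match (AND), and any one of a field's listed values is enough for that field (OR).
SELECTION_DOTNET_LOADER = {"Image": ["DotNET"], "CommandLine": ["Loader"]}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # the JavaScript dropper in the campaign runs under these
IMAGE_ARG = re.compile(r"\S+\.(?:jpe?g|png)\b", re.IGNORECASE)  # the loader is passed the stego image

def selection_matches(event: dict, selection: dict) -> bool:
    """True when, for every field in the selection, at least one listed value is contained in the event."""
    for field, needles in selection.items():
        value = str(event.get(field, "")).lower()
        if not any(n.lower() in value for n in needles):
            return False
    return True

def triage(event: dict) -> dict:
    """Run the selection and attach analyst context (the context checks are an addition, not the page's rule)."""
    hit = selection_matches(event, SELECTION_DOTNET_LOADER)
    parent = str(event.get("ParentImage", "")).lower().rsplit("\\", 1)[-1]
    context = []
    if hit and parent in SCRIPT_HOSTS:
        context.append("parent is a script host (JS dropper chain)")
    if hit and IMAGE_ARG.search(str(event.get("CommandLine", ""))):
        context.append("command line references an image file")
    return {"ProcessId": event.get("ProcessId"), "alert": hit, "context": context}

def evaluate(events: list) -> list:
    """Triage results for the events that fire the selection, in input order."""
    return [triage(e) for e in events if selection_matches(e, SELECTION_DOTNET_LOADER)]

# Constructed Sysmon Event ID 1 style records; paths, users and PIDs are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r'"dotnet.exe" "C:\Users\alice\AppData\Local\Temp\malicious.jpg" Loader',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},  # the simulated chain: true positive
    {"ProcessId": 4188, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r'"dotnet.exe" build C:\src\Loader\Loader.csproj',
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},  # fires, but no supporting context
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c type image.png", "ParentImage": r"C:\Windows\explorer.exe"},  # Image does not match
    {"ProcessId": 4230, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": '"dotnet.exe" --list-sdks', "ParentImage": r"C:\Windows\System32\cmd.exe"},  # no Loader
]

if __name__ == "__main__":
    for result in evaluate(SAMPLE_EVENTS):
        print(result)
```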
Regression Test Script:
# ---------------------------------------------------------
# Simulation Script – DotNET Loader with Steganography (T1027.003)
# ---------------------------------------------------------
# 1. Create a dummy stego image (placeholder – real embed not required)
$stegoPath = "$env:TEMP\malicious.jpg"
Copy-Item "$env:SystemRoot\Web\Wallpaper\Windows\img0.jpg" $stegoPath -Force

# 2. Execute the .NET loader with the required flag
# Using the legitimate dotnet.exe to mimic the "DotNET" image name.
# The argument "Loader" triggers the Sigma rule.
$loaderArgs = "`"$stegoPath`" Loader"
Write-Host "[*] Launching dotnet loader with argument: $loaderArgs"
Start-Process -FilePath "dotnet.exe" -ArgumentList $loaderArgs -NoNewWindow

# 3. Wait a short period to ensure the process is captured by Sysmon
Start-Sleep -Seconds 5

# 4. OPTIONAL: Simulate RAT beacon (network traffic) – not required for rule test
# ---------------------------------------------------------
Write-Host "[*] Simulation complete. Verify alert in SIEM."
Cleanup Commands:
# ---------------------------------------------------------
# Cleanup – remove temporary stego image and stop any lingering loader processes
# ---------------------------------------------------------
$stegoPath = "$env:TEMP\malicious.jpg"

# Remove the temporary image
if (Test-Path $stegoPath) {
    Remove-Item $stegoPath -Force
    Write-Host "[*] Deleted $stegoPath"
}

# Stop any dotnet processes started by this script (identified by the "Loader" argument).
# Process.StartInfo.Arguments is empty for processes this session did not start, so read
# the command line from WMI instead.
Get-CimInstance Win32_Process -Filter "Name = 'dotnet.exe'" |
    Where-Object { $_.CommandLine -match "Loader" } |
    ForEach-Object {
        Stop-Process -Id $_.ProcessId -Force
        Write-Host "[*] Terminated process ID $($_.ProcessId)"
    }
# ---------------------------------------------------------