SOC Prime Bias: High

17 Jun 2026 12:58 UTC

How a VHDX File Delivers Remcos RAT

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A multi-stage malware campaign uses a weaponized ZIP archive containing a VHDX disk image to evade common security controls. After the VHDX is mounted, an obfuscated JavaScript file runs and launches a series of PowerShell stages through WMI. The final payload is Remcos RAT, which is injected into a legitimate Windows process to conceal its execution.

Investigation

The researcher examined a malicious ZIP archive and the embedded VHDX container to reconstruct the full attack flow. The analysis exposed a complex execution chain that used WMI-based process creation to disguise parent-child relationships, along with XOR and Base64 string obfuscation and a reflective .NET loader. The infection path was successfully traced from the initial JavaScript execution through to deployment of the final Remcos payload.

Mitigation

Organizations should apply strict controls to prevent mounting of VHDX disk images from untrusted sources. Security tooling should also monitor suspicious Win32_Process.Create activity triggered by scripting engines such as JavaScript or PowerShell. Blocking known malicious domains and watching for unusual Run key persistence in the registry can further reduce risk.
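The following hunt script is an added example of how the monitoring controls above can be checked on an endpoint; it is not a SOC Prime rule and is not code from the original report. It assumes Sysmon is installed with process-creation (Event ID 1), registry-value-set (Event ID 13) and DNS-query (Event ID 22) logging enabled, and it uses a 24-hour lookback. The blocked domain is the C2 name from the attack flow; the rule names, lookback window and the list of script engines are assumptions of the example.

```powershell
# Added hunt script (not SOC Prime's own rule): reviews Sysmon events for the
# behaviours named in the Mitigation section. Assumes Sysmon with EID 1, 13 and 22
# logging; the C2 domain comes from the report, everything else is an assumption.
param(
    [int]$LookbackHours = 24,
    [string[]]$BlockedDomains = @('animal342.duckdns.org')   # from the reported attack flow
)

# Interpreters that should not normally be children of the WMI provider host.
$scriptEngines = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function ConvertTo-EventData {
    # Flatten the Sysmon <Data Name="..."> nodes into a hashtable for easy access.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    $data
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 13, 22
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$findings = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $d = ConvertTo-EventData -Event $ev
    switch ($ev.Id) {
        1 {
            # Win32_Process.Create starts the child under WmiPrvSE.exe, so the script
            # engine that called WMI (wscript.exe for the .js stage) is no longer the
            # visible parent. A script engine whose parent is the WMI host is the signal.
            $img = [IO.Path]::GetFileName($d.Image)
            if ($d.ParentImage -like '*\WmiPrvSE.exe' -and $scriptEngines -contains $img) {
                [pscustomobject]@{ Time = $ev.TimeCreated; Rule = 'WMI-spawned script engine'
                                   Detail = $d.CommandLine; User = $d.User }
            }
        }
        13 {
            # Run key persistence that points at a script interpreter.
            if ($d.TargetObject -like '*\CurrentVersion\Run\*' -and
                $d.Details -match 'powershell|pwsh|wscript|cscript') {
                [pscustomobject]@{ Time = $ev.TimeCreated; Rule = 'Script interpreter in Run key'
                                   Detail = "$($d.TargetObject) = $($d.Details)"; User = $d.User }
            }
        }
        22 {
            # Resolution of a known C2 domain, with the process that asked for it.
            if ($BlockedDomains -contains $d.QueryName) {
                [pscustomobject]@{ Time = $ev.TimeCreated; Rule = 'Known C2 domain resolved'
                                   Detail = "$($d.Image) -> $($d.QueryName)"; User = $d.User }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it as an administrator on the host, or point `LogName` at a forwarded-events channel if Sysmon data is centralised. The first rule is the one most specific to this campaign: a PowerShell process whose parent is `WmiPrvSE.exe` rather than the JavaScript host is exactly the broken parent-child relationship the investigation describes, and it fires regardless of how the script content itself was obfuscated.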

Response

If this activity is detected, isolate the affected endpoint immediately to stop command-and-control communication. Acquire a memory dump to capture the injected Remcos payload and the reflective .NET loader. A full forensic review should then search for malicious Run key entries, additional VHDX files, and suspicious PowerShell activity elsewhere in the environment.
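As an added example of the forensic review step (not part of the original report and not a SOC Prime tool), the script below collects the three artefact classes named above from a host that has already been isolated and had its memory captured with the organisation's usual acquisition tool. It must run as an administrator; the output directory, the choice of registry keys and the PowerShell script block patterns are assumptions of the example.

```powershell
# Added triage script (not SOC Prime's own): gathers Run key entries, VHD/VHDX
# artefacts and suspicious PowerShell script blocks into CSV files for review.
# Assumes an elevated session on an already isolated host; paths are assumptions.
param([string]$OutDir = "$env:SystemDrive\IR-Triage-$(Get-Date -Format yyyyMMddHHmm)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Run key persistence: machine hives plus every user hive currently loaded.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
$runKeys | ForEach-Object {
    $key = $_
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
} | Export-Csv -Path "$OutDir\run-keys.csv" -NoTypeInformation

# 2. Disk images: anything still mounted, then VHD/VHDX files under user profiles.
Get-Disk | Where-Object Location -like '*.vhd*' |
    Select-Object Number, Location, FriendlyName, Size |
    Export-Csv -Path "$OutDir\mounted-images.csv" -NoTypeInformation
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Include *.vhdx, *.vhd -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc |
    Export-Csv -Path "$OutDir\vhdx-files.csv" -NoTypeInformation

# 3. PowerShell script block logging (EID 4104) showing the loader's traits:
#    reflective assembly load, Base64 decoding, XOR loops and WMI process creation.
$patterns = 'Reflection\.Assembly\]::Load', 'FromBase64String', '-bxor', 'Win32_Process'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $msg = $_.Message; ($patterns | Where-Object { $msg -match $_ }).Count -gt 0 } |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path "$OutDir\scriptblock-hits.csv" -NoTypeInformation

Write-Host "[+] Triage written to $OutDir"
```

Script block logging must already have been enabled for step 3 to return anything; where it was not, the Sysmon process-creation records for `powershell.exe` are the fallback. Treat any VHDX under a user's Downloads or Temp directory that coincides with a WMI-spawned PowerShell process as the likely initial container and preserve it before unmounting.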

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef malware fill:#ff9999
        classDef process fill:#ccffcc
        classDef connection fill:#f9f9f9

        %% Node Definitions
        %% Initial Access and Execution
        action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Malicious ZIP archive delivered via email."]
        class action_phishing action
        action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Description: User executes the malicious ZIP file."]
        class action_user_exec action
        tool_vhdx["<b>Tool</b> – <b>Name</b>: VHDX File<br/>Description: Malware container used to hide the payload via Escape to Host T1611."]
        class tool_vhdx tool

        %% Obfuscation and Scripting
        file_js["<b>Name</b>: Partnerschaft_fur_neue_Angebotsanfrage.js<br/><b>Description</b>: Malicious JavaScript file utilizing Command Obfuscation T1027.010 via string pollution and XOR decryption."]
        class file_js tool
        action_wmi["<b>Action</b>: PowerShell via WMI<br/><b>Description</b>: Launches PowerShell script using WMI to bypass process relationship monitoring."]
        class action_wmi action

        %% Ingress and Malware Stages
        action_ingress_1["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/><b>Description</b>: PowerShell script downloads second stage file."]
        class action_ingress_1 action
        file_dsp["<b>File</b>: Exoticisms121.dsp<br/><b>Description</b>: Second stage file stored in %APPDATA%."]
        class file_dsp tool
        tool_loader["<b>Tool</b>: Reflective .NET Loader<br/><b>Description</b>: Executes shellcode from the second stage file."]
        class tool_loader tool
        action_ingress_2["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/><b>Description</b>: Shellcode fetches the final Remcos RAT payload."]
        class action_ingress_2 action
        malware_remcos["<b>Malware</b>: Remcos RAT<br/>Description: Final payload established for Command and Control TA0011."]
        class malware_remcos malware

        %% Process and C2
        process_bg_task["<b>Process</b>: backgroundTaskHost.exe<br/>Description: Target process for malware injection."]
        class process_bg_task process
        c2_server["<b>C2 Server</b>: animal342.duckdns.org:53562<br/>Description: Remote server for Command and Control communication."]
        class c2_server tool

        %% Persistence
        action_persistence["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Description: Uses cmd.exe to create registry run keys for the PowerShell loader."]
        class action_persistence action

        %% Connections
        action_phishing -->|leads_to| action_user_exec
        action_user_exec -->|reveals| tool_vhdx
        tool_vhdx -->|contains| file_js
        file_js -->|executes via WMI| action_wmi
        action_wmi -->|performs| action_ingress_1
        action_ingress_1 -->|downloads| file_dsp
        file_dsp -->|processed by| tool_loader
        tool_loader -->|performs| action_ingress_2
        action_ingress_2 -->|fetches| malware_remcos
        malware_remcos -->|injects into| process_bg_task
        malware_remcos -->|communicates with| c2_server
        malware_remcos -->|ensures| action_persistence

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to execute a malicious payload in memory to avoid detection by traditional AV. They utilize a PowerShell script that leverages [System.Reflection.Assembly]::Load() to pull a compiled .NET DLL directly from a byte array into the current process. To maintain persistence and evade scrutiny, they attempt to spawn or interact with backgroundTaskHost.exe, a legitimate Windows process, to hide their execution thread within a standard system background task.

  • Regression Test Script:

    # Simulation Script: Reflective .NET Load & Process Interaction
    # This script mimics the logic captured by the detection rule.
    
    # 1. Create a dummy byte array representing a .NET Assembly (highly simplified for simulation)
    $assemblyBytes = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00) # Mimics MZ header
    
    Write-Host "[+] Attempting Reflective .NET Assembly Load..." -ForegroundColor Cyan
    try {
        # This specific string is a target for the detection rule
        $assembly = [System.Reflection.Assembly]::Load($assemblyBytes)
        Write-Host "[!] Success: Assembly loaded into memory (Simulation only)." -ForegroundColor Green
    } catch {
        Write-Host "[-] Assembly load failed (expected due to invalid dummy bytes), but the command was sent." -ForegroundColor Yellow
    }
    
    Write-Host "[+] Attempting to invoke backgroundTaskHost.exe to trigger detection..." -ForegroundColor Cyan
    # This specific string is a target for the detection rule
    Start-Process "C:\Windows\System32\backgroundTaskHost.exe" -ArgumentList "/test-detection"

  • Cleanup Commands:

    # Cleanup: Terminate the spawned backgroundTaskHost process
    Stop-Process -Name "backgroundTaskHost" -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete. BackgroundTaskHost terminated." -ForegroundColor Green