
Stealth RAT uses a PowerShell loader for fileless attacks

by Wikdaily

Running shellcode entirely in memory

Once the obfuscated PowerShell script is executed, it decodes and reconstructs two chunks of base64-encoded data: one is a shellcode loader, the other a PE file (Remcos RAT).

To run this entirely in memory, the script relies heavily on native Windows API functions (VirtualAlloc, CallWindowProcW) and .NET interop helpers (Marshal.Copy), reached through PowerShell’s ability to call unmanaged code.

Additionally, to stay under the radar, the malware takes a sneakier route: instead of openly importing the Windows API functions it plans to use, it resolves their addresses in memory at run time. This trick, known as “walking the process environment block (PEB),” helps it escape scanners that look for obvious clues, like known file names or function calls.
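A defender-side illustration of how the traits described above surface in PowerShell script block logging (Event ID 4104). The Python below is an added example, not code from the article or from the loader it describes; its indicator weights, verdict thresholds and sample log text are assumptions constructed for illustration. It pulls long base64 runs out of a logged script block, decodes them and checks whether any carries a PE (“MZ”) header, then combines that with the presence of the allocate, copy and invoke primitives the article names, so that the combination scores high while any single trait on its own does not.

```python
"""Triage PowerShell ScriptBlock log text (Event ID 4104) for in-memory loader traits.

Added example for this article. Indicator weights, thresholds and the sample
script blocks are assumptions made for illustration, not campaign artifacts.
"""
import base64
import binascii
import re

# Weighted indicators drawn from the loader behaviour described in the article.
# Weights are an assumption: a single primitive is common in legitimate tooling;
# the allocate + copy + invoke combination is what raises the score.
INDICATORS = {
    "VirtualAlloc": 3,        # unmanaged memory allocation
    "CallWindowProcW": 3,     # callback API used to transfer execution into a buffer
    "Marshal]::Copy": 2,      # [Runtime.InteropServices.Marshal]::Copy into that buffer
    "FromBase64String": 1,    # decoding embedded payload chunks
}
PE_BONUS = 3                  # a decoded chunk that starts with the DOS 'MZ' header

# Long base64 runs only; short ones are too common in benign scripts to be useful.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_b64_chunks(text):
    """Return decoded bytes for every long base64 run that decodes cleanly."""
    chunks = []
    for match in B64_RUN.finditer(text):
        try:
            chunks.append(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # a hash, token or truncated run that only looked like base64
    return chunks


def is_pe(data):
    """True if the decoded chunk starts with the DOS 'MZ' header, i.e. looks like a PE file."""
    return data[:2] == b"MZ"


def analyze(script_text):
    """Score one script block and report which indicators and payload types were seen."""
    hits = [name for name in INDICATORS if name in script_text]
    score = sum(INDICATORS[name] for name in hits)
    chunks = extract_b64_chunks(script_text)
    pe_chunks = sum(1 for c in chunks if is_pe(c))
    if pe_chunks:
        score += PE_BONUS
    if score >= 8:
        verdict = "suspicious"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "benign"
    return {"score": score, "indicators": hits, "b64_chunks": len(chunks),
            "pe_chunks": pe_chunks, "verdict": verdict}


def triage(blocks):
    """Analyze (record_id, script_text) pairs and return them highest score first."""
    results = [(rid, analyze(text)) for rid, text in blocks]
    return sorted(results, key=lambda r: r[1]["score"], reverse=True)


# --- Constructed sample data (harmless bytes; not real payloads) ---------------------
# A stub with only the 'MZ' marker so the PE check fires; it is not an executable.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 70 + b"PE\x00\x00" + b"\x00" * 20).decode()
FAKE_LOADER = base64.b64encode(b"constructed-placeholder-bytes-not-code" * 3).decode()
FAKE_CONFIG = base64.b64encode(b'{"retries":3}' * 8).decode()

# Benign admin script: base64 is used for a config blob, no memory primitives.
BENIGN_BLOCK = ("$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
                + FAKE_CONFIG + "'));Write-Output $cfg")
# Embedded PE written to disk: worth a look, but none of the in-memory primitives.
DROPPER_BLOCK = ("$bytes=[Convert]::FromBase64String('" + FAKE_PE
                 + "');[IO.File]::WriteAllBytes('C:\\Temp\\setup.exe',$bytes)")
# Shape of the loader described in the article: two chunks plus allocate/copy/invoke.
SUSPICIOUS_BLOCK = ("$a=[Convert]::FromBase64String('" + FAKE_LOADER + "');"
                    "$b=[Convert]::FromBase64String('" + FAKE_PE + "');"
                    "$m=[Win32]::VirtualAlloc(0,$a.Length,$t,$p);"
                    "[System.Runtime.InteropServices.Marshal]::Copy($a,0,$m,$a.Length);"
                    "[Win32]::CallWindowProcW($m,0,0,0,0)")

SAMPLE_BLOCKS = [("rec-1", BENIGN_BLOCK), ("rec-2", DROPPER_BLOCK), ("rec-3", SUSPICIOUS_BLOCK)]

if __name__ == "__main__":
    for rid, result in triage(SAMPLE_BLOCKS):
        print(f"{rid}: {result['verdict']:<10} score={result['score']:>2} "
              f"indicators={result['indicators']} pe_chunks={result['pe_chunks']}")
```

Run as-is it ranks the three constructed blocks; in production the input would be the ScriptBlockText field of 4104 events. The thresholds need tuning against a baseline of the environment’s own administrative scripts, since base64 decoding and even VirtualAlloc appear in legitimate tooling, and a decoded chunk that fails the “MZ” check is not necessarily harmless (the loader chunk in the article is shellcode, which has no header at all).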

“This loader re-frames Remcos as an ephemeral plug-in rather than a resident implant,” Soroko added. “By shifting every stage of the tool-chain into transient memory and dissolving the loader itself once the session ends, the operators make forensic artifacts nearly as disposable as the lure ZIP.”
