Remcos RAT Delivered via VHDX File in Multi-Stage Attack Chain Targeting German Speakers
A malicious ZIP archive containing a VHDX file delivers Remcos RAT through a multi-stage JavaScript, WMI, and PowerShell chain, with most payloads remaining undetected by antivirus.

A new malware campaign reported to the SANS Internet Storm Center uses a malicious ZIP archive to deliver the Remcos remote access trojan (RAT) through an elaborate multi-stage infection chain. The archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094) contains a VHDX file that, when mounted on modern Windows systems, reveals an obfuscated JavaScript file. The use of a virtual hard disk image as a malware container, while not new, helps the payload evade many first-line security controls.
The JavaScript, named "Partnerschaft_fur_neue_Angebotsanfrage.js" (German for "Partnership for new quotation request"), likely targets German-speaking victims. It employs three stages to ultimately deploy the RAT. In the first stage, the obfuscated JavaScript uses WMI (WbemScripting.SWbemLocator → ConnectServer() → Win32_Process.Create()) to launch a PowerShell script. This technique bypasses EDR solutions and classic detection rules that monitor parent-child process relationships, as the chain JavaScript → WMI → PowerShell appears less suspicious than a direct JavaScript → PowerShell link.
The second-stage PowerShell script reconstructs itself from concatenated strings, removing a "bubble" pollution string during execution. It uses a function called "otidiform" to decrypt Base64-encoded strings with the XOR key "Identificational." This script downloads the next stage from hxxps://cembusconfort[.]ro/Exoticisms121.dsp and saves it to %APPDATA%\Endocoel.Pro. The downloaded file (SHA256: 9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1) contains an appended payload that is extracted by carving a substring from offset 143578 with length 20305.
The extracted third stage is a PowerShell reflective .NET loader that uses System.Reflection.Assembly.Load() to execute shellcode. This shellcode fetches the final Remcos RAT payload from hxxps://cembusconfort[.]ro/YoHtJ27.bin and injects it into the legitimate Windows process backgroundTaskHost.exe. The RAT communicates with its command-and-control server at animal342[.]duckdns[.]org:53552 and establishes persistence via a Run registry key that executes the PowerShell loader on system startup.
Remcos is a commercially available remote access trojan that has been widely used by threat actors for surveillance, data theft, and as a foothold for further attacks. The infection chain demonstrates sophisticated evasion techniques, including the use of VHDX containers, WMI-based process creation, and multi-layered obfuscation. Notably, most files in the chain remain undetected by antivirus engines, with the initial JavaScript scoring only 5/57 detections on VirusTotal.
The full infection path is: Email → ZIP → VHDX → JavaScript → PowerShell Decoder → PowerShell (.NET Loader) → Shellcode (Downloader) → Remcos. Organizations should educate users about the risks of opening unsolicited ZIP archives, especially those containing VHDX files, and ensure that EDR solutions are configured to monitor for unusual WMI and PowerShell activity.
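The JavaScript → WMI → PowerShell hand-off described above leaves a trace in process telemetry: Win32_Process.Create() makes WmiPrvSE.exe, not wscript.exe, the parent of the PowerShell stage. As an added example (not part of the ISC report), the following Python flags that parent-child pair over constructed Sysmon-style process-creation records and correlates it with a script host that started shortly before on the same machine; the field names, timestamps and sample records are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Win32_Process.Create() runs its child under the WMI provider host, so the
# PowerShell stage shows WmiPrvSE.exe, not wscript.exe, as its parent.
WMI_HOST = "wmiprvse.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(seconds=60)  # look-back for a script host on the same machine

def _name(path):
    return ntpath.basename(path).lower()

def detect_wmi_powershell(events, window=WINDOW):
    """Return (event, reason) pairs for PowerShell launched via WMI.

    A PowerShell child of WmiPrvSE.exe is flagged on its own; a script host
    that started on the same computer within `window` beforehand is added
    to the reason, matching the JavaScript -> WMI -> PowerShell hand-off.
    """
    events = sorted(events, key=lambda e: e["UtcTime"])
    findings = []
    for ev in events:
        if _name(ev["Image"]) not in POWERSHELL or _name(ev["ParentImage"]) != WMI_HOST:
            continue
        reason = "PowerShell spawned by WMI provider host"
        hosts = [e for e in events if e["Computer"] == ev["Computer"]
                 and _name(e["Image"]) in SCRIPT_HOSTS
                 and timedelta(0) <= ev["UtcTime"] - e["UtcTime"] <= window]
        if hosts:
            gap = int((ev["UtcTime"] - hosts[-1]["UtcTime"]).total_seconds())
            reason += f"; {_name(hosts[-1]['Image'])} started {gap}s earlier"
        findings.append((ev, reason))
    return findings

# Constructed Sysmon-style process-creation records, not captured telemetry.
T0 = datetime(2025, 1, 15, 9, 30, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": T0, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "E:\Partnerschaft_fur_neue_Angebotsanfrage.js"'},
    {"Computer": "WS01", "UtcTime": T0 + timedelta(seconds=4), "Image": PS,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c $null"},
    {"Computer": "WS02", "UtcTime": T0 + timedelta(seconds=9), "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Date"},
]
```

Only the WS01 PowerShell launch is reported; the interactive PowerShell on WS02, whose parent is explorer.exe, is left alone.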