Protect Your PowerShell from Fileless Attacks Caused by Remcos RAT Malware

Windows users need to stay vigilant against the Remcos Remote Access Trojan (RAT). The malware arrives through phishing: the victim is sent a ZIP archive, and a single ill-advised click on the shortcut inside it starts a chain in which mshta.exe runs an HTML Application that in turn launches PowerShell. The Remcos payload itself is never written to disk, which is why the technique is described as fileless. Once running, the RAT can capture screenshots, log keystrokes and give the operator full remote control of the machine.

This guide aims to provide practical measures to secure your PowerShell against the Remcos RAT and other similar fileless malware attacks.

Understanding Remcos RAT: The Threat Landscape

The Remcos RAT attack method is worryingly straightforward. According to Qualys, victims receive ZIP files containing LNK files—Windows shortcuts camouflaged as documents. Currently, scammers exploit tax-themed phishing emails, but tomorrow’s threats could adopt any guise to deceive users.

Opening the LNK file starts mshta.exe (the Microsoft HTML Application Host), which runs an HTA that in turn launches a PowerShell script such as “24.ps1.” That script is a shellcode loader: it allocates memory, writes the Remcos payload into it and executes it in place. The RAT therefore runs entirely from memory and is never dropped as a file, although the ZIP, the LNK and the PowerShell activity itself do leave artifacts, which is what the logging steps below rely on.

Caution: PowerShell has become a preferred tool for attackers targeting Windows users. It is a signed, trusted system binary that can fetch, decode and run code straight from memory, so its activity blends in with administration and is easy to overlook.

Effective Strategies to Block Remcos RAT in PowerShell

Begin by launching PowerShell with administrator privileges and check the current execution policy. Keep its limits in mind: the execution policy is a safety feature, not a security boundary. It only governs whether .ps1 files run in this host, and it is bypassed by a single switch (“powershell -ExecutionPolicy Bypass”) or by inline “-Command” or “-EncodedCommand” arguments, which is exactly how the mshta stage in this chain launches PowerShell. Treat it as one layer that stops accidental script execution, not as a control that stops Remcos on its own.

Get-ExecutionPolicy

If the result is Restricted (the default on Windows client editions; Windows Server defaults to RemoteSigned), proceed to the next steps. If it shows Unrestricted or Bypass, revert it to Restricted, confirming when prompted. On a workstation that never runs scripts, Restricted is appropriate; where administrators do run signed scripts, AllSigned gives the same protection against downloaded, unsigned files.

Set-ExecutionPolicy Restricted

Changing PowerShell execution policy to Restricted.

After the execution policy, follow Qualys's recommendation and enable Constrained Language Mode (CLM). CLM removes most of the primitives an in-memory loader needs: it blocks Add-Type, restricts method calls on .NET types outside a small set of core types (so Marshal.Copy, delegate creation and P/Invoke wrappers fail), and prevents COM object creation. To switch the current session into CLM:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This assignment only affects the session in which it is run: it does not persist, and any new PowerShell process, including one started by mshta.exe, starts in FullLanguage again. To enforce CLM for every user and every process, deploy an application control policy (Windows Defender Application Control or AppLocker in enforcement mode); when such a policy is in effect, PowerShell places unapproved scripts and commands in CLM automatically. Separately, make sure the execution policy is set at machine scope rather than only for your own user account:

Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted -Force

Enforcing Constrained Language Mode in PowerShell.
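The following added example (it is not from the original article or from Qualys) pulls the execution-policy and language-mode steps together and, more importantly, shows why neither is a boundary on its own: a child PowerShell launched the way the mshta stage launches it, with the policy bypassed and an encoded inline command, ignores both the policy and the parent session's LanguageMode unless WDAC or AppLocker is enforcing. Paste it into an elevated console rather than saving it as a .ps1 (a Restricted policy would refuse the file, which is the point). The function names Show-PowerShellLockdownState and Test-PowerShellLockdownBypass are my own.

```powershell
# Added example (not from the article or Qualys): set the execution policy at
# machine scope, show the session state, then launch a child PowerShell the way
# the mshta stage does and see which of these controls it actually inherits.
#Requires -RunAsAdministrator

function Show-PowerShellLockdownState {
    # Effective policy is the first non-Undefined scope in this order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String | Write-Host
    [pscustomobject]@{
        EffectivePolicy = Get-ExecutionPolicy
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
    }
}

function Test-PowerShellLockdownBypass {
    param([Parameter(Mandatory)][string]$EncodedProbe)
    # Same launch pattern as a malicious HTA: hidden window, policy bypassed,
    # Base64-encoded inline command, no script file on disk.
    $out = & powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden `
                            -ExecutionPolicy Bypass -EncodedCommand $EncodedProbe
    $lm, $dotnet = (($out -join '').Trim()).Split(',')
    [pscustomobject]@{
        ChildLanguageMode  = $lm
        ChildDotNetAccess  = $dotnet
        # Only a WDAC/AppLocker policy makes a new process start in CLM.
        EnforcedSystemWide = ($lm -eq 'ConstrainedLanguage')
    }
}

# Probe the child runs: report its language mode and whether a non-core .NET
# static method (blocked under CLM) can be called.
$probe = '$lm = $ExecutionContext.SessionState.LanguageMode; ' +
         'try { [Runtime.InteropServices.Marshal]::SizeOf([int]) | Out-Null; $net = ''allowed'' } ' +
         'catch { $net = ''blocked'' }; [string]$lm + '','' + $net'
# Encode while still in FullLanguage: [Convert] is not callable once CLM is on.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))

# 1. Machine-scope policy plus session-only CLM, as in the steps above.
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted -Force
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

# 2. This session now reports Restricted / ConstrainedLanguage ...
Show-PowerShellLockdownState

# 3. ... while the child reports FullLanguage / allowed unless WDAC or AppLocker
#    is enforcing, which is why a loader still runs under these two settings alone.
Test-PowerShellLockdownBypass -EncodedProbe $encoded
```

On a machine with no application control policy the last call returns ChildLanguageMode FullLanguage, ChildDotNetAccess allowed and EnforcedSystemWide False. When EnforcedSystemWide comes back True, a WDAC or AppLocker policy is in force and the shellcode loader's Marshal and delegate calls fail in the child as well.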

PowerShell itself has no setting that filters or blocks suspicious command-line arguments such as “-WindowStyle Hidden”, “-EncodedCommand” or “-ExecutionPolicy Bypass”; blocking those patterns needs an application-control or EDR layer. What PowerShell can do natively is record everything it runs.

Because the Remcos chain runs its shellcode loader as a PowerShell script block, Script Block Logging, which is off by default, is the single most valuable switch: it writes the de-obfuscated content of every script block to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104. The policy key usually does not exist yet, so create it:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Force
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

Creating registry pathways for PowerShell ScriptBlockLogging.

With EnableScriptBlockLogging set to 1, PowerShell does not prevent Remcos or any other loader from running; it records what they ran. Each script block is logged as it is invoked, so code that arrives Base64-encoded or is built at runtime and passed to Invoke-Expression is logged in its decoded form. That is what turns a fileless attack into an investigable one: the shellcode loader, its VirtualAlloc and Marshal calls and the decoded stager all land in Event ID 4104, where Microsoft Defender, your SIEM or a manual hunt can find them. Even with the policy off, PowerShell 5 and later writes script blocks that contain known-dangerous keywords at Warning level, but only the explicit policy captures everything.

The “CommandLineFiltering” key and “EnableCommandLineFiltering” value that circulate in some guides are not a documented PowerShell policy, and creating them has no effect; do not rely on them. The documented companions of Script Block Logging, set under the same HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell key, are Module Logging (Event ID 4103, pipeline execution details for the modules you list) and Transcription (a plain-text transcript of every session, written to a directory of your choice). Together the three give you the command line, the code and the output of every PowerShell session on the machine.
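As an added example, not part of the original article, the block below enables all three documented logging policies through their registry values and then hunts the resulting Event ID 4104 records for indicators typical of a PowerShell shellcode loader or an HTA hand-off. The indicator list, the transcript directory C:\PSTranscripts and the function names Enable-PowerShellLogging, Test-SuspiciousScriptBlock and Find-SuspiciousScriptBlocks are my own choices, not a Microsoft or Qualys signature set.

```powershell
# Added example: turn on the three documented PowerShell logging policies and
# hunt the resulting 4104 events for loader-style indicators.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param(
        # Assumed transcript location; restrict it so only administrators can read it.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )
    # Script Block Logging -> Event ID 4104 (content of every script block).
    New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Module Logging -> Event ID 4103 (pipeline details); a '*' entry covers all modules.
    New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' `
        -PropertyType String -Value '*' -Force | Out-Null

    # Transcription -> plain-text transcript of each session under $TranscriptDir.
    New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\Transcription" -Name EnableInvocationHeader `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory `
        -PropertyType String -Value $TranscriptDir -Force | Out-Null
}

# Indicators typical of an in-memory loader or the mshta -> PowerShell hand-off.
# These are my own regexes, not an official signature list.
$loaderPatterns = @(
    'VirtualAlloc', 'VirtualProtect', 'CreateThread', 'WriteProcessMemory',
    'Marshal\]::Copy', 'GetDelegateForFunctionPointer', 'DllImport',
    'FromBase64String', 'Invoke-Expression|\bIEX\b', 'DownloadString|DownloadFile',
    '-EncodedCommand|-enc\b', 'mshta', '-WindowStyle\s+Hidden|-w\s+hidden'
)

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$Text)
    # Emit each matched indicator; nothing is emitted for a clean block.
    foreach ($p in $loaderPatterns) {
        if ($Text -match "(?i)$p") { $p }
    }
}

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hits = @(Test-SuspiciousScriptBlock -Text $text)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Path          = $_.Properties[4].Value   # empty for code that never touched disk
                Indicators    = ($hits -join ', ')
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Enable-PowerShellLogging

# Constructed sample (not a real Remcos block) to show what the matcher flags:
$sample = 'IEX (New-Object Net.WebClient).DownloadString($u); [Runtime.InteropServices.Marshal]::Copy($sc,0,$ptr,$sc.Length)'
Test-SuspiciousScriptBlock -Text $sample

# Hunt the last 24 hours of 4104 events on this machine.
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

The sample matches on Marshal]::Copy, Invoke-Expression|\bIEX\b and DownloadString|DownloadFile. Note that pasting this block into a session that already has Script Block Logging on produces a 4104 event that matches its own indicator list; that is a convenient self-test of the logging pipeline, and a reminder to tune the patterns against your own administrative scripts before alerting on them.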

Disabling MSHTA.exe: A Key Strategy Against Remcos RAT

Remcos RAT is launched through mshta.exe, a signed Windows component located in C:\Windows\System32 (64-bit systems also carry a 32-bit copy in C:\Windows\SysWOW64). It exists to run HTML Applications, a legacy technology that few modern applications still use, and it is one of the best-known living-off-the-land binaries, so on most machines it can be blocked with little side effect. Test on a pilot group first: some legacy line-of-business tools and installers still ship HTA front-ends.

Location of mshta.exe within the System32 directory.

mshta.exe runs HTML Application (HTA) files, whose embedded VBScript or JScript executes outside the browser sandbox with the full rights of the user who opened the file (not elevated, but free of the security-zone restrictions a browser would apply). On Windows 11 Pro, open the Local Group Policy Editor by typing gpedit.msc into the Run dialog and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies. Software Restriction Policies are deprecated in favour of AppLocker and Windows Defender Application Control, but they still work and remain the quickest way to block a single binary on a standalone machine.


If no policies are pre-existing, you can create one by right-clicking to add a new policy, selecting New Software Restriction Policies. Under Additional Rules, choose to create a New Path Rule.


Enter C:\Windows\System32\mshta.exe as the path and set its security level to Disallowed. On a 64-bit system add a second path rule for C:\Windows\SysWOW64\mshta.exe, because the 32-bit copy is a separate file that the first rule does not cover. Click Apply and then OK. The rule takes effect for new processes; you can confirm it by running mshta.exe from the Run dialog, which should be refused with a message that the program is blocked by group policy.

Windows 10 and 11 Home lack the Group Policy Editor, and the Exploit Protection page in Windows Security is not a substitute: its per-program settings toggle memory-safety mitigations such as DEP and ASLR for a process, and none of them stop mshta.exe from starting. On Home editions, remove execute permission from both copies of mshta.exe instead. System files are owned by TrustedInstaller, so take ownership as an administrator first, then add a deny-execute entry for Everyone; the change is reversible by removing that entry. Re-check after feature updates, which can replace the file and restore its default permissions.
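The following added example, which is not part of the original article, implements the deny-execute approach for editions without the Group Policy Editor, covers the SysWOW64 copy on 64-bit Windows, verifies the result and keeps a rollback. It uses only the inbox takeown.exe and icacls.exe tools; the function names Disable-Mshta, Enable-Mshta and Test-MshtaBlocked are my own.

```powershell
# Added example: make mshta.exe non-executable via its ACL (for editions without
# gpedit), verify it, and keep a rollback. Both copies are handled on 64-bit Windows.
#Requires -RunAsAdministrator

$mshtaPaths = @(
    "$env:windir\System32\mshta.exe",
    "$env:windir\SysWOW64\mshta.exe"
) | Where-Object { Test-Path $_ }

function Disable-Mshta {
    foreach ($p in $mshtaPaths) {
        # System files are owned by TrustedInstaller; administrators must take
        # ownership (/A = give it to the Administrators group) before editing the DACL.
        & takeown.exe /F $p /A | Out-Null
        & icacls.exe $p /grant '*S-1-5-32-544:F' | Out-Null   # Administrators: Full, so we can undo this
        & icacls.exe $p /deny  '*S-1-1-0:(X)'  | Out-Null     # Everyone: deny Execute
    }
}

function Enable-Mshta {
    foreach ($p in $mshtaPaths) {
        # Remove only the deny entry for Everyone; everything else stays as is.
        & icacls.exe $p /remove:d '*S-1-1-0' | Out-Null
    }
}

function Test-MshtaBlocked {
    # Try to start each copy with an inert argument. An ACL deny surfaces as an
    # "Access is denied" error from Start-Process; if it does start, stop it again.
    foreach ($p in $mshtaPaths) {
        try {
            $proc = Start-Process -FilePath $p -ArgumentList 'about:blank' -PassThru -ErrorAction Stop
            Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{ Path = $p; Blocked = $false }
        } catch {
            [pscustomobject]@{ Path = $p; Blocked = ($_.Exception.Message -match 'denied') }
        }
    }
}

Disable-Mshta
Test-MshtaBlocked            # expect Blocked = True for every path listed

# Feature updates can replace mshta.exe and reset its ACL: run Test-MshtaBlocked
# after patching, and call Enable-Mshta if a legitimate HTA application needs it back.
```

The deny applies to Everyone, which includes SYSTEM and administrators; that is intentional, since nothing on a typical workstation should be launching HTAs, and the Administrators full-control grant is what lets Enable-Mshta undo it. An attacker who already runs as administrator can of course reverse it too; the control is aimed at the phishing chain, which runs as the user who opened the ZIP.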

Additional Security Measures to Keep PowerShell Secure

To bolster your defenses against Remcos RAT and other malicious exploits, consider these additional preventive steps:

  • Regular Updates: Always keep your Windows operating system and applications updated to the latest versions, as patches often address vulnerabilities.
  • Enable Real-time Protection: Make sure your antivirus software, like Microsoft Defender, is always active and in real-time protection mode.
  • Educate Users: Promote training on identifying phishing attempts and the significance of cautious browsing behavior among users who access your systems.
  • Network Monitoring: Employ tools for continuous network monitoring to detect unusual activity that might indicate a RAT infection.
  • Backups: Regularly back up your data to reduce the impact of a potential attack and keep a recovery plan on standby.

By employing these strategies, you can safeguard your PowerShell usage against the Remcos RAT and other emerging threats.

Frequently Asked Questions

1. What is the Remcos RAT and how does it operate?

The Remcos RAT is a remote access trojan delivered through phishing. The victim opens a ZIP attachment containing a Windows shortcut; the shortcut starts mshta.exe, which runs an HTML Application that launches PowerShell, and the PowerShell stage loads the Remcos payload directly into memory without writing it to disk. Once running it can capture keystrokes, screenshots and other sensitive information and give the operator remote control of the device.

2. How can I prevent Remcos RAT from accessing my system?

Set the PowerShell execution policy to Restricted at machine scope, enforce Constrained Language Mode through a WDAC or AppLocker policy rather than a per-session setting, turn on Script Block Logging so any loader that does run is recorded, and block mshta.exe. Keep the system updated and train users to recognise phishing attachments, since the chain only starts when someone opens the shortcut.

3. Is it safe to disable mshta.exe?

Yes, for most machines. HTML Applications are rare today and mshta.exe is one of the most abused living-off-the-land binaries, so blocking it removes a whole class of phishing chains at little cost. Test on a pilot group first, because some legacy enterprise tools and installers still use HTA front-ends, and both the Software Restriction Policy rule and the permission change are reversible if something breaks.
