Palo Alto Networks has published an extensive malware analysis tutorial detailing the dissection of a sophisticated .NET-based threat that delivers the Remcos remote access trojan (RAT).<\/p>\n
The malware\u2019s emergence highlights a trend in which threat actors increasingly abuse legitimate development environments and tools\u2014such as the Microsoft .NET runtime\u2014to execute complex, multi-stage infection campaigns.<\/p>\n
This particular sample demonstrates an elevated level of evasion capability, including managed-to-unmanaged code transitions, runtime API resolution, and process injection against benign executables.<\/p>\n
The attack chain begins with a seemingly innocuous .NET executable, obfuscated to conceal its intent. This initial loader retrieves an online payload masquerading as a PDF from a compromised Bitbucket repository.<\/p>\n
Instead of document data, the file contains Donut-generated shellcode designed to execute directly in memory. By avoiding disk writes, the attackers significantly reduce the risk of detection by traditional antivirus engines that rely on static signature scanning.<\/p>\n
Palo Alto Networks analysts identified<\/a> the sample during a targeted threat hunting operation and noted its ability to transition execution between different runtime environments, a hallmark of advanced intrusion techniques.<\/p>\n Once downloaded, the payload undergoes a simple ASCII-hexadecimal decoding routine to reconstruct the actual shellcode.<\/p>\n The loader uses .NET\u2019s interop services to invoke native Windows API calls dynamically, allocating executable memory with VirtualAlloc before copying the decoded payload into it.<\/p>\n This combination of obfuscated managed code and late-bound unmanaged calls complicates static analysis, while also bypassing many heuristics that flag suspicious imports.<\/p>\n Palo Alto Networks researchers noted that this deliberate API resolution at runtime allowed the attacker to omit sensitive imports from the Portable Executable (PE) header, further evading static detection.<\/p>\n From a technical standpoint, the payload\u2019s sophistication is evident when examining the in-memory AMSI and ETW bypass routines.<\/p>\n AMSI functions such as A representative snippet illustrates this patching mechanism:-<\/p>\n This ensures that even if security tools hook these functions, malicious buffers will appear harmless.<\/p>\n Similarly, calls to One of the most technically intriguing aspects of the infection mechanism is its creation of a Common Language Runtime (CLR) instance from unmanaged shellcode.<\/p>\n After disabling defensive hooks, the shellcode uses The final stage leverages the The persistence of this execution chain relies heavily on process injection. The malicious assembly writes a decrypted Remcos payload into the suspended process\u2019s memory via multiple This multi-chunk injection method may help evade memory scanners designed to detect large, contiguous malicious allocations.<\/p>\n While the dynamic analysis, conclusively shows the Remcos RAT<\/a> ASCII banner embedded in the injected executable, confirming the campaign\u2019s end goal.<\/p>\n By walking readers through every stage from initial obfuscation to final payload activation, Palo Alto Networks\u2019 tutorial not only dissects a live threat but also arms analysts with repeatable techniques for dissecting complex, hybrid-runtime malware<\/a>.<\/p>\n This release stands out as both a detailed forensic walkthrough and a practical lab guide, making it a valuable resource for reverse engineers confronting threats that blend managed code obfuscation with native API exploitation in modern attack chains.<\/p>\n The post Palo Alto Networks Released A Mega Malware Analysis Tutorials Useful for Every Malware Analyst<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhgmwYHVgThLKzVdHmlHN8eAM5JM3f7ULNECSfPS9Dt1iiduFczJanyIMz-O0-HqGcQ0KvlnT0e0aA_l6okXfIAwn5zSaxIMUDwTfzg9bTtWmFMk6ZLj_OcBjrP58x-PceJZO0biJgqizO2MWvAhOiOASmuMf-pjZzb9_GAA1GZ_No0ti6XQKNkaYyJ-VPa\/s16000\/In-memory%2520AMSI%2520and%2520ETW%2520bypass%2520routines%2520%28Source%2520-%2520GitHub%29.webp?ssl=1\")
AmsiScanBuffer<\/code> are patched directly in memory with instructions that force them to always return AMSI_RESULT_CLEAN<\/code>.<\/p>\nbyte[] patch = { 0x33, 0xC0, 0xC2, 0x18, 0x00 }; \/\/ xor eax,eax; ret 0x18\nMarshal.Copy(patch, 0, amsiScanBufferPtr, patch.Length);<\/code><\/pre>\nEtwEventWrite<\/code> are replaced with a single ret<\/code> instruction, effectively blinding Event Tracing for Windows, which many endpoint detection products use to correlate malicious behaviors.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjJf21k7ROaMZ6awuDb-W6lrKSpWKa4pR1j0PxBY8OauSfLdaDnlvA6_qkW_PzDiKYCdyNfHUgkSEA-LiYFws6PkreD6DAr8pon1ktecbhN0t4FGla9vYE9a11rRFC8IWt3ONpzQSigxEuKYWI-kLCfmUi591qP2V6gBDlLGzpQ8hDO_SWQJzHPiQUadXNj\/s16000\/CLRCreateInstance%2520%28Source%2520-%2520GitHub%29.webp?ssl=1\")
CLRCreateInstance<\/code> and ICLRMetaHost::GetRuntime<\/code> to spawn a new .NET runtime within the same process, then loads an obfuscated<\/a> .NET assembly into an AppDomain<\/code>.<\/p>\nPersistence of this execution chain<\/strong><\/h2>\n
_Type.InvokeMember<\/code> method to execute a specific entry point method inside that assembly, which in turn spawns InstallUtil.exe<\/code> in a suspended state.<\/p>\nWriteProcessMemory<\/code> calls before changing the memory protection back to PAGE_EXECUTE_READ<\/code> with VirtualProtectEx<\/code> and resuming execution.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiRsqnRYaE3dV_yAvJt1IQMy04-YaYQUWcJ9g6xvQZvrdmfdcUM1WZhKIuLHezV0cmvj6-bSYZhvapH6HqCxu0dd2qe2jPZ1OrLms5_LBVF6QOuVsSY7RDUL7F2r4dKBZi73E4Sh8PiU9YEfB20KvTPdkU1ZTUOdqSHbwgoV68AHAPsbA29Uma9y09iVzit\/s16000\/Remcos%2520RAT%2520ASCII%2520banner%2520%28Source%2520-%2520GitHub%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n