Full Report
Table of Contents:
- Introduction
- Infection Chain
- Process Tree
- Campaign 1: Persistence, BATCH files, PowerShell script, Loader, XWorm/Remcos
- Campaign 2
- Conclusion
- IOCs
- Detections
- MITRE ATT&CK TTPs

Introduction: Recent threat campaigns have revealed an evolving use of BAT-based loaders to deliver Remote Access Trojans, including XWorm and Remcos. These campaigns often begin […]

The post Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Tool/Technique: XWorm and Remcos RATs (Delivered via BAT Loader)
## Overview
This summary details a malware campaign utilizing highly obfuscated Batch (BAT) scripts, often delivered via email attachments (.EML) or downloaded from Content Delivery Networks (CDNs) like ImageKit, to ultimately deploy Remote Access Trojans (RATs), specifically XWorm and Remcos. The execution leverages fileless techniques via PowerShell to inject payloads directly into memory.
## Technical Details
- Type: Malware Family (RATs) & Execution Framework (BAT/PowerShell Loader)
- Platform: Windows
- Capabilities: Remote Administration, Keylogging, Data Exfiltration, Fileless Execution via Memory Injection.
- First Seen: Article dated 11 September 2025 (Contextual date from the source).
## MITRE ATT&CK Mapping
The primary focus is on the loader and execution chain:
- [T1566 - Phishing]
- [T1566.001 - Spearphishing Attachment] (EML/ZIP attachments and SVG lures carrying embedded JavaScript; the vector described is email delivery, not a drive-by web compromise)
- [T1105 - Ingress Tool Transfer] (later stages fetched from CDNs such as ImageKit)
- [T1204 - User Execution]
- [T1204.002 - Malicious File]
- [T1059 - Command and Scripting Interpreter]
- [T1059.003 - Windows Command Shell] (For BAT script execution)
- [T1059.001 - PowerShell]
- [T1027 - Obfuscated Files or Information]
- [T1140 - Deobfuscate/Decode Files or Information]
- [T1055 - Process Injection] (in-memory payload injection; the report does not identify a specific injection sub-technique)
- [T1620 - Reflective Code Loading] (payload decoded and executed in memory by PowerShell rather than written to disk)
- [T1562.001 - Impair Defenses: Disable or Modify Tools] (AMSI and ETW patched via .NET reflection)
- [T1547 - Boot or Logon Autostart Execution]
- [T1547.001 - Registry Run Keys / Startup Folder] (For persistence)
- [T1071 - Application Layer Protocol]
- [T1071.001 - Web Protocols] (Implied C2 within RATs)
- [T1219 - Remote Access Software] (listed for the RATs' remote-control capability; strictly, T1219 covers legitimate remote-administration tools rather than malware)
- [T1056 - Input Capture]
- [T1056.001 - Input Capture: Keylogging] (XWorm feature)
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities (Loader & Execution)
- **Initial Delivery:** Delivered via ZIP archives, EML attachments, or linked from CDNs/SVG files embedding malicious JavaScript.
- **Obfuscation:** BAT scripts are heavily obfuscated, with Base64-encoded and encrypted stages hidden inside comment lines so that static inspection of the visible commands reveals little.
- **Fileless Execution:** PowerShell is used to decode and execute payloads directly in memory (`iex`), avoiding writing final malicious executables to disk (except for the initial BAT/loader script).
- **Security Control Disabling:** The PowerShell stage actively disables AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) using .NET reflection to patch native functions like `AmsiInitialize`.
### Advanced Features (RAT Payloads - XWorm/Remcos)
- **Remote Access:** XWorm provides full remote access and control capabilities.
- **Credential Theft:** Includes keylogging functionality (`T1056.001`) to steal user credentials.
- **Data Exfiltration:** Stolen information can be exfiltrated over the established Command and Control channel (`T1041`).
- **Persistence:** Established by creating malicious BAT files within the Windows Startup folder.
## Indicators of Compromise
- File Hashes (MD5):
- BAT: `EDA018A9D51F3B09C20E88A15F630DF5`
- Malicious JS: `23E30938E00F89BF345C9C1E58A6CC1D`
- LOADER: `1CE36351D7175E9244209AE0D42759D9`
- XWORM Payloads: `EC04BC20CA447556C3BDCFCBF6662C60`
- REMCOS Payloads: `D439CB98CF44D359C6ABCDDDB6E85454`
- File Names: Malicious BAT scripts, script named `aoc.bat` in the user profile directory.
- Registry Keys: none named. Persistence is a BAT file dropped into the per-user Startup folder, which is a file-system location rather than a Run key, so hunt the Startup directory instead of the registry.
- Network Indicators: none named in the IOC section; only the RATs' C2 capability is described.
- Behavioral Indicators: Execution of PowerShell with arguments utilizing `-nop`, `-w hidden`, and `iex`; process dynamically resolving Windows APIs (`GetProcAddress`, `VirtualProtect`) via .NET reflection.
## Associated Threat Actors
Threat actors utilizing evolving BAT-based loaders to deliver XWorm and Remcos (Specific named groups were not mentioned in the provided text snippet).
## Detection Methods
- Signature-based detection:
- Trojan.LoaderCiR
- Trojan.GenericFC.S29960909
- Behavioral detection: Monitoring for PowerShell execution that downloads content, executes from memory (`iex`), or attempts to dynamically resolve system APIs or patch security interfaces (AMSI/ETW).
- YARA rules: Not explicitly provided.
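As an added triage example (not Seqrite's code and not part of the original report), the following Python applies the behavioral indicators from the IOC section and the behavioral-detection bullet above to constructed endpoint telemetry: Sysmon-style process-creation (EID 1) and file-creation (EID 11) records plus PowerShell script-block (EID 4104) text. The event field names, the `[Win32]` type in the sample script block, the Startup-folder path and every sample line are constructed assumptions; only the indicator names (`-nop`, `-w hidden`, `iex`, `GetProcAddress`, `VirtualProtect`, AMSI/ETW tampering, a `.bat` in the Startup folder) come from the page.

```python
"""Triage constructed endpoint telemetry for the BAT -> PowerShell -> RAT chain.
Added example, not Seqrite's code. Event shape and all sample lines are
constructed for illustration; the indicator names come from the report."""
import re
from dataclasses import dataclass

# Behavioural indicators named in the summary. PowerShell accepts parameter
# prefixes, so "-nop" and "-w hidden" are matched as well as the long forms.
PS_INDICATORS = {
    "noprofile":       re.compile(r"(?i)(?<!\S)-nop(rofile)?(?!\S)"),
    "hidden_window":   re.compile(r"(?i)(?<!\S)-w\w*\s+hidden(?!\S)"),
    "iex":             re.compile(r"(?i)(?<![\w-])(iex|invoke-expression)(?![\w-])"),
    "base64_decode":   re.compile(r"(?i)frombase64string"),
    "api_resolution":  re.compile(r"(?i)\b(getprocaddress|getmodulehandle|virtualprotect)\b"),
    "amsi_etw_tamper": re.compile(r"(?i)\b(amsi\w*|etweventwrite)\b"),
}
PS_IMAGE = re.compile(r"(?i)\\(powershell|pwsh)\.exe$")
# Persistence described on the page: a .bat dropped into the per-user Startup folder.
STARTUP_BAT = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$")


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    severity: str
    hits: tuple


def score_powershell(text: str):
    """Return (severity or None, list of matched indicator names) for a
    command line or script block. Reflection-based API resolution or any
    AMSI/ETW reference is rated high on its own; decode-and-iex is high;
    a lone -NoProfile is only low, since admins use it legitimately."""
    hits = [name for name, rx in PS_INDICATORS.items() if rx.search(text)]
    if "amsi_etw_tamper" in hits or "api_resolution" in hits or \
            ("iex" in hits and "base64_decode" in hits):
        severity = "high"
    elif "iex" in hits or len(hits) >= 2:
        severity = "medium"
    elif hits:
        severity = "low"
    else:
        severity = None
    return severity, hits


def triage(events):
    """Walk a list of event dicts and return Findings in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] == 1 and PS_IMAGE.search(ev["image"]):
            text = ev["command_line"]
        elif ev["event_id"] == 4104:
            text = ev["script_block"]
        elif ev["event_id"] == 11 and STARTUP_BAT.search(ev["target_filename"]):
            findings.append(Finding(i, "startup_folder_bat", "high", (ev["target_filename"],)))
            continue
        else:
            continue
        severity, hits = score_powershell(text)
        if severity:
            findings.append(Finding(i, "suspicious_powershell", severity, tuple(hits)))
    return findings


# Constructed sample telemetry (not captured data). The base64 blob decodes
# to the harmless string "Start-Sleep 1".
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\victim\aoc.bat"'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -w hidden -c "iex ([Text.Encoding]::ASCII.GetString('
                     "[Convert]::FromBase64String('U3RhcnQtU2xlZXAgMQ==')))\""},
    {"event_id": 4104,  # [Win32] is an assumed P/Invoke wrapper type in the script
     "script_block": "$p=[Win32]::GetProcAddress([Win32]::GetModuleHandle('amsi.dll'),'AmsiInitialize');"
                     "[Win32]::VirtualProtect($p,[uint32]5,0x40,[ref]$o)"},
    {"event_id": 11,
     "target_filename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aoc.bat"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"event_id": 11, "target_filename": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_index}: {f.rule} {f.hits}")
```

Run against the constructed events, the hidden `-nop -w hidden ... iex FromBase64String` launch and the script block that resolves `GetProcAddress`/`VirtualProtect` against `amsi.dll` both rate high, the `.bat` written to the Startup folder is flagged as persistence, and the ordinary `-NoProfile -File` admin invocation rates only low, which is the distinction a rule has to preserve to stay deployable. The EID 4104 path matters most: once AMSI is patched, script-block logging is the remaining place where the decoded stage is visible.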
## Mitigation Strategies
- **User Awareness:** Educating users about suspicious email attachments (.EML), unexpected ZIP files, and distrusting content originating from benign-looking platforms (CDNs).
- **Content Inspection:** Implementing advanced email and web gateway inspection capable of analyzing JavaScript embedded within non-traditional containers like SVGs.
- **Endpoint Hardening:** Turn on PowerShell Script Block Logging and Module Logging so the decoded stages are recorded even when the on-disk BAT reveals nothing; keep AMSI providers and ETW consumers monitored for tampering; and use Endpoint Detection and Response (EDR) that flags reflective patching of AMSI/ETW from script hosts.
## Related Tools/Techniques
- XWorm (RAT)
- Remcos (RAT)
- Fileless execution via PowerShell/Reflective DLL loading techniques.
- Delivery via SVG embedded JavaScript.