Palo Alto Networks has published an extensive malware analysis tutorial detailing the dissection of a sophisticated .NET-based threat that delivers the Remcos remote access trojan (RAT).
The malware’s emergence highlights a trend in which threat actors increasingly abuse legitimate development environments and tools—such as the Microsoft .NET runtime—to execute complex, multi-stage infection campaigns.
This particular sample demonstrates an elevated level of evasion capability, including managed-to-unmanaged code transitions, runtime API resolution, and process injection against benign executables.
The attack chain begins with a seemingly innocuous .NET executable, obfuscated to conceal its intent. This initial loader retrieves an online payload masquerading as a PDF from a compromised Bitbucket repository.
Instead of document data, the file contains Donut-generated shellcode designed to execute directly in memory. By avoiding disk writes, the attackers significantly reduce the risk of detection by traditional antivirus engines that rely on static signature scanning.
Palo Alto Networks analysts identified the sample during a targeted threat hunting operation and noted its ability to transition execution between different runtime environments, a hallmark of advanced intrusion techniques.
Once downloaded, the payload undergoes a simple ASCII-hexadecimal decoding routine to reconstruct the actual shellcode.
The loader uses .NET’s interop services to invoke native Windows API calls dynamically, allocating executable memory with VirtualAlloc before copying the decoded payload into it.
This combination of obfuscated managed code and late-bound unmanaged calls complicates static analysis, while also bypassing many heuristics that flag suspicious imports.
Palo Alto Networks researchers noted that this deliberate API resolution at runtime allowed the attacker to omit sensitive imports from the Portable Executable (PE) header, further evading static detection.
From a technical standpoint, the payload’s sophistication is evident when examining the in-memory AMSI and ETW bypass routines.
In-memory AMSI and ETW bypass routines (Source – GitHub)
AMSI functions such as AmsiScanBuffer are patched directly in memory with instructions that force them to always return AMSI_RESULT_CLEAN.
A representative snippet illustrates this patching mechanism:-
byte[] patch = { 0x33, 0xC0, 0xC2, 0x18, 0x00 }; // xor eax,eax; ret 0x18
Marshal.Copy(patch, 0, amsiScanBufferPtr, patch.Length);
This ensures that even if security tools hook these functions, malicious buffers will appear harmless.
Similarly, calls to EtwEventWrite are replaced with a single ret instruction, effectively blinding Event Tracing for Windows, which many endpoint detection products use to correlate malicious behaviors.
One of the most technically intriguing aspects of the infection mechanism is its creation of a Common Language Runtime (CLR) instance from unmanaged shellcode.
CLRCreateInstance (Source – GitHub)
After disabling defensive hooks, the shellcode uses CLRCreateInstance and ICLRMetaHost::GetRuntime to spawn a new .NET runtime within the same process, then loads an obfuscated .NET assembly into an AppDomain.
Persistence of this execution chain
The final stage leverages the _Type.InvokeMember method to execute a specific entry point method inside that assembly, which in turn spawns InstallUtil.exe in a suspended state.
The persistence of this execution chain relies heavily on process injection. The malicious assembly writes a decrypted Remcos payload into the suspended process’s memory via multiple WriteProcessMemory calls before changing the memory protection back to PAGE_EXECUTE_READ with VirtualProtectEx and resuming execution.
This multi-chunk injection method may help evade memory scanners designed to detect large, contiguous malicious allocations.
While the dynamic analysis, conclusively shows the Remcos RAT ASCII banner embedded in the injected executable, confirming the campaign’s end goal.
Remcos RAT ASCII banner (Source – GitHub)
By walking readers through every stage from initial obfuscation to final payload activation, Palo Alto Networks’ tutorial not only dissects a live threat but also arms analysts with repeatable techniques for dissecting complex, hybrid-runtime malware.
This release stands out as both a detailed forensic walkthrough and a practical lab guide, making it a valuable resource for reverse engineers confronting threats that blend managed code obfuscation with native API exploitation in modern attack chains.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com