Hacker's Magic: How Attackers Turn Ordinary Text into a Virus Right in Your Computer's Memory

We explore the SHADOW#REACTOR attack, which leaves no trace behind.

Attackers have launched a new campaign using a multi-stage infection scheme aimed at delivering Remcos RAT malware—a remote management tool that allows covert control of a compromised device. Security researchers at Securonix, who discovered the attack, gave it the codename SHADOW#REACTOR. It is notable for its combination of stealthy delivery mechanisms and a persistent evasion scheme.
The infection scenario is built on the sequential execution of several components, each disguised and interacting with other links in the chain. It all starts with the launch of a hidden Visual Basic script, executed via the standard Windows system component—wscript.exe.
This script activates a PowerShell loader, which contacts an external server for parts of the payload delivered as plain text. The segments are merged in memory and transformed into an encoded loader. This loader is then executed via a protected .NET-based component and is used to retrieve the configuration for Remcos RAT from a remote resource.
The final stage employs the legitimate system tool MSBuild.exe, known as a popular LOLBin (Living-Off-the-Land Binary), allowing it to bypass security mechanisms by leveraging the operating system's own built-in tools. As a result, all malware components are deployed on the system without the need to save executable files in plain sight.
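The wscript.exe → PowerShell → MSBuild.exe chain described above is visible in process-creation telemetry even when nothing is written to disk. The following is an added detection example, not code from the article or from Securonix; the event tuples are constructed Sysmon-style (pid, ppid, image) records and the helper names are my own.

```python
# Added example (not from the article or Securonix): flag a SHADOW#REACTOR-style
# LOLBin chain, wscript.exe -> powershell.exe -> MSBuild.exe, in process-creation logs.

# Constructed Sysmon-style process-creation events: (pid, ppid, image path).
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe"),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    # Benign developer build: MSBuild spawned by Visual Studio, not by a script host.
    (500, 100, r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    (600, 500, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
]

# The chain the article describes, from outermost ancestor to the final child.
SUSPICIOUS_CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")

def image_name(path):
    """Lower-cased file name of an image path (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Image names from the given process up to the root, child first."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # guard against cyclic ppid data
        seen.add(pid)
        ppid, img = by_pid[pid]
        names.append(image_name(img))
        pid = ppid
    return names

def find_lolbin_chains(events, chain=SUSPICIOUS_CHAIN):
    """Pids of processes whose lineage contains the chain in order.

    Matching is by subsequence, so intermediate helpers (for example a
    cmd.exe hop between the stages) do not hide the chain.
    """
    hits = []
    for pid, _, img in events:
        if image_name(img) != chain[-1]:
            continue
        lineage = list(reversed(ancestry(events, pid)))  # root ... leaf
        it = iter(lineage)
        if all(any(step == name for name in it) for step in chain):
            hits.append(pid)
    return hits

if __name__ == "__main__":
    print(find_lolbin_chains(SAMPLE_EVENTS))  # [400]
```

MSBuild.exe launched by Visual Studio (pid 600) is not flagged; only the instance whose lineage runs back through PowerShell to wscript.exe is.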
According to experts, this campaign is not highly targeted; rather, it appears to follow a mass, opportunistic approach. The primary targets are corporate networks and the infrastructure of small and medium-sized businesses. The tactics used in the attack are characteristic of so-called initial access brokers, who specialize in establishing persistent footholds and subsequently selling them to other criminal groups. At the same time, no signs linking it to known threat groups have been identified.
A distinctive feature of this scheme is its reliance on intermediate text files and the reuse of PowerShell scripts to build loaders directly in RAM. This complicates the analysis and detection process. The components are protected using the .NET Reactor mechanism, which further hinders the study of the malicious code.
The initial script is presumably triggered by user interaction with a malicious link. After a text file is downloaded to the system's temporary directory, a PowerShell script checks its size and integrity. If the data is incomplete, the process is paused and a re-download is initiated. This check helps avoid execution interruptions due to incomplete or corrupted files, making the entire scheme more resilient.
If the conditions are met, the next PowerShell script is assembled. It is responsible for invoking the .NET loader, retrieving the next stage of malware, and checking for the presence of a virtual environment or debugger. This approach allows the malware to remain undetected for longer.
Additionally, during the attack, auxiliary scripts are added, responsible for restarting the initial component and maintaining control over the system. According to specialists, the authors of the scheme have intentionally built a modular infrastructure, making the payload flexible, difficult to classify, and less vulnerable to static analysis.
The SHADOW#REACTOR campaign demonstrates a high degree of sophistication: from leveraging built-in Windows tools to constantly monitoring the correct execution of each stage. This makes it a serious threat to organizations, especially in environments with insufficient endpoint protection.