The New Face of Remcos: Path Bypass and Masquerading

Since last year and well into this year, Remcos malware campaigns have stayed very active, continually morphing to stay hidden. Attackers usually send phishing emails carrying malicious files such as shortcuts, scripts or documents.
When a victim opens the file, it quietly drops the Remcos program and hides it in new folders whose names resemble legitimate Windows system folders on the PC. Once installed, Remcos lets the attackers control the PC, steal passwords and record keystrokes. The malware keeps a backdoor open by setting up scheduled tasks or other sneaky tricks, so the attackers stay on the system for a long time without being detected.
In this recent campaign, a common and effective Remcos attack uses hacked real email accounts, often from small businesses or schools, to avoid being flagged as suspicious. The emails distribute malicious Windows shortcut (LNK) files, typically concealed within compressed archive attachments. These attack chains later create a spoofed Windows directory by leveraging path-parsing bypass techniques, such as prefixing the path with the NT namespace identifier “\\?\”.
Fig. 1 - Remcos attack chain
Email Analysis
Fig. 2 - Malicious email
Customers are targeted with emails sent from compromised accounts, carrying a .lnk shortcut embedded in a TAR file.
LNK Analysis:
The LNK file contains embedded PowerShell code and a long stream of random data, which increases its file size. The PowerShell script downloads a .dat file containing an EXE in Base64 format, decodes it, and then drops the resulting executable with a .pif extension into C:\ProgramData.
Fig. 3 - PowerShell code
EXE Analysis:
The EXE is built with the Borland Delphi compiler and has its resources packed. It uses a PDF icon to look like a document, but it is saved with a .pif extension, an odd and rarely used shortcut file type.
When the EXE runs, it makes a copy of itself, creates a .URL shortcut file and drops four .cmd batch files to carry out further activity and maintain persistence. These batch files are heavily obfuscated, using special symbols such as %% and adding meaningless Arabic or Japanese text. This technique is designed to bypass common antivirus detection methods.
Fig. 4 - Obfuscated .BAT file
When the batch files are deobfuscated, the underlying malicious commands become clear, as detailed in the table below:

| Dropped .BAT file | De-obfuscated suspicious code |
| --- | --- |
| Bat1 (4-digit-random-number.cmd) | "C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o". The batch file leverages the native Windows utility esentutl to copy cmd.exe to an unusual location under a new name. This renamed instance of cmd.exe then creates a new directory designed to masquerade as C:\Windows\SysWOW64, with a subtle difference: an extra space inserted after "Windows", resulting in the path "C:\Windows \SysWOW64". |
| Bat2 (4-digit-random-number.cmd) | ping 127.0.0.1 -n 10 |
| Bat3 (3-digit-random-number.cmd) | "schtasks /create /sc minute /mo 10 /tn "Nsepijto" /tr C:\ProgramData\Nsepijto.url". This batch file sets up a scheduled task to maintain persistence. The task runs a .URL shortcut that triggers a copy of the original .pif file from a different location. |
| Neo.cmd | [InternetShortcut] |

Dropped .URL shortcut file code (created to be executed via the scheduler):

| Dropped .URL file | Contents |
| --- | --- |
| Nsepijto.url | [InternetShortcut] |
It tries to bypass Windows’ User Account Control (UAC) by changing a registry setting. Normally, UAC shows a secure popup to ask for permission before allowing important actions. It edits the PromptOnSecureDesktop registry value, setting it to 1. This weakens UAC, making the prompt less strict so that it can run with higher privileges without the user seeing the usual secure prompt.
What is \\?\C:\Windows\SysWow64?
“\\?\” is an NT Object Manager path prefix used in the Windows API. It allows access to file and directory paths by bypassing normal path normalization and parsing rules (such as length limits or invalid character checks). This technique is sometimes used by malware to bypass security tools that expect standardized paths.
SysWOW64 is a legitimate Windows system directory. In this case, the Remcos malware tries to create a spoofed directory named “C:\Windows \SysWOW64” (with an added space) using the “\\?\” prefix. This allows the malware to mimic or ‘masquerade’ as a trusted Windows directory, making it harder for security tools and analysts to detect. By copying itself into this fake path, it significantly increases its chance of evasion and persistence.
Fig. 5 - Directory created masquerading as "C:\Windows \"
Observed Command:
cmd.exe /c mkdir "\\?\C:\Windows \SysWOW64"
Fig. 6 - File creation attempt log
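From the defender's side, the behaviours in the batch-file table above (esentutl copying cmd.exe, a scheduled task pointing at a .url file, the PromptOnSecureDesktop change) and the "\\?\" directory trick just described all leave process command lines that can be matched with simple rules. The script below is an added example written for this page, not Forcepoint's tooling and not code from the post. The "pid|image|cmdline" event layout, the rule names and SAMPLE_EVENTS are constructed; the esentutl, mkdir and schtasks command lines are the ones reported on this page, while the reg command is constructed from the registry value name the post mentions and is only an assumed form of that change.

```python
"""Detection logic for the Remcos chain on this page: esentutl copying cmd.exe
under a new name, schtasks pointing at a .url trigger, tampering with the
PromptOnSecureDesktop value, and mkdir through the \\?\ prefix with a
trailing-space path component (the "C:\Windows \SysWOW64" masquerade).

Added example, not Forcepoint code. The event layout "pid|image|cmdline",
the rule names and SAMPLE_EVENTS are constructed for illustration."""
import re
from dataclasses import dataclass

# The Win32 "\\?\" prefix as a Python string (backslash, backslash, ?, backslash).
VERBATIM_PREFIX = "\\\\?\\"
# Double-quoted argument or bare whitespace-delimited argument.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Drive-letter path, optionally carrying the "\\?\" prefix.
PATH_RE = re.compile(r'^(\\\\\?\\)?[A-Za-z]:\\')


@dataclass
class Finding:
    rule: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def strip_verbatim_prefix(path: str) -> tuple[str, bool]:
    """Return (path without the \\?\ prefix, whether the prefix was present)."""
    if path.startswith(VERBATIM_PREFIX):
        return path[len(VERBATIM_PREFIX):], True
    return path, False


def odd_components(path: str) -> list[str]:
    """Path components ending in a space or period. Normal Win32 path parsing
    strips these, which is why the page's folder needs the \\?\ prefix;
    'Windows ' (trailing space) is the masquerade described above."""
    bare, _ = strip_verbatim_prefix(path)
    return [c for c in bare.split("\\") if c and c != c.rstrip(" .")]


def analyze_cmdline(cmdline: str) -> list[Finding]:
    """Apply the four rules to one process command line."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    lower = [t.lower() for t in toks]
    image = lower[0].rsplit("\\", 1)[-1]  # executable name without its directory
    findings: list[Finding] = []

    def arg_after(flag: str) -> str:
        """Argument following a switch such as /y, or '' if absent."""
        if flag in lower and lower.index(flag) + 1 < len(toks):
            return toks[lower.index(flag) + 1]
        return ""

    # Rule 1: esentutl /y <src> /d <dst> abused to copy cmd.exe under another name.
    if image in {"esentutl", "esentutl.exe"} and arg_after("/y").lower().endswith("cmd.exe"):
        findings.append(Finding("esentutl_copy_cmd", f"{arg_after('/y')} -> {arg_after('/d')}"))
    # Rule 2: a scheduled task whose action is a .url file (page: Nsepijto.url).
    if image in {"schtasks", "schtasks.exe"} and "/create" in lower and arg_after("/tr").lower().endswith(".url"):
        findings.append(Finding("schtasks_url_trigger", arg_after("/tr")))
    # Rule 3: reg.exe touching the UAC secure-desktop policy value named on the page.
    if image in {"reg", "reg.exe"} and "promptonsecuredesktop" in lower:
        findings.append(Finding("uac_secure_desktop_tamper", cmdline))
    # Rule 4: any path argument using \\?\ and/or a trailing-space/period component.
    for tok in toks:
        if not PATH_RE.match(tok):
            continue
        _, prefixed = strip_verbatim_prefix(tok)
        odd = odd_components(tok)
        if prefixed and odd:
            findings.append(Finding("verbatim_prefix_masquerade", f"{tok} components={odd}"))
        elif prefixed:
            findings.append(Finding("verbatim_prefix_path", tok))
        elif odd:
            findings.append(Finding("trailing_space_component", f"{tok} components={odd}"))
    return findings


# Constructed process-creation events "pid|image|command line". The esentutl,
# mkdir and schtasks lines are the ones reported on this page; the reg line is
# an assumed form of the PromptOnSecureDesktop change; pid 4300 is benign.
SAMPLE_EVENTS = [
    r"4120|esentutl.exe|C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o",
    r'4188|cmd.exe|cmd.exe /c mkdir "\\?\C:\Windows \SysWOW64"',
    r'4200|schtasks.exe|schtasks /create /sc minute /mo 10 /tn "Nsepijto" /tr C:\ProgramData\Nsepijto.url',
    r"4250|reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f",
    r'4300|cmd.exe|cmd.exe /c mkdir "C:\Users\Public\Reports"',
]


def scan_events(lines: list[str]) -> dict[str, list[str]]:
    """Map pid -> triggered rule names for every event that fired a rule."""
    hits: dict[str, list[str]] = {}
    for line in lines:
        pid, _image, cmdline = line.split("|", 2)
        rules = [f.rule for f in analyze_cmdline(cmdline)]
        if rules:
            hits[pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in scan_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 4 is the one that catches the directory masquerade on its own: it does not need a signature for the folder name, only the combination of the "\\?\" prefix with a component that Win32 path normalization would otherwise refuse to keep, so the benign mkdir in pid 4300 produces no hit while the one in pid 4188 does.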
This main exe (.pif file) then performs process injection into the legitimate Windows system file SndVol.exe, which is responsible for controlling and adjusting audio volume and settings.
It connects to a C2 server domain hosted on OVHcloud, 5y9pfu[.]missileries-fenagle[.]yelocom[.]com, using the unusual port 32583 for its communication.
Fig. 7 - C2 connection via legitimate process
- It checks if the infected computer has an active internet connection.
- It can also look at the system language to guess the victim’s country or region.
- It even checks the country code set in the Windows registry to help target certain areas.
Once it’s fully running, Remcos gives attackers complete control of the PC.
That lets them do harmful things like stealing passwords, taking screenshots, copying important files and more.
Conclusion:
This Remcos campaign shows how malware can hide itself by pretending to be a trusted program. It uses shortcuts, disguised .pif files, and sneaky path tricks like “\\?\” to create fake but convincing Windows folders. By adding spaces and special paths, it masks itself to look like legitimate system files. Once inside, it can run quietly, making it harder for defenders to spot. Remcos malware proves that hackers are getting better at blending seamlessly with everyday files and processes in order to hide their true intentions. To stay safe, it’s important to watch for odd shortcuts, strange paths and subtle folder name changes. In this new era, being alert and looking closer is the best defence.
Protection statement:
Forcepoint customers are protected against this threat at the following stages of attack:
- Lure – Malicious PDF attachments associated with these attacks are identified and blocked by email security analytics.
- Dropper File – The dropper files are added to the Forcepoint malicious database and are blocked.
- Call Home – C2 domains are categorized under the security category and blocked.
IOCs:
URLs:
- siraco[.]net/acheck3.dat
C2:
- 5y9pfu[.]missileries-fenagle[.]yelocom[.]com
Hashes:
- 25591e9139b1c93e10ee2f22b86abb6da98785db - TAR
- d14ffa3b95ae110794c1932581a0c3a0030521d4 - LNK
- 647fa7a36ec8d553c7b431acfb74cb55b475fa0e - EXE
- bc7172dec0b12b05f2247bd5e17751eb33474d4e - BAT
- 61fdc4135afdc99e106912aeafeac9c8a967becc - BAT
- 6235b00643e324ac5fea07f9adae9f2a0db56b99 - BAT
Mayur Sewani
Mayur serves as a Senior Security Researcher as part of the Forcepoint X-Labs Research Team. He focuses on APT malwares, information stealers, phishing attacks, and also works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.
