A sophisticated new phishing campaign has emerged, leveraging obsolete Windows file formats and advanced evasion techniques to distribute the notorious Remcos Remote Access Trojan.
The attack chain employs DBatLoader as its primary delivery mechanism, utilizing a combination of User Account Control bypass methods, obfuscated scripts, and Living Off the Land Binaries abuse to establish persistent access to compromised systems.
The campaign begins with carefully crafted phishing emails containing malicious archives that house an executable named “FAKTURA,” designed to deploy DBatLoader onto target systems.
This multi-stage attack represents a concerning evolution in malware distribution techniques, as threat actors increasingly exploit legitimate Windows functionalities and outdated file formats to evade modern security solutions.
Any.Run analysts identified this campaign through comprehensive sandbox analysis, revealing the intricate methods employed by the malware to maintain stealth and persistence.
The researchers noted that the attack leverages Program Information Files (.pif), originally designed for configuring DOS-based programs in early Windows systems, as a disguise mechanism for malicious executables.
The implications of this campaign extend beyond individual infections, as the techniques demonstrated could be adapted and weaponized by other threat actors.
The sophisticated combination of UAC bypass, process injection, and scheduled task abuse creates a robust infection framework that challenges traditional detection methodologies and requires advanced behavioral analysis for identification.
Infection Mechanism and UAC Bypass Techniques
The core innovation of this campaign lies in its exploitation of .pif files and Windows folder name handling vulnerabilities.
The malicious alpha.pif file, functioning as a Portable Executable, circumvents User Account Control by creating deceptive directories such as “C:\Windows ” with trailing spaces.
This technique abuses the way Windows parses folder names with trailing spaces, allowing the malware to gain elevated privileges without triggering the standard UAC prompt.
The attack also uses a time-based evasion trick built on PING.EXE, running a command that pings the local loopback address (127.0.0.1) ten times.
While legitimate software uses ping for connectivity testing, DBatLoader repurposes it as an artificial delay, which helps it evade detection systems that only observe a sample for a short, fixed window.
For persistence, the malware establishes a scheduled task that triggers a Cmwdnsyn.url file, which subsequently launches the .pif dropper.
The campaign further employs BatCloak obfuscation for .cmd files and utilizes extrac32.exe to manipulate Windows Defender exclusion lists.
Once deployed, Remcos injects itself into trusted system processes including SndVol.exe and colorcpl.exe, varying its target processes across instances to blend seamlessly with legitimate system operations.
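The behaviours above (a mock trusted directory with a trailing space, a .pif executed from a user-writable path, a loopback-ping sleep, a scheduled task whose action is a .url or .pif, and extrac32.exe launched from a script interpreter) can be turned into simple process-creation detections. The following is an added example, not code from the article or from Any.Run; the sample events, the `stage2.exe` name and the task name are constructed placeholders.

```python
import re

# Constructed sample process-creation events, not real telemetry:
# (parent image, image path, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Users\u\Downloads\FAKTURA.exe", "FAKTURA.exe"),
    ("FAKTURA.exe", r"C:\Users\u\AppData\Local\Temp\alpha.pif", "alpha.pif"),
    ("alpha.pif", r"C:\Windows \System32\stage2.exe", "stage2.exe"),  # placeholder binary name
    ("cmd.exe", r"C:\Windows\System32\PING.EXE", "PING.EXE -n 10 127.0.0.1"),
    ("cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Upd /tr "C:\Users\u\AppData\Roaming\Cmwdnsyn.url" /sc minute'),
    ("cmd.exe", r"C:\Windows\System32\extrac32.exe", r"extrac32 /y C:\Users\u\AppData\Local\Temp\x.cab"),
    ("svchost.exe", r"C:\Windows\System32\SndVol.exe", "SndVol.exe"),          # benign
    ("cmd.exe", r"C:\Windows\System32\PING.EXE", "PING.EXE -n 1 8.8.8.8"),   # benign
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
PING_LOOPBACK = re.compile(r"-n\s+(\d+).*127\.0\.0\.1", re.IGNORECASE)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

def mock_trusted_dir(path):
    """True if any directory component carries trailing whitespace, e.g. 'C:\\Windows \\'."""
    return any(p != p.rstrip() for p in path.split("\\")[:-1])

def classify(parent, image, cmdline):
    """Return the list of rule names an event matches (empty for benign events)."""
    hits, img = [], image.lower()
    if mock_trusted_dir(image):
        hits.append("mock-trusted-directory")
    if img.endswith(".pif") and USER_WRITABLE.search(image):
        hits.append("pif-from-user-writable-path")
    m = PING_LOOPBACK.search(cmdline)
    if img.endswith("ping.exe") and m and int(m.group(1)) >= 5:
        hits.append("ping-loopback-sleep")
    if img.endswith("schtasks.exe") and re.search(r"\.(url|pif)\b", cmdline, re.I):
        hits.append("schtask-url-or-pif-action")
    # Low-confidence hunting lead: extrac32.exe is a LOLBin; a script host parent is unusual.
    if img.endswith("extrac32.exe") and parent.lower() in SCRIPT_HOSTS:
        hits.append("extrac32-from-script-host")
    return hits

def scan(events):
    """Map each flagged command line to the rules it triggered."""
    return {cmd: h for parent, image, cmd in events if (h := classify(parent, image, cmd))}

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):32} <- {cmd}")
```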
The post Hackers Use .PIF Files and UAC Bypass to Drop Remcos Malware on Windows appeared first on Cyber Security News.