Palo Alto Networks has published an extensive malware analysis tutorial detailing the dissection of a sophisticated .NET-based threat that delivers the Remcos remote access trojan (RAT).

The malware's emergence highlights a trend in which threat actors increasingly abuse legitimate development environments and tools, such as the Microsoft .NET runtime, to execute complex, multi-stage infection campaigns. This particular sample demonstrates an elevated level of evasion capability, including managed-to-unmanaged code transitions, runtime API resolution, and process injection into benign executables.

The attack chain begins with a seemingly innocuous .NET executable, obfuscated to conceal its intent. This initial loader retrieves a payload masquerading as a PDF from a compromised Bitbucket repository. Instead of document data, the file contains Donut-generated shellcode designed to execute directly in memory. Because the shellcode is never written to disk, file-based antivirus engines that rely on static signature scanning have nothing to inspect.

Palo Alto Networks analysts [identified](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Mega-Malware-Analysis-Tutorial-Featuring-Donut.pdf) the sample during a targeted threat hunting operation and noted its ability to transition execution between different runtime environments, a hallmark of advanced intrusion techniques.

Once downloaded, the payload undergoes a simple ASCII-hexadecimal decoding routine to reconstruct the actual shellcode. The loader uses .NET's interop services to invoke native Windows API calls dynamically, allocating executable memory with `VirtualAlloc` before copying the decoded payload into it. This combination of obfuscated managed code and late-bound unmanaged calls complicates static analysis and bypasses many heuristics that flag suspicious imports: because the APIs are resolved at runtime, Palo Alto Networks researchers noted, the attacker could omit sensitive imports from the Portable Executable (PE) import table, further evading static detection.

From a technical standpoint, the payload's sophistication is evident in its in-memory AMSI and ETW bypass routines.

[Image: In-memory AMSI and ETW bypass routines (Source: GitHub)]

AMSI functions such as `AmsiScanBuffer` are overwritten at their entry point with a stub that returns immediately with EAX cleared (S_OK) without ever scanning the buffer, so no caller receives a malicious verdict and every buffer is treated as `AMSI_RESULT_CLEAN`. A representative snippet from the tutorial illustrates the patching mechanism:

```csharp
using System.Runtime.InteropServices;

// 33 C0    xor eax,eax  -> return S_OK, the buffer is never scanned
// C2 18 00 ret 0x18     -> pop the six 4-byte stdcall arguments of 32-bit AmsiScanBuffer
byte[] patch = { 0x33, 0xC0, 0xC2, 0x18, 0x00 };
Marshal.Copy(patch, 0, amsiScanBufferPtr, patch.Length); // the code page must already be writable
```

Two caveats apply to this snippet. The `ret 0x18` is the 32-bit stdcall epilogue for `AmsiScanBuffer`'s six arguments; in a 64-bit process the same bytes would unbalance the caller's stack, so an x64 stub ends in a plain `ret`. And `Marshal.Copy` faults unless the code page has first been made writable with `VirtualProtect`, a step the snippet omits. Because the overwrite lands on the function's entry point, it also displaces any inline hook an EDR placed there, so even hooked copies of the function stop producing verdicts.

Similarly, the entry of `EtwEventWrite` is overwritten with a single `ret` instruction (0xC3), effectively blinding Event Tracing for Windows, which many endpoint detection products use to correlate malicious behaviors, including the CLR's own runtime events.

One of the most technically intriguing aspects of the infection mechanism is its creation of a Common Language Runtime (CLR) instance from unmanaged shellcode.

[Image: CLRCreateInstance (Source: GitHub)]

After disabling defensive hooks, the shellcode uses `CLRCreateInstance` and `ICLRMetaHost::GetRuntime` to obtain a .NET runtime host within the same process, then loads an [obfuscated](https://cybersecuritynews.com/highly-obfuscated-net-sectoprat/) .NET assembly into an `AppDomain`.

**Persistence of this execution chain**

The final stage leverages the `_Type.InvokeMember` method to execute a specific entry point method inside that assembly, which in turn spawns `InstallUtil.exe` in a suspended state. The rest of this execution chain relies heavily on process injection into that suspended process.
The malicious assembly writes the decrypted Remcos payload into the suspended process's memory via multiple `WriteProcessMemory` calls, then changes the region's protection to `PAGE_EXECUTE_READ` with `VirtualProtectEx` and resumes execution. Splitting the payload across many small writes rather than one large call may help evade detections that key on a single `WriteProcessMemory` carrying a complete PE image; the destination is still one contiguous region, so memory scanners that walk the executable regions of the target process can still find it.

Dynamic analysis conclusively shows the [Remcos RAT](https://cybersecuritynews.com/threats-delivering-remcos/) ASCII banner embedded in the injected executable, confirming the campaign's end goal.

[Image: Remcos RAT ASCII banner (Source: GitHub)]

By walking readers through every stage, from initial obfuscation to final payload activation, Palo Alto Networks' tutorial not only dissects a live threat but also arms analysts with repeatable techniques for dissecting complex, hybrid-runtime [malware](https://cybersecuritynews.com/chatgpt-powered-malware-analysis/).

This release stands out as both a detailed forensic walkthrough and a practical lab guide, making it a valuable resource for reverse engineers confronting threats that blend managed code obfuscation with native API abuse in modern attack chains.

The post [Palo Alto Networks Released A Mega Malware Analysis Tutorials Useful for Every Malware Analyst](https://cybersecuritynews.com/palo-alto-networks-released-a-mega-malware-analysis-tutorials/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
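The injection sequence described above (suspended `InstallUtil.exe`, many small `WriteProcessMemory` calls, `VirtualProtectEx` to `PAGE_EXECUTE_READ`, resume) is easier to catch as a correlated sequence than as any single call. The detector below is an added example, not code from the Unit42 tutorial or from the malware. It walks a user-mode API trace of the kind a sandbox or EDR emits, coalesces adjacent writes into one region, and raises one finding when that region was filled in several chunks, made executable afterwards, and the process was then resumed. The event layout, field names, pids and addresses are assumptions made for this example, and the trace is hand-constructed rather than captured.

```python
"""Added example (not code from the Unit42 tutorial or from the malware): correlate
a constructed user-mode API trace into one 'chunked injection into a suspended
process' finding. Event layout, field names, pids and addresses are assumptions."""

from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
EXEC_PROTECTS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


def merge_ranges(ranges):
    """Coalesce (start, end) byte ranges that touch or overlap."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def find_chunked_injection(events, min_chunks=2):
    """One finding per contiguous region that was (1) written by >= min_chunks
    WriteProcessMemory calls into a process created CREATE_SUSPENDED, (2) then made
    executable by VirtualProtectEx, and (3) followed by ResumeThread, in that order."""
    suspended, resumed = set(), {}
    writes = defaultdict(list)        # target pid -> [(start, end, event index)]
    exec_regions = defaultdict(list)  # target pid -> [(start, end, event index)]
    for i, ev in enumerate(events):
        api, a = ev["api"], ev["args"]
        if api == "CreateProcessW" and a["flags"] & CREATE_SUSPENDED:
            suspended.add(a["child_pid"])
        elif api == "WriteProcessMemory":
            writes[a["pid"]].append((a["addr"], a["addr"] + a["size"], i))
        elif api == "VirtualProtectEx" and a["new_protect"] in EXEC_PROTECTS:
            exec_regions[a["pid"]].append((a["addr"], a["addr"] + a["size"], i))
        elif api == "ResumeThread":  # assumes the tracer resolved the thread handle to a pid
            resumed[a["pid"]] = i

    findings = []
    for pid in sorted(suspended & set(resumed)):
        for start, end in merge_ranges([(s, e) for s, e, _ in writes[pid]]):
            chunks = [w for w in writes[pid] if start <= w[0] < end]
            last_write = max(idx for _, _, idx in chunks)
            protect_idx = next((idx for s, e, idx in exec_regions[pid]
                                if s <= start and end <= e and idx > last_write), None)
            if len(chunks) >= min_chunks and protect_idx is not None and resumed[pid] > protect_idx:
                findings.append({"pid": pid, "region": (start, end), "chunks": len(chunks),
                                 "bytes": end - start,
                                 "technique": "chunked WriteProcessMemory into suspended process, "
                                              "then PAGE_EXECUTE_* and ResumeThread"})
    return findings


def constructed_trace():
    """Hand-built trace (constructed, not captured) mirroring the described chain:
    InstallUtil.exe started suspended, payload written in 0x1000-byte chunks, region
    flipped to PAGE_EXECUTE_READ, main thread resumed. VirtualAllocEx is included for
    realism; the detector does not need it."""
    t = [{"api": "CreateProcessW",
          "args": {"image": "InstallUtil.exe", "flags": CREATE_SUSPENDED, "child_pid": 4312}},
         {"api": "VirtualAllocEx",
          "args": {"pid": 4312, "addr": 0x400000, "size": 0x6000, "protect": PAGE_READWRITE}}]
    for k in range(6):  # six adjacent chunks instead of one 0x6000-byte write
        t.append({"api": "WriteProcessMemory",
                  "args": {"pid": 4312, "addr": 0x400000 + k * 0x1000, "size": 0x1000}})
    t.append({"api": "VirtualProtectEx",
              "args": {"pid": 4312, "addr": 0x400000, "size": 0x6000, "new_protect": PAGE_EXECUTE_READ}})
    t.append({"api": "ResumeThread", "args": {"pid": 4312}})
    # Benign noise: one small write into a process that was never suspended or made executable.
    t.append({"api": "WriteProcessMemory", "args": {"pid": 5000, "addr": 0x7FF600001000, "size": 0x10}})
    return t


if __name__ == "__main__":
    for finding in find_chunked_injection(constructed_trace()):
        print(finding)
```

The ordering check (writes, then the protection change, then the resume) is what keeps a debugger attaching to an already-running process, or a loader that writes a single block, from matching; lowering `min_chunks` to 1 turns this into a generic suspended-process injection rule at the cost of more noise.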
Related Tags:
- NAICS: 334 – Computer And Electronic Product Manufacturing
- NAICS: 541 – Professional, Scientific, Technical Services
- NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services
- NAICS: 33 – Manufacturing – Metal, Electronics And Other
- NAICS: 51 – Information
- Blog: Cybersecurity News
- Remcos
- Impair Defenses: Indicator Blocking
- Impair Defenses