Hackers Deliver Remcos Malware Via .pif Files and UAC Bypass in Windows


A sophisticated phishing campaign has emerged, distributing the notorious Remcos Remote Access Trojan (RAT) through the DBatLoader malware.

This attack chain, analyzed in ANY.RUN’s Interactive Sandbox, leverages a combination of User Account Control (UAC) bypass techniques, obfuscated scripts, Living Off the Land Binaries (LOLBAS) abuse, and persistence mechanisms to infiltrate systems undetected.

The campaign begins with a phishing email containing an archive, inside which lies a malicious executable named “FAKTURA.”

Once executed, this file deploys DBatLoader, setting the stage for a multi-layered assault on Windows systems.

What makes this attack particularly insidious is its use of outdated .pif (Program Information File) files, originally designed for configuring DOS-based programs in early Windows versions.

While obsolete for legitimate purposes, .pif files remain executable on modern Windows systems, allowing attackers to disguise their malicious payloads and execute them without triggering typical warning dialogs.
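A defender-side check for the .pif trick described above, added here as an example and not taken from the article or from ANY.RUN's analysis: it flags a .pif attachment, escalates when the bytes are really a PE executable (a genuine legacy PIF has no MZ/PE header) and notes double extensions such as "invoice.pdf.pif". The attachment names and byte contents are constructed for the demonstration.

```python
"""Triage e-mail attachments whose .pif extension may hide a PE executable."""
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(name: str, data: bytes) -> list:
    """Return the findings for one attachment, in escalating order (empty list = nothing seen)."""
    findings = []
    lower = name.lower()
    if not lower.endswith(".pif"):
        return findings
    findings.append("pif_extension")          # obsolete format, still executable on Windows
    stem = lower[:-4]
    if "." in stem and stem.rsplit(".", 1)[1].isalpha():
        findings.append("double_extension")    # e.g. invoice.pdf.pif, meant to look like a document
    if looks_like_pe(data):
        findings.append("pe_executable_content")  # a real legacy PIF never starts with MZ
    return findings


def scan_attachments(files: dict) -> dict:
    """Map attachment name -> findings for every attachment that produced at least one finding."""
    return {name: f for name, data in files.items() if (f := triage_attachment(name, data))}


def build_fake_pe() -> bytes:
    """Constructed bytes with just enough MZ/PE structure to trip the check; not a real program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset of the PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample mailbox: one decoy-named payload, one double-extension payload,
# one harmless text file and one stand-in for a legacy PIF without an MZ header.
SAMPLE_ATTACHMENTS = {
    "FAKTURA.pif": build_fake_pe(),
    "invoice.pdf.pif": build_fake_pe(),
    "notes.txt": b"plain text",
    "old_program.pif": b"\x00" * 0x171 + b"MICROSOFT PIFEX\x00",
}

if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

In a mail gateway the same logic would run over decompressed archive members, since the campaign ships the executable inside an archive rather than as a bare attachment.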

UAC Bypass and Evasion Tactics Unveiled

Delving deeper ...


Copyright of this story solely belongs to gbhackers.