DUBAI, DUBAI, UNITED ARAB EMIRATES, December 2, 2024 /EINPresswire.com/ -- The cybersecurity team at ANY.RUN has shared an in-depth look at PSLoramyra, an advanced fileless malware loader that uses PowerShell, VBS, and BAT scripts to break into systems, run malicious code directly in memory, and stay hidden. The analysis walks through the loader's behavior step by step, showing how it evades traditional detection, bypasses security controls, and maintains control of the host.

An Overview of PSLoramyra's Fileless Attack Techniques

The analysis by ANY.RUN reveals how PSLoramyra, a sophisticated fileless malware loader, uses PowerShell, VBS, and BAT scripts to deliver and execute payloads like Quasar RAT directly in memory, bypassing traditional detection methods.

Key Findings from the PSLoramyra Analysis

The research breaks down its infection chain, showing how it creates scheduled tasks for persistence and uses obfuscation techniques to stay hidden, giving cybersecurity professionals a closer look at how to tackle this type of threat:

· Fileless operation: PSLoramyra operates entirely in memory, leveraging PowerShell to execute malicious payloads, leaving minimal traces on disk and evading traditional detection methods.

· Multi-stage infection chain: The malware uses a combination of VBS, BAT, and PowerShell scripts, working together to deliver and execute payloads such as the Quasar RAT.

· Stealthy persistence: It ensures long-term access by creating a Task Scheduler task that runs every two minutes, executing its scripts without user awareness.

· Advanced obfuscation: The loader obfuscates payloads using hex-encoded strings and custom delimiters, making static analysis and detection more challenging for security tools.

· Key Indicators of Compromise (IOCs): Unique script names (roox.vbs, roox.bat, roox.ps1), command lines, and malicious domains provide valuable clues for identifying and mitigating the threat.
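
The persistence and IOC findings above lend themselves to a simple hunt on an endpoint. The following PowerShell script is an added example written for this summary; it is not ANY.RUN's code and not taken from the analysis. It enumerates scheduled tasks and flags any task whose action launches a script host on a repetition interval of two minutes or less (the schedule the analysis reports), or whose action references the roox.vbs, roox.bat, or roox.ps1 names. The list of script-host executables and the two-minute threshold are assumptions chosen for the example, and the built-in Get-ScheduledTask cmdlet is assumed to be available (Windows 8 / Server 2012 and later).

```powershell
# Added hunting example (not ANY.RUN's code): find scheduled tasks matching the
# persistence pattern described in the PSLoramyra analysis.

# Script interpreters the loader chain relies on. Assumption: the task action's
# Execute field names the binary directly.
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe')

# Script names quoted as IOCs in the analysis.
$KnownNames = @('roox.vbs', 'roox.bat', 'roox.ps1')

# Repetition intervals at or below this are treated as suspicious. The analysis
# reports a two-minute schedule; using it as the cutoff is an assumption.
$MaxInterval = [TimeSpan]::FromMinutes(2)

function Test-ShortRepetition {
    param($Task)
    foreach ($trigger in $Task.Triggers) {
        # Repetition.Interval is an ISO 8601 duration such as 'PT2M'; it is
        # empty for triggers that do not repeat.
        $interval = $trigger.Repetition.Interval
        if ($interval) {
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ($span -le $MaxInterval) { return $true }
        }
    }
    return $false
}

$Findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (e.g. COM handlers) have no Execute value; treat as empty.
        $exe     = [IO.Path]::GetFileName([string]$action.Execute).ToLower()
        $argText = [string]$action.Arguments
        $reasons = @()

        if (($ScriptHosts -contains $exe) -and (Test-ShortRepetition $task)) {
            $reasons += 'script host launched on a repetition interval of 2 minutes or less'
        }
        foreach ($name in $KnownNames) {
            if (($argText -match [regex]::Escape($name)) -or ($exe -eq $name)) {
                $reasons += "references $name"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Execute   = $action.Execute
                Arguments = $argText
                Reason    = $reasons -join '; '
            }
        }
    }
}

# One row per suspicious action; an empty table means nothing matched.
$Findings | Format-Table -AutoSize
```

Legitimate software occasionally schedules PowerShell on short intervals, so treat the output as a triage list rather than a verdict: confirm each hit by reading the referenced script and checking the task's creation time and author against the rest of the incident timeline.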

To dive deeper into the details of PSLoramyra’s techniques, visit ANY.RUN’s blog.