Rust Shellcode Loader Uses GoTo Meeting To Load Remcos RAT
An unidentified threat actor used a new cyber kill chain to distribute the Remcos RAT through a Rust shellcode loader that abuses the GoToMeeting web conferencing software. The chain is suspected to start with phishing lures built around various themes. It begins with myrecentfiles.lnk, which opens a decoy PDF file (MLD.pdf) and triggers the execution of winsys.odt, which in turn loads g2m.dll. This DLL loads the data.bin shellcode to deploy Remcos RAT. The actor establishes persistence through the Startup folder and relies on DLL side-loading for evasion. A second malicious kill chain was discovered that also abuses GoToMeeting, leveraging PowerShell and establishing persistence through RunBatchFile.lnk in the Startup folder.
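Added detection example (not from the report or from the actor's tooling): a Python check that scores constructed Sysmon-style event records against the three behaviours the summary names, namely a process image with a non-executable extension (winsys.odt), g2m.dll loading from a user-writable path, and a shortcut written to the Startup folder. The event schema, the list of user-writable directories and the GoToMeeting install path are assumptions.

```python
from pathlib import PureWindowsPath

# Shortcut names the summary associates with the two kill chains.
SUSPICIOUS_LNK = {"myrecentfiles.lnk", "runbatchfile.lnk"}
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Heuristic (assumption): g2m.dll is a genuine GoToMeeting component, so a copy
# loaded from a user-writable drop location is treated as a side-load candidate.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def classify(event: dict) -> list[str]:
    """Return findings for one Sysmon-style event; an empty list means benign."""
    findings = []
    kind = event.get("type")
    if kind in ("process_create", "image_load"):
        # winsys.odt in the summary: a process image without an executable extension.
        if PureWindowsPath(event["image"]).suffix.lower() != ".exe":
            findings.append("process image with non-executable extension")
    if kind == "image_load":
        loaded = PureWindowsPath(event["image_loaded"])
        folder = str(loaded.parent).lower() + "\\"
        if loaded.name.lower() == "g2m.dll" and any(d in folder for d in USER_WRITABLE):
            findings.append("g2m.dll side-load from user-writable path")
    if kind == "file_create":
        target = PureWindowsPath(event["target"])
        folder = str(target.parent).lower() + "\\"
        if target.suffix.lower() == ".lnk" and STARTUP_FRAGMENT in folder:
            label = "known name" if target.name.lower() in SUSPICIOUS_LNK else "unlisted name"
            findings.append(f"shortcut written to Startup folder ({label})")
    return findings


# Constructed sample events (not captured from a real incident); the install
# path under AppData\Local\GoToMeeting is a placeholder for the legitimate copy.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\u\AppData\Roaming\winsys.odt"},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Roaming\winsys.odt",
     "image_loaded": r"C:\Users\u\AppData\Roaming\g2m.dll"},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\GoToMeeting\host_placeholder.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\GoToMeeting\g2m.dll"},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\RunBatchFile.lnk"},
    {"type": "file_create", "target": r"C:\Users\u\Downloads\MLD.pdf"},
]


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify over every event and return (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]
```

Running `scan(SAMPLE_EVENTS)` yields four findings: the odt-named process twice (at creation and as the loader of g2m.dll), the g2m.dll load from AppData\Roaming, and the RunBatchFile.lnk write, while the legitimate g2m.dll load and the decoy PDF produce none.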