Malware Coders Find the Perfect Technique to Help RATs Avoid Detection
[Image: malware-coders-find-the-perfect-techniqu...3303-2.png]
Security firm SentinelOne discovered a new technique leveraged by malware coders who hide the most dangerous parts of RATs (Remote Access Trojans) in OS memory and use PNG files as configuration files.

Researchers first observed the technique in a series of state-sponsored attacks against Asian countries. The malware it was used with is NanoCore (also known as Nancrat), a RAT first detected in the spring of 2014.

For this campaign, the threat was distributed as an EXE file that, when executed, would extract a second EXE. Only the first EXE was stored on disk, and it contained no malicious behavior; the second EXE was injected into system memory with the help of an encrypted DLL and a series of PNG files.

According to the SentinelOne team, because this second EXE never touched the storage space, classic antivirus solutions never picked up its malicious behavior. Only security products that scan OS memory would be able to pick up the second EXE.

If you're curious, the role of the PNG files is to store configuration data for the RAT's normal mode of operation. All the images are just a mess of random pixels, but when the second EXE reads their content, they assemble back into parts of the RAT payload and its configuration settings.
[Image: malware-coders-find-the-perfect-techniqu...3303-3.png]
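Added example, not SentinelOne's analysis code and not the NanoCore loader: a Python script that shows the mechanics described above in miniature. A blob is spread across several PNG files as raw pixel bytes, read back and reassembled in memory without ever being written out as its own file, and each image is scored with the check a responder would want, a pixel-entropy heuristic that flags images which are "a mess of random pixels". The PNG layout (8-bit greyscale, a length prefix, filter type 0), the sample configuration, the file split into three parts and the XOR keystream used to make the pixels look like noise are all this example's own assumptions; the page does not document the real loader's encoding. Standard library only.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type+data), as the PNG spec lays chunks out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_png(payload: bytes, width: int = 32) -> bytes:
    """Store raw bytes as 8-bit greyscale pixels (colour type 0, filter 0 on every row).
    A 4-byte length prefix lets the reader drop the zero padding on the last row.
    This layout is the example's own convention, not the one NanoCore used."""
    body = struct.pack(">I", len(payload)) + payload
    height = -(-len(body) // width)                        # ceiling division
    body += b"\x00" * (height * width - len(body))
    raw = b"".join(b"\x00" + body[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_pixels(png: bytes) -> bytes:
    """Walk the chunks, inflate IDAT, strip the per-row filter byte, return pixel bytes.
    Only the greyscale / filter-0 images this example writes are accepted."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour != 0:
                raise ValueError("example reader handles 8-bit greyscale only")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length                                 # len + type + data + crc
    raw, stride, rows = zlib.decompress(idat), width + 1, []
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is supported here")
        rows.append(row[1:])
    return b"".join(rows)


def decode_png(png: bytes) -> bytes:
    """Recover the bytes encode_png stored (length prefix, then payload)."""
    pixels = png_pixels(png)
    (n,) = struct.unpack(">I", pixels[:4])
    return pixels[4:4 + n]


def split_into_pngs(blob: bytes, parts: int) -> list:
    """Dropper side: spread one blob over several image files."""
    size = -(-len(blob) // parts)
    return [encode_png(blob[i * size:(i + 1) * size]) for i in range(parts)]


def reassemble(pngs) -> bytes:
    """In-memory stage: read each image and concatenate the pieces (nothing hits disk)."""
    return b"".join(decode_png(p) for p in pngs)


def pixel_entropy(png: bytes) -> float:
    """Shannon entropy in bits per pixel byte. Real icons and photos have structure
    (well under 7); an image that is noise because it carries obfuscated data sits
    close to 8. A cheap triage heuristic for a PNG found next to a loader, not proof."""
    pixels = png_pixels(png)
    counts = [0] * 256
    for b in pixels:
        counts[b] += 1
    total = len(pixels)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


# Constructed sample: a fake RAT configuration, then a stand-in obfuscation (XOR with
# a seeded PRNG keystream) so the pixels look like noise, as the article describes.
SAMPLE_CONFIG = (b"host=203.0.113.7;port=8080;mutex=EXAMPLE;persist=1;" * 80)
_rng = random.Random(1337)
KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(len(SAMPLE_CONFIG)))
OBFUSCATED = bytes(a ^ b for a, b in zip(SAMPLE_CONFIG, KEYSTREAM))


def demo():
    """Round-trip the blob through three PNGs and score them."""
    parts = split_into_pngs(OBFUSCATED, 3)
    recovered = reassemble(parts)
    config = bytes(a ^ b for a, b in zip(recovered, KEYSTREAM))
    noisy = [round(pixel_entropy(p), 2) for p in parts]
    plain = round(pixel_entropy(encode_png(SAMPLE_CONFIG)), 2)
    return recovered == OBFUSCATED, config == SAMPLE_CONFIG, noisy, plain


if __name__ == "__main__":
    ok_blob, ok_cfg, noisy, plain = demo()
    print("blob round-trip:", ok_blob, "| config recovered:", ok_cfg)
    print("entropy of noise PNGs:", noisy, "| entropy of plain-config PNG:", plain)
```

The entropy score is the part worth keeping for triage: the same configuration stored as plain pixels scores far lower than its obfuscated form, so a handful of small PNGs near 8 bits per byte sitting beside an otherwise clean dropper is a reason to look at process memory rather than at the files.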