Security researchers have discovered a new wave of Windows Remote Access Trojan (RAT) [RAT] that’s using a simple but effective new technique to evade antivirus software by scrambling its signature.
This innovative method seriously hinders the common practice of malware analysis and detection and carries an serious potential of danger to many windows systems worldwide.
This RAT, which has been found by Fortinet, works by deliberately damaging the DOS (Disk Operating System) and PE (Portable Executable) headers within its own executable.
In order for the Windows operating system to identify and launch programs, these headers are necessary. Corrupting this basic information disables traditional security tools, which depend on headers to characterize and pattern-match Internet traffic through static analysis.
This potentially enables the RAT to remain on compromised systems for weeks without being noticed by the system’s defense mechanisms, the researchers say.
One must use other methods (such as memory forensics, and reproducing as closely as one can the exact circumstances of the affected machine) to investigate the behavior of the malware.
In the incident it was found that the RAT was being executed under a valid dllhost. exe, thus providing an additional layer of obfuscation to its malicious behavior.
Upon execution, the RAT decrypts its C2 server address in memory and creates a secure C&C communication channel based on the TLS protocol. The primary thread goes dormant, waiting for commands from C2 server via another communication thread.
Upon additional analysis the new RAT was found to have a wide range of malicious features, such as:
- Screenshot Capture: Capturing the user’s screen secretly.
- System Service Manipulation: Enumeration and controlling the system services on the compromised machine.
- Server Mode: If it’s acting as an attacker to listen for incoming connections from attacker, turning the compromised machine into a listening platform.
The RAT also uses multi-threaded socket architecture to accept multiple connections at the same time from attackers, so that more sophisticated and coordinated operations can be carried out.
This finding demonstrates the progressive maturity of cyber threats and the ongoing requirement for progressive detection and analysis methodologies.
Companiest are encouraged to adopt stronger security practices and tools that are capable of analyzing memory, watch for legitimate processes acting in abnormal ways, in addition, audit the API usage for detection of potentially suspicious operations.
Network traffic analysis can also identify aberrant outbound connections related to C2 communications as well. Addendum: User awareness is key in stopping initial infections that use social engineering techniques.
The cyber-security community is currently pay attention of the threat to find possible mitigations and detection signatures. More details on the structure of the RAT as well as specific indicators of compromise will likely be provided in the next days.
This once again highlights the ‘whack-a-mole’ game of brinkmanship that cybersecurity and online criminals have long taken part in, as we have seen emerging threats being countered at breakneck speed.
