New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers

Avatar
Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable. While the DOS header makes the executable file backward compatible

Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.

The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable.

While the DOS header makes the executable file backward compatible with MS-DOS and allows it to be recognized as a valid executable by the operating system, the PE header contains the metadata and information necessary for Windows to load and execute the program.

“We discovered malware that had been running on a compromised machine for several weeks,” researchers Xiaopeng Zhang and John Simmons from the FortiGuard Incident Response Team said in a report shared with The Hacker News. “The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process.”

Fortinet said while it was unable to extract the malware itself, it acquired a memory dump of the running malware process and a full memory dump of the compromised machine. It’s currently not known how the malware is distributed or how widespread the attacks distributing it are.

The malware, running within a dllhost.exe process, is a 64-bit PE file with corrupted DOS and PE headers in a bid to challenge analysis efforts and reconstruct the payload from memory.

Despite these roadblocks, the cybersecurity company further noted that it was able to take apart the dumped malware within a controlled local setting by replicating the compromised system’s environment after “multiple trials, errors, and repeated fixes.”

The malware, once executed, decrypts command-and-control (C2) domain information stored in memory and then establishes contact with the server (“rushpapers[.]com”) in a newly created threat.

“After launching the thread, the main thread enters a sleep state until the communication thread completes its execution,” the researchers said. “The malware communicates with the C2 server over the TLS protocol.”

Further analysis has determined the malware to be a remote access trojan (RAT) with capabilities to capture screenshots; enumerate and manipulate the system services on the compromised host; and even act as a server to await incoming “client” connections.

“It implements a multi-threaded socket architecture: each time a new client (attacker) connects, the malware spawns a new thread to handle the communication,” Fortinet said. “This design enables concurrent sessions and supports more complex interactions.”

“By operating in this mode, the malware effectively turns the compromised system into a remote-access platform, allowing the attacker to launch further attacks or perform various actions on behalf of the victim.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

Next Post

Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

Related Posts

Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.  The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs. "The new vulnerabilities can be
Avatar
Read More

Are Forgotten AD Service Accounts Leaving You at Risk?

For many organizations, Active Directory (AD) service accounts are quiet afterthoughts, persisting in the background long after their original purpose has been forgotten. To make matters worse, these orphaned service accounts (created for legacy applications, scheduled tasks, automation scripts, or test environments) are often left active with non-expiring or stale passwords. It’s no surprise
Avatar
Read More