Cybersecurity researchers have uncovered a sophisticated cyber attack involving a Remote Access Trojan (RAT) that remained undetected on a compromised Windows machine for several weeks. The malware employs corrupted DOS and Portable Executable (PE) headers to evade detection and analysis, posing significant challenges to cybersecurity defenses.
Understanding DOS and PE Headers
In Windows operating systems, executable files contain DOS and PE headers that provide essential information for the system to load and execute programs. The DOS header ensures backward compatibility with MS-DOS, while the PE header contains metadata necessary for Windows to manage the executable. By corrupting these headers, the malware disrupts standard analysis tools, making it difficult for security professionals to identify and dissect the malicious code.
Discovery and Analysis
Researchers from Fortinet’s FortiGuard Incident Response Team identified the malware running within a `dllhost.exe` process on a compromised system. Despite the corruption of the DOS and PE headers, the team managed to reconstruct the payload by replicating the compromised environment and conducting extensive memory analysis.
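As an added illustration of the header structures discussed above (example code written for this page, not Fortinet's tooling or the RAT's code), the following Python triage helper walks the DOS header, e_lfanew, PE signature and COFF/optional header fields of a memory-dumped image and reports any that are wiped or implausible; the sample bytes are constructed here, not taken from the actual malware.

```python
import struct

MZ_SIG, PE_SIG = b"MZ", b"PE\0\0"
KNOWN_MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_headers(data: bytes) -> list[str]:
    """Return a list of DOS/PE header anomalies; empty means the headers
    parse cleanly. Parsing stops only when later fields cannot be located."""
    findings = []
    if len(data) < 0x40:
        return ["image too short to hold a 64-byte DOS header"]
    if data[:2] != MZ_SIG:                          # e_magic at offset 0
        findings.append(f"DOS e_magic is {data[:2]!r}, expected b'MZ'")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of PE signature
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the image")
        return findings
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        findings.append("PE\\0\\0 signature missing at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"unrecognised Machine 0x{machine:x}")
    if not 0 < nsec <= 96:                          # Windows loader accepts at most 96 sections
        findings.append(f"implausible NumberOfSections {nsec}")
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(data):
        findings.append("optional header missing or truncated")
    elif struct.unpack_from("<H", data, opt_off)[0] not in OPT_MAGICS:
        findings.append("optional header Magic is neither PE32 nor PE32+")
    return findings


def build_sample(corrupt: bool) -> bytes:
    """Constructed header bytes (not from a real binary): a DOS header with
    e_lfanew = 0x40, then a PE32+ x64 COFF header and optional header."""
    img = bytearray(0x40)
    img[:2] = MZ_SIG
    struct.pack_into("<I", img, 0x3C, 0x40)
    img += PE_SIG + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    img += struct.pack("<H", 0x20B) + bytes(0xEE)   # Magic + rest of optional header
    if corrupt:                                      # mimic wiped DOS and PE magics
        img[:2] = b"\0\0"
        img[0x40:0x44] = b"\0\0\0\0"
    return bytes(img)
```

Run against a region dumped from a suspect process, a non-empty findings list is the cue to fall back on manual reconstruction of the kind the researchers describe, rather than trusting automated PE parsers.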
Malware Capabilities
Once executed, the RAT decrypts command-and-control (C2) domain information stored in memory and establishes communication with a remote server over the TLS protocol. The malware’s functionalities include:
– Screenshot Capture: Periodically capturing screenshots of the victim’s desktop to monitor activities.
– System Service Manipulation: Enumerating and controlling system services to maintain persistence and control.
– Multi-Threaded Socket Architecture: Allowing concurrent sessions by spawning new threads for each client connection, effectively turning the compromised system into a remote-access platform.
Implications and Recommendations
The use of corrupted headers to evade detection highlights the evolving sophistication of malware tactics. Organizations are advised to implement advanced threat detection mechanisms, conduct regular system audits, and educate employees on recognizing phishing attempts and other common attack vectors.