Pulsar RAT: A Stealthy Threat Targeting Windows Systems
A newly identified Remote Access Trojan (RAT), Pulsar RAT, is targeting Windows systems. It uses a multi-stage chain to establish persistence, evade detection, and exfiltrate sensitive user data.
Infection Mechanism
The attack begins with an obfuscated batch file that quietly copies itself into a hidden folder under the user's AppData directory and then registers that copy in the registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Because both the AppData tree and the HKCU Run key are writable by the logged-on user, the malware gains execution at every login without requiring administrative privileges.
Multi-Stage Payload Deployment
Once active, Pulsar RAT employs a multi-stage infection chain:
1. PowerShell loaders: The batch file extracts and executes embedded PowerShell scripts, keeping the intermediate stages in memory and minimizing on-disk artifacts that could trip security tooling.
2. Shellcode injection: The loader decrypts Donut-generated shellcode (Donut wraps a .NET assembly into position-independent shellcode) and injects it into legitimate Windows processes such as `explorer.exe`. Execution is delayed, and a watchdog mechanism keeps the implant running to maintain control.
3. Obfuscated .NET payload: The final stage is a heavily obfuscated .NET application with full stealer and remote-access capabilities: credential theft, surveillance, and remote system control.
Data Exfiltration
Pulsar RAT is designed to harvest a wide array of sensitive information, including:
– Browser credentials
– Cryptocurrency wallets
– VPN configurations
– Gaming platform accounts
– Messaging application tokens
The collected data is compressed into ZIP archives and exfiltrated via Discord webhooks and Telegram bots. Each message is tagged `stealer by @aesxor`, which lets the operators track which infected system produced each upload.
Persistence and Evasion Techniques
To ensure long-term access, Pulsar RAT sets up two redundant persistence mechanisms:
– Windows Scheduled Tasks: a task that runs at user logon with the highest available run level (`RunLevel Highest`). Note that a task created by a standard user still runs only with that user's token; the setting elevates nothing unless the user is already an administrator.
– Registry Run Keys: the same executable path written under the current user's Run key.
Either mechanism alone is enough to relaunch the malware, so it survives if one of them is removed, blocked, or monitored.
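The following PowerShell is an added example written for this article, not code from the original write-up or from the Pulsar RAT project. It is a read-only hunt for the two persistence mechanisms just described: Run-key entries and logon-triggered scheduled tasks whose executable lives under the current user's AppData tree or in a folder carrying the Hidden attribute. That location heuristic is an assumption drawn from the infection description above, not a published indicator, so expect to tune it.

```powershell
# Added example, not from the original article: a read-only hunt for the two
# persistence mechanisms described above. It flags Run-key entries and
# logon-triggered scheduled tasks whose executable sits under the current
# user's AppData tree or inside a folder with the Hidden attribute.
# The AppData/Hidden heuristic is an assumption drawn from the article's
# description, not a published indicator. Run elevated so HKLM and every
# user's tasks are readable; HKU hives of other users are not walked here.

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Return the executable or script path from a command line, dropping arguments.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { $exe = $Command }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-SuspiciousLocation {
    param([string]$Path)
    # True when the path is under %APPDATA%/%LOCALAPPDATA% or its parent folder is Hidden.
    if (-not $Path) { return $false }
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $parent = Split-Path -Path $Path -Parent -ErrorAction SilentlyContinue
    if ($parent -and (Test-Path -LiteralPath $parent)) {
        $attrs = (Get-Item -LiteralPath $parent -Force).Attributes
        if (([int]($attrs -band [IO.FileAttributes]::Hidden)) -ne 0) { return $true }
    }
    return $false
}

function Find-LogonPersistence {
    $findings = [System.Collections.Generic.List[object]]::new()
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Run / RunOnce keys for the current user and the machine.
    $runKeys = foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($name in 'Run', 'RunOnce') { "${hive}:\Software\Microsoft\Windows\CurrentVersion\$name" }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $metaProps) { continue }   # provider metadata, not Run values
            $exe = Get-ExecutableFromCommand ([string]$prop.Value)
            if (Test-SuspiciousLocation $exe) {
                $findings.Add([pscustomobject]@{
                    Source   = 'RunKey'
                    Location = "$key\$($prop.Name)"
                    Command  = $prop.Value
                    RunLevel = 'n/a'
                })
            }
        }
    }

    # Scheduled tasks with a logon trigger, regardless of who registered them.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        if ($logon.Count -eq 0) { continue }
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Get-ExecutableFromCommand $action.Execute
            if (Test-SuspiciousLocation $exe) {
                $findings.Add([pscustomobject]@{
                    Source   = 'ScheduledTask'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Command  = "$($action.Execute) $($action.Arguments)".Trim()
                    RunLevel = $task.Principal.RunLevel
                })
            }
        }
    }
    return $findings
}

$hits = Find-LogonPersistence
$hits | Format-Table Source, RunLevel, Location, Command -AutoSize -Wrap

# The chain described above registers the same binary twice; a path that shows
# up in both a Run key and a task is the strongest signal in this output.
$hits | Group-Object { Get-ExecutableFromCommand $_.Command } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Dual persistence for: $($_.Name)" }
```

Run it from an elevated session on the suspect host. Legitimate software does install per-user updaters under AppData, so review each hit rather than deleting blindly; the dual-registration summary at the end is the line most worth acting on.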
The malware also incorporates anti-analysis techniques, including:
– Anti-virtualization: Detects virtual environments and declines to run in them.
– Anti-debugging: Monitors for debugging tools and terminates itself when one is detected.
– Process injection detection: Watches for analysis code being hooked or injected into its own process and responds by terminating or altering its execution flow.
When analysis tools such as x64dbg, WinDbg, dnSpy, or IDA are detected through window-title enumeration or API checks, the malware terminates immediately. The same self-protection layer checks for hardware breakpoints, PEB debugging flags (such as `BeingDebugged`), and handle manipulation, forming a comprehensive anti-analysis framework designed to resist reverse engineering. The practical consequence for analysts is that an automated sandbox may observe only the loader: the payload inspects its environment before it does anything of interest.
Recommendations for Mitigation
Organizations are advised to implement the following measures to detect and prevent Pulsar RAT infections:
– Behavioral detection: Deploy EDR capable of identifying in-memory shellcode injection (for example, remote thread creation or unbacked executable memory in `explorer.exe`) and unusual PowerShell execution patterns such as encoded or in-memory script loading.
– Registry and task monitoring: Alert on writes to the Run keys (Sysmon Event ID 13 covers these when the keys are in the configuration) and on scheduled-task creation (Security Event ID 4698, which requires the object-access audit policy), rather than only reviewing the keys periodically.
– Network monitoring: Watch for connections to known command-and-control infrastructure, such as `185.132.53.17:7800`, and for uploads to Discord webhook and Telegram bot API endpoints. The IP is a point-in-time indicator that will change; the webhook pattern is more durable. Blocking Discord and Telegram outright contains an active infection but is not always feasible, so where those services are legitimately used, alert on posts to Discord `/api/webhooks/` and Telegram `/bot<token>/sendDocument` paths from non-browser processes instead.
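As an added example, not part of the original article, the PowerShell below runs the network-monitoring idea over a small proxy log. The log format (time, client, method, host:port, path) and every line in it are constructed for this example; the C2 socket is the one listed above, and the webhook and bot-API paths are Discord's and Telegram's public endpoints. Two ordinary requests from a second client are included to show that normal Discord browsing is not flagged.

```powershell
# Added example, not from the original article: scan proxy log lines for the
# C2 address and the Discord/Telegram exfiltration endpoints named above.
# The log format (time client method host:port path) and every entry in
# $SampleLog are constructed for this example; only the C2 socket comes from
# the article, and the webhook/bot-API paths are Discord's and Telegram's
# public endpoints. Replace $SampleLog with Get-Content over a real log.

$KnownC2 = @('185.132.53.17:7800')

$SampleText = @'
2024-05-01T09:12:03Z 10.0.0.15 POST discord.com:443 /api/webhooks/000000000000000000/EXAMPLE_TOKEN
2024-05-01T09:12:10Z 10.0.0.15 POST api.telegram.org:443 /bot000000:EXAMPLE_TOKEN/sendDocument
2024-05-01T09:12:11Z 10.0.0.15 CONNECT 185.132.53.17:7800 -
2024-05-01T09:13:00Z 10.0.0.22 GET www.microsoft.com:443 /
2024-05-01T09:13:05Z 10.0.0.22 GET discord.com:443 /channels/@me
'@
$SampleLog = $SampleText -split "`r?`n"

function Test-ExfilIndicator {
    param([string]$Line)
    # Return a finding object for a suspicious line, or $null for anything else.
    $fields = $Line -split '\s+', 5
    if ($fields.Count -lt 5) { return $null }
    $time, $client, $method, $dest, $path = $fields

    $reason = $null
    if ($KnownC2 -contains $dest) {
        $reason = 'known Pulsar RAT C2 endpoint'
    }
    elseif ($dest -match '^(?:[\w-]+\.)?discord(?:app)?\.com:\d+$' -and
            $path -match '^/api/webhooks/\d+/') {
        # Ordinary Discord browsing hits /channels, /api/v9 and similar paths;
        # only the webhook path is an unattended upload channel.
        $reason = 'Discord webhook upload'
    }
    elseif ($dest -eq 'api.telegram.org:443' -and
            $path -match '^/bot\d+:[\w-]+/send(?:Document|Message|Photo)') {
        $reason = 'Telegram bot API upload'
    }
    if (-not $reason) { return $null }

    [pscustomobject]@{
        Time = $time; Client = $client; Method = $method
        Destination = $dest; Path = $path; Reason = $reason
    }
}

$hits = foreach ($line in $SampleLog) {
    if ($line.Trim()) { Test-ExfilIndicator $line }
}
$hits | Format-Table Time, Client, Destination, Reason -AutoSize
```

Hostnames and URL paths are only visible when TLS is terminated at the proxy. Where it is not, fall back to DNS telemetry (Sysmon Event ID 22) and per-process network events (Sysmon Event ID 3): because this chain runs inside `explorer.exe`, that process resolving `api.telegram.org` or connecting to a Discord host is itself anomalous and does not depend on seeing the URL.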
By staying vigilant and implementing robust security measures, organizations can better protect their systems against sophisticated threats like Pulsar RAT.