Stealthy New Windows RAT Hides for Weeks with Corrupted DOS and PE Headers


Understanding a New Cybersecurity Threat: The Windows RAT with Corrupted Headers

Security researchers have recently documented a cyberattack that relies on malware whose DOS and PE headers have been deliberately corrupted. The discovery, made by researchers at Fortinet, shows a technique that complicates traditional detection and analysis methods.

What Are DOS and PE Headers?

The DOS (Disk Operating System) and PE (Portable Executable) headers are crucial components of executable files in Windows. The DOS header exists for backward compatibility with MS-DOS and records where the PE header begins, while the PE header contains the metadata Windows needs to load and execute the program. Corrupting these headers significantly hinders analysis, because the tools security professionals use to parse or rebuild an executable depend on them.

Insights from Fortinet’s Findings

In their report, researchers from FortiGuard Incident Response Team, Xiaopeng Zhang and John Simmons, noted that their investigation revealed malware running silently on a compromised machine for several weeks. They reported that the attacker employed scripts and PowerShell to initiate the malware within a Windows process.

While Fortinet could not extract the malware itself, they did obtain a memory dump of the active process and a full memory dump of the affected machine. However, the specifics of how this malware is distributed and its prevalence remain largely unknown.

The Structure of the Malware

Operating under the process “dllhost.exe,” this malware is a 64-bit PE file but features corrupted DOS and PE headers. These corrupted headers serve to evade detection and complicate efforts to reconstruct the malware from memory.

Fortinet’s analysis demonstrated that, despite these barriers, they could successfully dissect the malware within a carefully recreated environment that mirrored the compromised system. This analysis required multiple trials and adjustments, highlighting the complexity of analyzing such advanced malware.
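The header fields described above are exactly what a responder checks first when a suspicious module is carved out of a memory dump. The following added example (my own triage helper, not Fortinet's code or anything from the report) validates the DOS magic, the e_lfanew pointer, the PE signature, the Machine field and the optional-header magic of a byte region, and falls back to scanning for a plausible PE signature when the DOS header has been wiped. The sample regions are constructed in the code; the offsets and constants come from the PE/COFF specification.

```python
import struct

# Values from the PE/COFF specification (IMAGE_FILE_MACHINE_* and optional-header magic)
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
FILE_HEADER_SIZE = 20  # sizeof(IMAGE_FILE_HEADER)


def build_pe_header(machine=0x8664, opt_magic=0x20B, e_lfanew=0x80):
    """Constructed minimal header region for testing: MZ magic, e_lfanew, PE signature,
    IMAGE_FILE_HEADER and the first word of the optional header. Not a loadable binary."""
    buf = bytearray(e_lfanew + 4 + FILE_HEADER_SIZE + 2)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)               # IMAGE_DOS_HEADER.e_lfanew
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"                    # IMAGE_NT_HEADERS.Signature
    struct.pack_into("<HH", buf, e_lfanew + 4, machine, 3)    # Machine, NumberOfSections
    struct.pack_into("<HH", buf, e_lfanew + 20,               # SizeOfOptionalHeader, Characteristics
                     240 if opt_magic == 0x20B else 224, 0x22)
    struct.pack_into("<H", buf, e_lfanew + 24, opt_magic)     # IMAGE_OPTIONAL_HEADER.Magic
    return bytes(buf)


def check_headers(data: bytes) -> dict:
    """Validate the DOS and PE headers of a memory region.
    The 'findings' list is empty when the headers are intact."""
    report = {"dos_magic_ok": False, "e_lfanew": None, "pe_signature_ok": False,
              "machine": None, "opt_magic": None, "findings": []}
    f = report["findings"]
    if len(data) < 0x40:
        f.append("region too small to hold an IMAGE_DOS_HEADER")
        return report
    report["dos_magic_ok"] = data[:2] == b"MZ"
    if not report["dos_magic_ok"]:
        f.append("DOS magic 'MZ' missing at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    report["e_lfanew"] = e_lfanew
    if e_lfanew < 0x40 or e_lfanew + 4 + FILE_HEADER_SIZE + 2 > len(data):
        f.append(f"e_lfanew 0x{e_lfanew:x} does not point inside the region")
        return report
    report["pe_signature_ok"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if not report["pe_signature_ok"]:
        f.append(f"PE signature missing at e_lfanew 0x{e_lfanew:x}")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    report["machine"] = MACHINES.get(machine)
    report["opt_magic"] = OPT_MAGIC.get(opt_magic)
    if report["machine"] is None:
        f.append(f"unknown Machine 0x{machine:04x}")
    if report["opt_magic"] is None:
        f.append(f"unknown optional-header magic 0x{opt_magic:04x}")
    return report


def find_pe_signature(data: bytes):
    """Fallback when the DOS header is wiped: scan for 'PE\\0\\0' that is followed by a
    known Machine value and optional-header magic at the expected offsets."""
    pos = data.find(b"PE\0\0")
    while pos != -1:
        if pos + 26 <= len(data):
            machine = struct.unpack_from("<H", data, pos + 4)[0]
            magic = struct.unpack_from("<H", data, pos + 24)[0]
            if machine in MACHINES and magic in OPT_MAGIC:
                return pos
        pos = data.find(b"PE\0\0", pos + 1)
    return None


def triage(data: bytes) -> str:
    """One-line verdict for a carved region: intact, corrupted but recoverable, or wiped."""
    report = check_headers(data)
    if not report["findings"]:
        return f"headers intact ({report['machine']}, {report['opt_magic']})"
    pe = find_pe_signature(data)
    if pe is None:
        return "headers corrupted; no recoverable PE signature"
    machine = MACHINES[struct.unpack_from("<H", data, pe + 4)[0]]
    return f"headers corrupted; PE signature found at 0x{pe:x} ({machine})"


if __name__ == "__main__":
    # Constructed samples: an intact header, one with the DOS header zeroed,
    # and one where the PE signature has been wiped as well.
    intact = build_pe_header()
    dos_wiped = bytes(0x40) + intact[0x40:]
    fully_wiped = bytes(0x40) + intact[0x40:0x80] + bytes(4) + intact[0x84:]
    for name, region in [("intact", intact), ("dos_wiped", dos_wiped), ("fully_wiped", fully_wiped)]:
        print(f"{name:12} -> {triage(region)}")
```

In practice the input would be a region read out of a process or full-memory dump; a module whose DOS magic or PE signature fails these checks while still carrying a valid Machine and optional-header magic further in is a strong hint of deliberate header corruption rather than an ordinary data page.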

How the Malware Communicates

Upon execution, the malware decrypts command-and-control (C2) domain information embedded in memory and connects to a designated server, identified as "rushpapers[.]com." According to the researchers, once the malware establishes this connection it enters a sleep state until the communication thread completes its tasks, using TLS to encrypt its traffic.

Capabilities of the Remote Access Trojan (RAT)

Further investigation revealed that this malware functions as a remote access trojan (RAT), equipped with various capabilities that pose significant risks. It can capture screenshots, enumerate system services, and even act as a server to manage incoming connections from attackers.

The malware employs a multi-threaded socket architecture, enabling it to handle multiple client connections simultaneously. This design not only allows for concurrent sessions but also supports more intricate interactions between the attacker and the compromised system.

Implications for Cybersecurity

The operation of this malware effectively transforms the infected machine into a platform for remote access, granting the attacker the ability to carry out additional attacks or perform a variety of actions on behalf of the victim. This evolving landscape of malware emphasizes the ongoing need for robust cybersecurity measures and the importance of staying informed about emerging threats.

Cybersecurity professionals must continually adapt their strategies to counter these sophisticated techniques, as the malware landscape grows increasingly complex and varied.
