Stealthy New Windows RAT Hides for Weeks with Corrupted DOS and PE Headers

Published:

spot_img

Understanding a New Cybersecurity Threat: The Windows RAT with Corrupted Headers

Cybersecurity experts have recently brought to light an innovative cyberattack that utilizes malware with corrupted DOS and PE headers. This discovery, made by researchers at Fortinet, showcases a sophisticated approach that complicates traditional detection methods.

What Are DOS and PE Headers?

The DOS (Disk Operating System) and PE (Portable Executable) headers are crucial components of executable files in Windows. The DOS header aids in making the executable file backward compatible with MS-DOS, while the PE header contains essential metadata that Windows requires to load and execute applications. Corruption of these headers can significantly hinder analysis efforts by security professionals.

Insights from Fortinet’s Findings

In their report, researchers from FortiGuard Incident Response Team, Xiaopeng Zhang and John Simmons, noted that their investigation revealed malware running silently on a compromised machine for several weeks. They reported that the attacker employed scripts and PowerShell to initiate the malware within a Windows process.

While Fortinet could not extract the malware itself, they did obtain a memory dump of the active process and a full memory dump of the affected machine. However, the specifics of how this malware is distributed and its prevalence remain largely unknown.

The Structure of the Malware

Operating under the process “dllhost.exe,” this malware is a 64-bit PE file but features corrupted DOS and PE headers. These corrupted headers serve to evade detection and complicate efforts to reconstruct the malware from memory.

Fortinet’s analysis demonstrated that, despite these barriers, they could successfully dissect the malware within a carefully recreated environment that mirrored the compromised system. This analysis required multiple trials and adjustments, highlighting the complexity of analyzing such advanced malware.

How the Malware Communicates

Upon execution, the malware decrypts command-and-control (C2) domain information embedded in memory and connects to a designated server, identified as "rushpapers[.]com." According to researchers, once the malware establishes this connection, it enters a sleep state until the communication thread completes its tasks, utilizing TLS protocol for secure communication.

Capabilities of the Remote Access Trojan (RAT)

Further investigation revealed that this malware functions as a remote access trojan (RAT), equipped with various capabilities that pose significant risks. It can capture screenshots, enumerate system services, and even act as a server to manage incoming connections from attackers.

The malware employs a multi-threaded socket architecture, enabling it to handle multiple client connections simultaneously. This design not only allows for concurrent sessions but also supports more intricate interactions between the attacker and the compromised system.

Implications for Cybersecurity

The operation of this malware effectively transforms the infected machine into a platform for remote access, granting the attacker the ability to carry out additional attacks or perform a variety of actions on behalf of the victim. This evolving landscape of malware emphasizes the ongoing need for robust cybersecurity measures and the importance of staying informed about emerging threats.

Cybersecurity professionals must continually adapt their strategies to counter these sophisticated techniques, as the malware landscape grows increasingly complex and varied.

spot_img

Related articles

Recent articles

NSU Launches Cybersecurity Center to Enhance Research and Workforce Development in Bangladesh

North South University (NSU) has inaugurated its Cybersecurity Center to advance research, develop skilled professionals, and strengthen Bangladesh's resilience against emerging cyber threats. This...

Siemens ROX II Switches Vulnerable: Update to Firmware V2.17.1 to Mitigate CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949 Exploits

Siemens has issued an advisory regarding three critical zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) affecting its ROX II operational technology (OT) switches. These vulnerabilities...

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures The UK's communications regulator, Ofcom, has initiated a formal investigation into TikTok's...

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security Operational Technology (OT) security presents unique challenges that differ significantly from traditional Information Technology (IT)...