Introduction
A sophisticated Remote Access Trojan (RAT) was investigated by Fortinet's FortiGuard Incident Response Team [2]. The malware ran undetected for several weeks [4], deliberately corrupted its own executable headers to frustrate analysis, and maintained a TLS-protected channel to a command-and-control server. The investigation shows that file-format checks alone do not catch this class of threat and that memory-level detection is required [4].
Description
A sophisticated Remote Access Trojan (RAT) has been investigated by Fortinet's FortiGuard Incident Response Team [2]. The malware operated undetected for several weeks on a compromised Windows machine, executing scripts and PowerShell commands while masquerading as the legitimate dllhost.exe process (PID 8200) [4]. It employed advanced evasion techniques [1] [2], including deliberate corruption of its PE (Portable Executable) and DOS headers: the image dumped from memory can neither be parsed by standard PE tooling nor run as an ordinary Windows binary, which complicates forensic analysis. To analyze the malware's operations and communication patterns [3] [5], researchers obtained a complete 33 GB memory dump of the compromised system and manually recreated the infected environment, then reverse-engineered the in-memory image to locate its entry point and resolve the API addresses it used.
Once operational [5], the RAT established a TLS connection to a command-and-control (C2) server at rushpapers.com over port 443 and layered a custom XOR-based scrambling scheme on top of it for obfuscation. Its multi-threaded design allows multiple attacker sessions to operate simultaneously on the compromised system [4]. Analysts traced its use of the Windows SSPI functions SealMessage() (the exported alias of EncryptMessage()) and DecryptMessage() for handling the TLS traffic [5], which was further complicated by the custom encryption layer applied beneath TLS. Dynamic analysis confirmed capabilities including periodic screenshot capture, manipulation of Windows services, and control over system processes [1].
The reported infection chain involved batch scripts and PowerShell [3] [5], which injected the malware into a Windows process [3] [5]. After execution [4] [5], the RAT decrypted its C2 configuration in memory, revealing the server's domain, and began exfiltrating system details. Traffic analysis of the decrypted WebSocket requests and responses [5] showed how the malware collected and reported system information [3] [5], including the operating system version and architecture. The scheme XOR-scrambles each packet's payload with a randomly generated key before the data is TLS-encrypted [3] [5]; because no fixed plaintext ever appears on the wire, network signatures are ineffective, and detection has to rely on endpoint inspection or memory-level analysis [5].
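To make the "XOR with a random key, then TLS" layering concrete, the following Python is an added example (not code from the Fortinet analysis or any of the cited write-ups). It models the implant side, which serialises a system report and scrambles it, and the analyst side, which takes a payload captured after TLS decryption (for instance from a hook on DecryptMessage()) and recovers the XOR key from a known plaintext prefix. The packet layout (a short repeating key over a JSON report), the report fields, the key length and the crib are assumptions made for illustration; the page only states that a random key is used for XOR scrambling.

```python
"""Model of XOR-then-TLS packet scrambling and known-plaintext key recovery.

Added example, not the malware's own format.  Everything below the imports is
an assumption: the implant is assumed to XOR a JSON system report with a short
repeating random key, and to always begin the report with the "os" field.
"""
import json
import os
from typing import Optional, Tuple

# Constructed sample report; the values are invented for the example.
SAMPLE_REPORT = {"os": "Windows 10", "arch": "x64", "host": "WS-EXAMPLE"}
# Assumption: every report starts with this prefix, so it can serve as a crib.
CRIB = b'{"os":"'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function scrambles and unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scramble_report(report: dict, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Implant side: serialise the report and XOR it with a random key.

    Returns (key, scrambled).  In the real chain the scrambled blob is what
    would then be handed to SealMessage()/EncryptMessage() for TLS.
    """
    if key is None:
        key = os.urandom(4)  # assumption: 4-byte key; the page gives no length
    plain = json.dumps(report, separators=(",", ":")).encode()
    return key, xor_bytes(plain, key)


def recover_key(scrambled: bytes, crib: bytes, max_len: int = 16) -> Optional[bytes]:
    """Analyst side: recover the shortest repeating key consistent with the crib.

    `scrambled` is the payload as seen after TLS decryption (e.g. from a hook
    on DecryptMessage()).  XORing it with the known plaintext prefix exposes
    the key stream under the crib; we look for the shortest period that is
    consistent across the whole crib and that decodes the packet to valid
    JSON.  Returns None if no candidate works.
    """
    stream = bytes(c ^ p for c, p in zip(scrambled, crib))
    for k in range(1, min(max_len, len(stream)) + 1):
        cand = stream[:k]
        if any(stream[i] != cand[i % k] for i in range(k, len(stream))):
            continue
        try:
            json.loads(xor_bytes(scrambled, cand).decode("utf-8"))
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            continue
        return cand
    return None


def unscramble(scrambled: bytes, key: bytes) -> dict:
    """Undo the XOR layer and parse the report."""
    return json.loads(xor_bytes(scrambled, key).decode("utf-8"))


if __name__ == "__main__":
    key, blob = scramble_report(SAMPLE_REPORT)
    print("key:", key.hex(), "scrambled:", blob.hex())
    found = recover_key(blob, CRIB)
    print("recovered key:", found.hex() if found else None)
    print("report:", unscramble(blob, found) if found else None)
```

Run it twice and the scrambled hex differs each time while the recovered report does not, which is the point the write-ups make: a signature on the wire bytes never matches, but an endpoint that can see the payload before scrambling or after TLS decryption recovers the plaintext trivially. If the real key turned out to be longer than the predictable prefix, the crib would have to be extended with other fixed fields before this recovery would work.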
Source [1] reads the sophistication of this RAT as a sign of possible state-backed development or of professionalized underground malware-as-a-service, and concludes that similar threats are likely already in circulation. The incident argues for a shift in defensive strategy [1]: proactive threat hunting, memory scanning, and behavioral analytics as core components of the defense architecture rather than add-ons [1]. Security teams should monitor legitimate processes for irregular memory allocation and abnormal API usage [1], with enhanced alerting on memory-only execution and on encrypted outbound connections to suspicious domains such as rushpapers.com [1]. Further recommendations are to block outbound traffic to unknown domains and to keep PowerShell logging enabled so that unusual script activity is captured [4]; the underlying lesson is to monitor what executes in memory rather than to rely solely on traditional file-format checks, which the corrupted headers were designed to defeat [4].
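The corrupted-header evasion described above and the memory-scanning recommendation that follows from it are illustrated by the following Python, an added example that is not code from Fortinet or any of the cited sources. It scans a raw memory image page by page: a conventional file-format check (MZ signature, sane e_lfanew, PE signature) finds an intact image, and a content heuristic flags a page whose headers have been destroyed but which still carries strings that a mapped PE cannot easily shed. The sample image, the artifact list, the offsets used to build the fake PE and the score threshold are all constructed for the example; the corruption routine mimics the reported behaviour in the crudest way (zeroing the DOS header and PE signature) and is an assumption about what the attacker's corruption looked like.

```python
"""Find PE images in a memory image even when their DOS/PE headers are corrupted.

Added example; not Fortinet's tooling.  The sample image below is built inline,
and the artifact list and threshold are assumptions chosen for illustration.
"""
import struct

PAGE = 0x1000

# Strings that typically survive inside a mapped PE image even when the
# first bytes of the DOS and NT headers have been destroyed.
ARTIFACTS = [
    b"This program cannot be run in DOS mode",
    b".text\x00", b".rdata\x00", b".data\x00",
    b"KERNEL32.dll", b"GetProcAddress", b"LoadLibraryA",
]


def has_valid_pe_header(page: bytes) -> bool:
    """Conventional file-format check: 'MZ', e_lfanew in range, 'PE\\0\\0'."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def artifact_score(page: bytes) -> int:
    """Count header-independent PE indicators present in the page."""
    return sum(1 for s in ARTIFACTS if s in page)


def scan_image(image: bytes, threshold: int = 3):
    """Return (offset, verdict) for every page that looks like a PE image.

    'pe' means the format check passed; 'headerless-pe' means it failed but
    the page still scores at or above `threshold` on the artifact heuristic,
    which is exactly the case a file-format-only scanner misses.
    """
    findings = []
    for off in range(0, len(image), PAGE):
        page = image[off:off + PAGE]
        if has_valid_pe_header(page):
            findings.append((off, "pe"))
        elif artifact_score(page) >= threshold:
            findings.append((off, "headerless-pe"))
    return findings


def build_fake_pe() -> bytes:
    """Construct one page resembling a mapped PE: DOS header, stub text,
    PE signature, section names and a few import strings (offsets assumed)."""
    page = bytearray(PAGE)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, 0x80)              # e_lfanew -> 0x80
    page[0x4E:0x4E + len(ARTIFACTS[0])] = ARTIFACTS[0]    # DOS stub message
    page[0x80:0x84] = b"PE\x00\x00"
    for off, name in ((0x178, b".text\x00"), (0x1A0, b".rdata\x00"), (0x1C8, b".data\x00")):
        page[off:off + len(name)] = name                  # section headers
    for off, name in ((0x400, b"KERNEL32.dll"), (0x420, b"GetProcAddress"), (0x440, b"LoadLibraryA")):
        page[off:off + len(name)] = name                  # import name strings
    return bytes(page)


def corrupt_headers(page: bytes) -> bytes:
    """Crude model of the reported evasion: wipe the DOS header and the PE signature."""
    p = bytearray(page)
    p[:0x40] = b"\x00" * 0x40
    p[0x80:0x84] = b"\x00" * 4
    return bytes(p)


# Constructed memory image: empty page, intact PE, empty page, corrupted PE, empty page.
SAMPLE_IMAGE = (
    bytes(PAGE) + build_fake_pe() + bytes(PAGE)
    + corrupt_headers(build_fake_pe()) + bytes(PAGE)
)

if __name__ == "__main__":
    for off, verdict in scan_image(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {verdict}")
```

On a real dump the scan would run over each process's private executable regions (the report's dllhost.exe image is the obvious target) rather than over page boundaries alone, and a hit on a headerless page is the cue to carve the region and rebuild the headers by hand, which is what the Fortinet analysts had to do before they could resolve the malware's API addresses.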
Conclusion
The investigation into this RAT underscores that defensive strategy has to evolve with the tradecraft. Organizations should adopt proactive threat hunting, memory scanning [1], and behavioral analytics, because a sample that corrupts its own headers and keeps its C2 traffic XOR-scrambled under TLS leaves little for file-format checks or network signatures to match. Monitoring legitimate processes for irregular memory allocation and abnormal API usage, and alerting on memory-only execution and encrypted connections to unfamiliar domains, are the practical counterparts of that shift. Blocking outbound traffic to unknown domains and keeping comprehensive PowerShell logging enabled round out the recommendations for detecting and containing unusual script activity. Source [1] takes the sophistication on display as a sign of possible state-backed development or of professionalized underground malware services, and warns that similar threats may already be in circulation.
References
[1] https://undercodenews.com/new-breed-of-cyber-stealth-advanced-rat-evades-detection-with-corrupted-headers-and-in-memory-execution/
[2] https://www.infosecurity-magazine.com/news/rat-corrupted-headers/
[3] https://ciso2ciso.com/new-malware-spooted-corrupts-its-own-headers-to-block-analysis-sourcehackread-com/
[4] https://rhyno.io/blogs/cybersecurity-news/fortinet-spots-windows-trojan-that-hides-on-file-headers/
[5] https://hackread.com/new-malware-corrupts-its-headers-block-analysis/