
Stealthy Windows RAT Evades Detection for Weeks with Corrupted Headers

A sophisticated new Windows Remote Access Trojan (RAT) has been discovered, capable of evading detection for weeks by employing corrupted DOS and PE headers. This novel approach challenges traditional analysis methods, allowing the malware to persist on compromised systems and pose a significant threat to cybersecurity.



Stealthy New Windows RAT Bypasses Detection

Cybersecurity researchers have uncovered a new Windows Remote Access Trojan (RAT) that has been operating undetected for weeks on compromised machines. This malware leverages an unusual technique: intentionally corrupting its DOS (Disk Operating System) and PE (Portable Executable) headers. These headers are crucial components of Windows executable files, providing essential information for the operating system to load and run programs. By corrupting them, the malware makes analysis and reconstruction significantly more challenging.
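As an added example (not code from the original report or from Fortinet's analysis), the following Python check shows what a parser sees when the DOS header of an image has been corrupted, and how an analyst falls back to scanning a dump for the PE signature. The test images are constructed inline; the 0x80 header offset and the field values are assumptions.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"

def check_pe_headers(image: bytes) -> list[str]:
    """Return header anomalies found in a raw image (file or memory dump).
    An empty list means the DOS header, PE signature and COFF header parse
    cleanly; if the DOS fields are unusable, also report whether a PE
    signature can still be located by scanning, as an analyst would."""
    findings = []
    if len(image) < 0x40:
        return ["image shorter than a DOS header (0x40 bytes)"]
    if image[:2] != MZ:
        findings.append(f"DOS e_magic is {image[:2]!r}, expected b'MZ'")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(image):
        findings.append(f"e_lfanew 0x{e_lfanew:x} is out of range")
        e_lfanew = None
    elif image[e_lfanew:e_lfanew + 4] != PE_SIG:
        findings.append(f"no PE signature at e_lfanew 0x{e_lfanew:x}")
        e_lfanew = None
    if e_lfanew is None:
        # Header fields cannot be trusted: fall back to scanning for the
        # signature, the usual starting point when reconstructing a dump.
        pos = image.find(PE_SIG)
        findings.append(f"PE signature found by scan at offset 0x{pos:x}"
                        if pos != -1 else "no PE signature anywhere in image")
        return findings
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 4)
    if machine not in (0x14C, 0x8664):  # IMAGE_FILE_MACHINE_I386 / AMD64
        findings.append(f"unexpected Machine 0x{machine:x}")
    if not 1 <= nsections <= 96:
        findings.append(f"implausible NumberOfSections {nsections}")
    return findings

def build_sample(corrupt: bool = False) -> bytes:
    """Constructed 256-byte test image; its DOS header points to a PE header at 0x80."""
    img = bytearray(0x100)
    img[:2] = MZ
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = PE_SIG
    struct.pack_into("<HH", img, 0x84, 0x8664, 3)  # Machine = AMD64, 3 sections
    if corrupt:
        # Zero the whole DOS header so e_magic and e_lfanew no longer lead a
        # parser to the PE header; this is what a corrupted-header dump looks like.
        img[:0x40] = bytes(0x40)
    return bytes(img)
```

Running `check_pe_headers(build_sample(corrupt=True))` returns three findings, the last of which reports the PE signature recovered by scanning at offset 0x80.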

Key Takeaways

  • A new Windows RAT utilizes corrupted DOS and PE headers to evade detection.

  • The malware can persist on compromised systems for weeks without being noticed.

  • Analysis of the malware requires replicating the compromised system's environment.

  • The RAT establishes contact with a Command and Control (C2) server via TLS.

  • It possesses capabilities for screenshot capture, system service manipulation, and acting as a server for incoming connections.

How The Malware Operates

Fortinet researchers, who identified this threat, found the malware running within a process. Despite the corrupted headers, they successfully analyzed a memory dump of the running process. Once executed, the malware decrypts its Command and Control (C2) domain information from memory and establishes a secure connection to that server using the TLS protocol. The main thread then enters a sleep state, awaiting the completion of the communication thread.

Advanced Capabilities and Multi-Threaded Architecture

Further analysis revealed that the malware is a full-fledged Remote Access Trojan with a range of malicious capabilities. These include:

  • Screenshot Capture: The ability to capture images of the compromised system's screen.

  • System Service Manipulation: Enumerating and manipulating system services on the host.

  • Server Functionality: Acting as a server to await incoming "client" connections.

The RAT implements a multi-threaded socket architecture, allowing it to spawn a new thread for each new attacker connection. This design facilitates concurrent sessions and supports more complex interactions, effectively transforming the compromised system into a remote-access platform for the attacker. This allows the threat actor to launch further attacks or perform various actions on behalf of the victim, highlighting the severe implications of this new threat.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers, The Hacker News.
