The perfect technique to avoid detection of RATs: cybercriminals use fileless malware in conjunction with PNG images
Security company SentinelOne has discovered a new technique used by malware developers to hide the most dangerous parts of Remote Access Trojans (RATs) in operating system memory and to store their configuration in PNG files.
The researchers first noticed this practice in a series of government-sponsored attacks against Asian countries. The malware used to carry out the attacks was NanoCore (also known as Nancrat), a RAT first detected in the spring of 2014.
In this particular campaign, the threat was distributed as an EXE file which, when run, in turn dropped a second executable. The first executable, which showed no malicious behavior of its own, was stored on disk, while the second was loaded directly into system memory using an encrypted DLL and a series of PNG files.
According to the SentinelOne researchers, because the second executable never "touches" storage, classic antivirus solutions cannot detect its malicious behavior; only security products that scan the operating system's memory are able to locate it.
If you are wondering what the role of the PNG files is, it is to hold the settings the RAT needs to operate. All of the images used look like nothing but a mess of random pixels, but when the second executable reads their content, those pixels form parts of the RAT payload as well as its configuration settings.
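As an added example (not code from the article or from SentinelOne), the following defender-side heuristic flags images of the kind described above: it parses a PNG, inflates the pixel data and measures its byte entropy, since an image that is really encoded payload or configuration looks like uniform noise, whereas a photo or icon does not. The `make_png` encoder and the two sample images are constructed here purely for the demonstration.

```python
import math, random, struct, zlib
from collections import Counter

# Added detection heuristic, not code from the article or from SentinelOne: a PNG
# whose pixel data is close to uniformly random noise is a candidate payload carrier.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BYTES_PER_PIXEL = {0: 1, 2: 3, 4: 2, 6: 4}  # gray, RGB, gray+alpha, RGBA (8-bit)

def png_scanlines(data):
    """Parse chunks, inflate IDAT and strip the filter byte from each row."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, row_len = 8, b"", 0
    while pos + 12 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype not in BYTES_PER_PIXEL:
                raise ValueError("only 8-bit, non-indexed PNGs are handled")
            row_len = 1 + width * BYTES_PER_PIXEL[ctype]
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4-byte length + 4-byte tag + body + 4-byte CRC
    raw = zlib.decompress(idat)
    # Filter type 0 leaves raw pixels; other filters leave prediction residuals,
    # which are still a fair proxy for how random the image content is.
    return b"".join(raw[i + 1:i + row_len] for i in range(0, len(raw), row_len))

def shannon_entropy(buf):
    """Bits per byte; 8.0 means the bytes are indistinguishable from random."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def looks_like_noise_carrier(png_bytes, threshold=7.5):
    """True when the image's pixel content is near maximum entropy."""
    return shannon_entropy(png_scanlines(png_bytes)) >= threshold

def make_png(width, height, rgb):
    """Minimal 8-bit RGB encoder, used only to construct the samples below."""
    def chunk(tag, body):
        crc = struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
        return struct.pack(">I", len(body)) + tag + body + crc
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

# Constructed samples: eight flat colour bands versus pseudo-random "pixels".
FLAT_PNG = make_png(64, 64, b"".join(bytes([(y // 8) * 32]) * 192 for y in range(64)))
NOISE_PNG = make_png(64, 64, random.Random(7).getrandbits(64 * 64 * 24).to_bytes(64 * 64 * 3, "big"))
```

The threshold is a starting point for triage, not proof: compressed or encrypted image content can also score high, so a hit is a reason to look at which process reads the file and what it does with the bytes.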