A campaign delivering the PureRAT remote access trojan (RAT) to Windows systems has been observed using a novel delivery method: the malicious code is hidden inside PNG image files, so the download that brings it in looks like an ordinary picture.
Fileless Execution and Steganography
This campaign's distinguishing feature is fileless execution: after the initial shortcut, the payload stages are decoded and run in memory rather than being written to disk as executables, which leaves file-based antivirus scanning with little to inspect. Steganography is used to conceal the payload inside seemingly innocuous PNG images, so the download itself attracts little suspicion and the threat is hard to spot.
The attack begins with a malicious Windows shortcut (.lnk), a file type users are accustomed to opening without a second thought. When opened, it runs a hidden PowerShell command that fetches a PNG file from a remote server. The image carries a Base64-encoded executable that the script extracts and decodes; to a viewer, and to a scanner that checks only the file type, it is just a picture.
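The page does not say exactly where in the PNG the Base64 data sits, so the following added Python example (not code from Trellix or from the campaign) checks the two simplest places a payload can hide in an image file without breaking the picture: bytes appended after the IEND chunk, and ancillary text chunks such as tEXt. It builds a constructed 1x1 PNG, plants a fake executable stub (an MZ header plus padding, not real malware) in each location, and scans for Base64 runs that decode to a PE header. Pixel-level steganography is not covered by this check; that would require decoding the image data itself.

```python
import base64
import re
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks whose bodies are image data; these are not scanned for Base64 text.
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
# Runs of at least 64 Base64 characters with optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"", text_chunk: Optional[bytes] = None) -> bytes:
    """Constructed 1x1 RGB PNG; optionally carries a tEXt chunk and/or bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\x00\x00\x00")           # filter byte + one black pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    if text_chunk is not None:
        png += _chunk(b"tEXt", b"Comment\x00" + text_chunk)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def parse_chunks(data: bytes) -> Tuple[List[Tuple[bytes, bytes]], bytes]:
    """Walk the chunk list up to IEND; return (chunks, bytes after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        chunks.append((ctype, body))
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def find_embedded_executables(data: bytes) -> List[str]:
    """Report trailing data after IEND and any Base64 blob that decodes to a PE (MZ) header."""
    chunks, trailer = parse_chunks(data)
    findings = []
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
    regions = [(b"trailer", trailer)] + [(t, b) for t, b in chunks if t not in IMAGE_CHUNKS]
    for where, blob in regions:
        for match in B64_RE.finditer(blob):
            try:
                decoded = base64.b64decode(match.group(0), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if decoded.startswith(b"MZ"):
                findings.append(f"Base64-encoded PE in {where.decode()} ({len(decoded)} bytes)")
    return findings


# Constructed stand-in for a dropped executable: an MZ header plus padding, no real code.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 70)
SAMPLE_CLEAN = build_sample_png()
SAMPLE_APPENDED = build_sample_png(trailer=FAKE_PE_B64)
SAMPLE_IN_TEXT_CHUNK = build_sample_png(text_chunk=FAKE_PE_B64)

if __name__ == "__main__":
    samples = [("clean", SAMPLE_CLEAN), ("appended", SAMPLE_APPENDED), ("tEXt", SAMPLE_IN_TEXT_CHUNK)]
    for name, png in samples:
        print(name, find_embedded_executables(png) or "no findings")
```

Run as a script it prints the findings for each sample. In practice the same function would be run over images fetched by PowerShell, whether pulled from proxy logs or from the endpoint; a PNG with data after IEND, or a text chunk that decodes to an MZ header, deserves a look regardless of which campaign produced it.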
Multi-Stage Infection Process
Researchers from Trellix analyzed the campaign and highlighted its complex infection chain and layered obfuscation. The initial PowerShell command is heavily obfuscated to hinder both manual analysis and automated detection, and the malware checks for virtual environments such as VMware so that it can stay dormant under sandbox analysis.
Once active, PureRAT collects system information, bypasses User Account Control (UAC) by abusing cmstp.exe (the Microsoft-signed Connection Manager profile installer), and uses process hollowing: it starts a legitimate Windows binary, msbuild.exe, and replaces that process's memory with its own code, so the payload runs under the name of a signed system executable. This keeps its footprint low while it connects to a command-and-control server for further instructions.
Preventative Measures and Recommendations
Organizations are advised to harden endpoints against script-based delivery. PowerShell's execution policy is not a security boundary, since a shortcut can launch powershell.exe with -ExecutionPolicy Bypass on its command line; application control (AppLocker or WDAC), PowerShell Constrained Language Mode and script block logging are the controls that actually restrict and record such scripts, and Windows Script Host (VBS) can be restricted the same way. Monitoring the use of Windows binaries such as cmstp.exe and msbuild.exe is crucial: these are legitimate, signed tools that are abused rather than exploited in the attack chain, so the parent process and command line, not the binary itself, are what reveal misuse.
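The process tree described above (PowerShell launched by a shortcut, cmstp.exe run against an INF file for the UAC bypass, msbuild.exe as the hollowing target) shows up in process-creation telemetry. The following added Python example, not a Trellix rule or part of the campaign, turns the monitoring advice of this section into three checks run over hand-written records that use the field names of Sysmon Event ID 1 (Image, ParentImage, CommandLine). The sample events, paths and encoded-command string are constructed for illustration; the /ni /s INF flags are the documented shape of the cmstp UAC bypass (MITRE T1218.003), while the parent and command-line checks for msbuild.exe are heuristics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records with the fields of a Sysmon Event ID 1 (process creation) event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    # What an .lnk-launched loader looks like: hidden window, policy bypass, encoded command.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\profile.inf"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe"},
    # Benign: a developer build started from Visual Studio with a project file.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
PROJECT_FILE = re.compile(r"\.(csproj|vbproj|proj|sln)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list means nothing suspicious)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    tokens = cmdline.lower().split()
    hits = []
    # Rule 1: cmstp.exe run silently (/s) with no icon (/ni) on an INF from a user-writable
    # path, which is the shape of the INF-based UAC bypass.
    if image == "cmstp.exe" and "/ni" in tokens and "/s" in tokens and USER_WRITABLE.search(cmdline):
        hits.append("cmstp_inf_uac_bypass")
    # Rule 2: msbuild.exe spawned by a script host, or started with no project file at all.
    # A hollowed msbuild.exe keeps its legitimate image path, so the parent and the
    # arguments are what give it away in process-creation telemetry.
    if image == "msbuild.exe" and (parent in SCRIPT_HOSTS or not PROJECT_FILE.search(cmdline)):
        hits.append("msbuild_suspicious_launch")
    # Rule 3: hidden or encoded PowerShell launched straight from the shell, as a shortcut does.
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe":
        lowered = cmdline.lower()
        if "-enc" in lowered or "hidden" in lowered:
            hits.append("powershell_hidden_encoded_from_explorer")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, Image) pairs for every matching event, in input order."""
    return [(rule, ev["Image"]) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```

Three of the five constructed events fire and the benign cmd.exe and Visual Studio build do not. The same logic ports directly to a SIEM query; the point is that every stage in this chain is a signed Microsoft binary, so allow-listing the image path is not enough and the parent-child relationship and arguments have to be part of the rule.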
Blocking known command-and-control domains and IP addresses and keeping systems patched help reduce exposure to attacks of this kind. User training is also essential so that staff do not open unexpected .lnk files or email attachments, even ones that appear to come from trusted senders.
As cyber threats like PureRAT evolve, it is crucial for organizations to remain vigilant and proactive in their cybersecurity measures to protect sensitive information and maintain system integrity.
