Emerging Windows RAT Successfully Bypasses Detection Mechanisms for Extended Periods Through Manipulated DOS and PE Headers
Cybersecurity researchers have unveiled a sophisticated cyber attack deploying malware whose DOS and PE headers have been deliberately corrupted. Both headers are part of every Windows PE file and carry the information the operating system needs to recognise and load an executable.
The DOS (Disk Operating System) header facilitates backward compatibility with MS-DOS, enabling the operating system to identify the file as a valid executable. In contrast, the PE (Portable Executable) header contains detailed metadata necessary for the Windows operating system to effectively load and execute programs.
According to research conducted by the FortiGuard Incident Response Team, the malware was discovered operational on a compromised machine for several weeks. The attackers executed a series of scripts and PowerShell commands to facilitate the malware’s execution within a Windows process.
Although Fortinet was unable to extract the malware itself, they successfully acquired both a memory dump of the active malware process and a complete memory dump of the infected machine. The distribution method of the malware and the extent of the campaign remain unknown.
The malware operates under the dllhost.exe process and is characterized as a 64-bit PE file. To evade detection, it employs corrupted DOS and PE headers to complicate analysis and payload reconstruction from memory.
Despite these challenges, Fortinet managed to analyze the dumped malware within a controlled environment by replicating the conditions of the compromised system through extensive trials and adjustments.
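As an added illustration, not code from the Fortinet report, the following Python triages a memory region that should begin with a PE image by checking the DOS signature, the e_lfanew pointer and the PE signature and machine field the article describes, so that wiped or out-of-range header values are reported instead of silently breaking reconstruction. The two sample buffers are constructed here; the constant names mirror the Windows SDK field names.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"          # start of the DOS header
IMAGE_NT_SIGNATURE = b"PE\x00\x00"   # start of the NT (PE) headers
IMAGE_FILE_MACHINE_AMD64 = 0x8664    # 64-bit PE, as in the analysed sample

def check_pe_headers(buf: bytes) -> dict:
    """Report which header checks pass for a dumped region.
    A corrupted header shows up as a failed check rather than an exception."""
    result = {"dos_sig": False, "e_lfanew_ok": False, "nt_sig": False,
              "machine": None, "is_x64": False}
    if len(buf) < 0x40:                      # too short to hold a DOS header
        return result
    result["dos_sig"] = buf[:2] == IMAGE_DOS_SIGNATURE
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # e_lfanew must land inside the buffer with room for the 4-byte signature
    # and the 20-byte IMAGE_FILE_HEADER that follows it.
    if 0x40 <= e_lfanew <= len(buf) - 24:
        result["e_lfanew_ok"] = True
        result["nt_sig"] = buf[e_lfanew:e_lfanew + 4] == IMAGE_NT_SIGNATURE
        machine = struct.unpack_from("<H", buf, e_lfanew + 4)[0]
        result["machine"] = machine
        result["is_x64"] = machine == IMAGE_FILE_MACHINE_AMD64
    return result

def build_sample(corrupt: bool) -> bytes:
    """Constructed test input: a minimal x64 PE header pair, optionally with
    the MZ signature, e_lfanew and PE signature wiped as an attacker might."""
    dos = bytearray(0x80)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)   # NT headers start at 0x80
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64,
                              1, 0, 0, 0, 0xF0, 0x22)
    nt = IMAGE_NT_SIGNATURE + file_header
    if corrupt:
        dos[:2] = b"\x00\x00"
        struct.pack_into("<I", dos, 0x3C, 0xFFFFFFFF)
        nt = b"\x00\x00\x00\x00" + nt[4:]
    return bytes(dos) + nt

if __name__ == "__main__":
    for label in ("intact", "corrupted"):
        print(label, check_pe_headers(build_sample(label == "corrupted")))
```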
Upon execution, the malware decrypts the command-and-control (C2) domain stored in memory and establishes communication with the C2 server (“rushpapers[.]com”), marking the initiation of a new threat vector.
Upon establishing a connection, the main thread of the malware enters a dormant state until the communication thread completes its operations. It maintains communication with the C2 server via the TLS protocol.
Further examination classified the malware as a Remote Access Trojan (RAT), equipped with functionalities such as screenshot capture, system service enumeration and manipulation, and the ability to act as a server awaiting incoming client connections.
The malware employs a multi-threaded socket architecture, allowing it to spawn new threads for each incoming connection from an attacker. This design not only supports concurrent sessions but also enables complex interactive features.
By leveraging this operational mode, the malware effectively transforms the compromised system into a platform for remote access, enabling the attacker to launch further attacks or perform various activities within the victim’s domain.