Cybersecurity researchers have unveiled a sophisticated cyber attack deploying malware characterized by corrupted DOS and PE headers. These components are critical to the functioning of Windows PE files, which provide essential information about executable files.<\/p>\n
The DOS (Disk Operating System) header facilitates backward compatibility with MS-DOS, enabling the operating system to identify the file as a valid executable. In contrast, the PE (Portable Executable) header contains detailed metadata necessary for the Windows operating system to effectively load and execute programs.<\/p>\n
According to research conducted by the FortiGuard Incident Response Team, the malware was discovered operational on a compromised machine for several weeks. The attackers executed a series of scripts and PowerShell commands to facilitate the malware’s execution within a Windows process.<\/p>\n
Although Fortinet was unable to extract the malware itself, they successfully acquired both a memory dump of the active malware process and a complete memory dump of the infected machine. The distribution method of the malware and the extent of the campaign remain unknown.<\/p>\n
The malware operates under the dllhost.exe process and is characterized as a 64-bit PE file. To evade detection, it employs corrupted DOS and PE headers to complicate analysis and payload reconstruction from memory.<\/p>\n
Despite these challenges, Fortinet managed to analyze the dumped malware within a controlled environment by replicating the conditions of the compromised system through extensive trials and adjustments.<\/p>\n
Upon execution, the malware decrypts command-and-control (C2) domain information stored in memory, establishing communication with a C2 server (“rushpapers[.]com”), marking the initiation of a new threat vector.<\/p>\n
Upon establishing a connection, the main thread of the malware enters a dormant state until the communication thread completes its operations. It maintains communication with the C2 server via the TLS protocol.<\/p>\n
Further examination classified the malware as a Remote Access Trojan (RAT), equipped with functionalities such as screenshot capture, system service enumeration and manipulation, and the ability to act as a server awaiting incoming client connections.<\/p>\n
The malware employs a multi-threaded socket architecture, allowing it to spawn new threads for each incoming connection from an attacker. This design not only supports concurrent sessions but also enables complex interactive features.<\/p>\n
By leveraging this operational mode, the malware effectively transforms the compromised system into a platform for remote access, empowering the attacker to execute further assaults or perform various activities in the victim’s domain.<\/p>\n","protected":false},"excerpt":{"rendered":"
Cybersecurity researchers have unveiled a sophisticated cyber attack deploying malware characterized by corrupted DOS and PE headers. These components are…<\/p>\n","protected":false},"author":1,"featured_media":1617,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[610,677,54],"class_list":["post-1616","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-commands","tag-headers","tag-malware"],"acf":[],"yoast_head":"\n