Crooks use fileless malware combined with steganography

Apr 22, 2016 10:30 GMT  ·  By

Security firm SentinelOne has described what it called a new technique used by malware authors: the most dangerous parts of a RAT (Remote Access Trojan) are kept only in memory, never on disk, and PNG image files are used to carry the RAT's configuration.

Researchers first observed the technique in a series of state-sponsored attacks against targets in Asian countries. The malware using it was NanoCore (also known as Nancrat), a RAT first detected in the spring of 2014.

In this campaign the threat arrived as an EXE file that, when run, unpacked a second EXE. Only the first EXE was ever written to disk, and by itself it exhibited no malicious behavior; the second EXE was reconstructed and injected directly into memory with the help of an encrypted DLL and a series of PNG files.

According to the SentinelOne team, because the second EXE never touches disk, classic file-scanning antivirus never sees it and never gets to flag its malicious behavior. Only security products that scan process memory would be able to pick up the second EXE.

The PNG files store configuration data for the RAT's normal mode of operation. Viewed as images they are just a mess of random-looking pixels, but when the second EXE reads their pixel data, the bytes reassemble into parts of the RAT payload and its configuration settings. For defenders this is a useful triage signal in its own right: a file that parses as a valid PNG and opens in a viewer, yet shows no recognizable picture and whose pixel data is close to uniformly random, deserves a closer look.
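
The following Python is an added illustration and is not SentinelOne's analysis code or NanoCore's own format. It implements a hypothetical version of the scheme the article describes: a configuration blob is XORed with a short key, written as the raw pixel bytes of a valid 8-bit greyscale PNG (built with the standard library only), and recovered by parsing the PNG back and reversing the steps. The "settings" string, the key and the field names are constructed for the example. It also shows the practical triage check mentioned above, Shannon entropy of the pixel data, which is a heuristic and not proof of steganography.

```python
import random
import struct
import zlib
from math import log2

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    """Build one PNG chunk: length, tag, data, CRC32 over tag+data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def _grey_png(width, height, pixels):
    """Wrap raw 8-bit greyscale pixels (width*height bytes) in a valid PNG,
    using filter type 0 (none) on every scanline."""
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # 8-bit depth, colour type 0
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def embed_config(config, key, width=64, min_height=32, seed=1):
    """Hide `config` in the pixel bytes of a grey PNG (hypothetical scheme, not NanoCore's).
    Layout: 4-byte big-endian length, then the payload, all XORed with a repeating key;
    the remaining pixels are pseudo-random padding so the whole image looks like noise.
    The fixed seed only makes the padding reproducible."""
    plain = struct.pack(">I", len(config)) + config
    obf = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))
    height = max(min_height, -(-len(obf) // width))
    rng = random.Random(seed)
    pad = bytes(rng.getrandbits(8) for _ in range(width * height - len(obf)))
    return _grey_png(width, height, obf + pad)


def pixel_bytes(png):
    """Parse an unfiltered 8-bit greyscale PNG and return its pixel bytes."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 0):
                raise ValueError("example only handles 8-bit greyscale")
        elif tag == b"IDAT":
            idat += data          # image data may be split over several IDAT chunks
        pos += 12 + length        # 4 length + 4 tag + data + 4 CRC
    raw = zlib.decompress(idat)
    stride = width + 1            # one filter byte, then one byte per pixel
    rows = [raw[r * stride:(r + 1) * stride] for r in range(height)]
    if any(row[0] != 0 for row in rows):
        raise ValueError("example only handles filter type 0")
    return b"".join(row[1:] for row in rows)


def extract_config(png, key):
    """Reverse embed_config(): XOR the pixels with the key and cut out the payload."""
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(pixel_bytes(png)))
    (n,) = struct.unpack(">I", plain[:4])
    return plain[4:4 + n]


def pixel_entropy(png):
    """Shannon entropy of the pixel bytes in bits per byte (8.0 = uniform noise).
    Cheap triage heuristic: a 'picture' whose pixels are near-uniformly random
    deserves a closer look; it is not proof of hidden data on its own."""
    pix = pixel_bytes(png)
    counts = [0] * 256
    for b in pix:
        counts[b] += 1
    return -sum(c / len(pix) * log2(c / len(pix)) for c in counts if c)


if __name__ == "__main__":
    # Constructed sample "RAT settings"; the field names are made up for illustration.
    cfg = b"host=203.0.113.10;port=4444;mutex=abc123;keylog=1"
    key = b"\x5a\xa5\x3c\xc3"
    png = embed_config(cfg, key)
    print(len(png), "bytes of PNG, recovered:", extract_config(png, key))
    print("stego image entropy: %.2f bits/byte" % pixel_entropy(png))
    flat = _grey_png(64, 32, bytes([128]) * (64 * 32))
    print("flat image entropy: %.2f bits/byte" % pixel_entropy(flat))
```

The generated file opens in any image viewer as grey static, which is exactly the "mess of random pixels" the researchers describe. Note that the entropy check only catches carriers that are noise end to end; a real campaign could hide a smaller payload inside a genuine photograph (for instance in the least significant bits), where pixel entropy would look normal and you would need to compare against the original image or look for the loader that reads the file.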

UPDATE: Malware analysts from @MalwareHunterTeam told Softpedia that the technique is not actually new and has been seen in the past by other researchers. See the tweet below.

Photo gallery (2 images): NanoCore's settings stored as PNG files; one of NanoCore's PNG settings files.