Batu69 Posted April 22, 2016

Crooks use fileless malware combined with steganography
NanoCore's settings stored as PNG files

Security firm SentinelOne discovered a new technique leveraged by malware coders who hide the most dangerous parts of RATs (Remote Access Trojans) inside OS memory and use PNG files as configuration files.

Researchers first observed the technique in a series of state-sponsored attacks against Asian countries. The malware it was used with is NanoCore (also known as Nancrat), a RAT first detected in the spring of 2014.

For this campaign, the threat was distributed as an EXE file that, when launched, would extract a second EXE. Only the first EXE was stored on disk, and it contained no malicious behavior; the second EXE was injected into system memory with the help of an encrypted DLL and a series of PNG files.

According to the SentinelOne team, because this second EXE never touched the storage space, classic antivirus solutions never picked up its malicious behavior. Only security products that scan OS memory would be able to pick up the second EXE.

If you're curious, the role of the PNG files is to store configuration data for the RAT's normal mode of operation. All the images are just a mess of random pixels, but when the second EXE reads their content, they assemble back into parts of the RAT payload and its configuration settings.
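To make the "random pixels that reassemble into a payload" idea concrete, here is an added example that is not from the SentinelOne write-up and is not NanoCore's own encoding (the page does not describe that scheme, so nothing below reproduces it). It uses only the Python standard library: a minimal PNG writer that lays a length-prefixed blob straight into 8-bit RGB pixel bytes, a chunk parser that verifies CRCs and recovers the blob, and a Shannon-entropy check that flags a PNG whose pixel bytes look like packed ciphertext or compressed data rather than a picture. The payload, the gradient "real image", and the 7.0 bits/byte threshold are all constructed assumptions for the demo.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap raw 8-bit RGB pixel bytes in a valid PNG (filter byte 0 = None before every row)."""
    stride = width * 3
    if len(pixels) != stride * height:
        raise ValueError("pixel buffer does not match width*height*3")
    raw = b"".join(b"\x00" + pixels[i * stride:(i + 1) * stride] for i in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit depth, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(blob: bytes):
    """Walk the chunks, verify each CRC, inflate IDAT and strip the per-row filter bytes.
    Only the subset build_png emits (non-interlaced 8-bit RGB, filter 0) is handled; else raise."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, ihdr, idat = 8, None, bytearray()
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %s chunk" % ctype.decode("ascii", "replace"))
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if ihdr is None:
        raise ValueError("missing IHDR")
    width, height, depth, colour, _, _, interlace = ihdr
    if (depth, colour, interlace) != (8, 2, 0):
        raise ValueError("example only handles non-interlaced 8-bit RGB")
    stride = width * 3 + 1
    raw = zlib.decompress(bytes(idat))
    rows = [raw[i * stride:(i + 1) * stride] for i in range(height)]
    if any(row[:1] != b"\x00" for row in rows):
        raise ValueError("example only handles filter type 0")
    return width, height, b"".join(row[1:] for row in rows)


def encode_payload(payload: bytes, width: int = 64) -> bytes:
    """Length-prefix the payload and lay it straight into RGB pixel bytes, zero-padding the last row."""
    data = struct.pack(">I", len(payload)) + payload
    stride = width * 3
    height = -(-len(data) // stride)  # ceiling division
    return build_png(data.ljust(height * stride, b"\x00"), width, height)


def decode_payload(blob: bytes) -> bytes:
    """Inverse of encode_payload: read the length prefix, then return that many payload bytes."""
    _, _, pixels = parse_png(blob)
    (n,) = struct.unpack(">I", pixels[:4])
    if n > len(pixels) - 4:
        raise ValueError("length prefix exceeds pixel data")
    return pixels[4:4 + n]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, approaching 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_carrier(blob: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: neighbouring pixels of a real picture are correlated, so its raw pixel bytes sit
    well below 8 bits/byte, while compressed or encrypted data packed into pixels sits close to it.
    The threshold is an assumption for this demo, not a tuned detection value."""
    _, _, pixels = parse_png(blob)
    return shannon_entropy(pixels) > threshold


# Constructed inputs for the demo (not real NanoCore artefacts).
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 high-entropy bytes
GRADIENT_PNG = build_png(bytes(v for y in range(16) for x in range(64) for v in (x * 4, y * 16, 128)), 64, 16)
CARRIER_PNG = encode_payload(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("round trip ok:", decode_payload(CARRIER_PNG) == SAMPLE_PAYLOAD)
    for name, png in (("gradient", GRADIENT_PNG), ("carrier", CARRIER_PNG)):
        print("%-8s entropy %.2f bits/byte  flagged=%s" % (name, shannon_entropy(parse_png(png)[2]), looks_like_carrier(png)))
```

Two caveats a practitioner should keep in mind. First, the entropy test catches the crude "whole blob in the pixels" case; a payload spread into the low bits of a genuine photograph barely moves the picture's entropy and needs a different test. Second, the PNG files themselves are benign by file-type and hash, which is exactly why disk scanning misses them: the interesting event is the process that reads them and turns the bytes into executable code in memory.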
straycat19 Posted April 22, 2016

Another malware piece that can be stopped dead in its tracks by not allowing anything to run from the AppData folder. As long as I can remember, all the major AV programs have been scanning memory areas as a major part of their scanning process by default.
steven36 Posted April 22, 2016

1 hour ago, straycat19 said: Another malware piece that can be stopped dead in its tracks by not allowing anything to run from the AppData folder. As long as I can remember, all the major AV programs have been scanning memory areas as a major part of their scanning process by default.

It would only work right in a business.

Quote: Those recommendations would work perfectly in an environment where NO users are allowed to install software, and NONE of the approved software executes from the mentioned locations. The workstations have the approved software pre-installed in the workstation image and updated by script.

For a normal home user who runs as an admin, this would break most people's PCs, where stuff wouldn't run or install. It's an issue that Microsoft is trying to resolve by making Windows Store apps that run sandboxed instead. It's not an issue IT can solve for a home user.
CODYQX4 Posted April 23, 2016

On 4/22/2016 at 5:06 PM, steven36 said: It would only work right in a business. For a normal home user who runs as an admin, this would break most people's PCs, where stuff wouldn't run or install. It's an issue that Microsoft is trying to resolve by making Windows Store apps that run sandboxed instead. It's not an issue IT can solve for a home user.

A good way to keep your parents from installing the free smilies is to use NTFS permissions to ban execute/traverse on Downloads and TEMP. Yes, that's going to break a metric shit-ton of installers, but if all they do is browse the web it's more secure than any AV. Prevention is always better than cure.
steven36 Posted April 24, 2016

15 hours ago, CODYQX4 said: A good way to keep your parents from installing the free smilies is to use NTFS permissions to ban execute/traverse on Downloads and TEMP. Yes, that's going to break a metric shit-ton of installers, but if all they do is browse the web it's more secure than any AV. Prevention is always better than cure.

If all they do is browse the web, maybe they should think about installing something besides Windows, where you don't have as many malwares. Nothing is malware free, but the fact is that most of it is written for Windows. Malware is so common on Windows that people think "oh well, another piece of Windows malware" and shrug it off. If Mac OS X or Linux has a breakout, which doesn't happen very often, then the mainstream media that use Windows try to have a field day out of it, even though it's very low risk that it would ever happen to you. I never used AV prevention on Linux, nor do most who use it, and never had any problems.

Going back to Windows, even many portable apps need access to AppData when executed, and they delete the folders and data when you're done. I only need Windows to run certain apps I can't get on Linux; if all I did was surf, I would have no need for it.

If my parents install something after I told them not to be installing stuff and to let me do it, and warned them time and time again that they will catch malware from downloading crap and clicking emails from places they don't know, and they mess up their PCs, they will have to buy me the stuff to fix it or buy a new PC. It doesn't matter to me.

Besides, almost every scanner I ever used on Windows scans the computer's memory. I wonder what kind of crappy anti-malware they were using that doesn't?

On 4/22/2016 at 10:55 AM, Batu69 said: classic antivirus solutions never picked up its malicious behavior. Only security products that scan OS memory would be able to pick up the second EXE.

Every time I reboot, my antivirus scans OS memory with a startup scan; even most on-demand scanners do this if you run a scan. So it's far from being perfect; being perfect would mean that it can't be detected at all. Maybe this would have been almost perfect back in the first decade of the century, but not with the scanners of today. Maybe this is a problem if you were running the built-in Windows Defender or no scanner at all?

(screenshot: Startup Scan NOD32)

If you only use WD, get Malwarebytes and do scans from time to time. Memory scanning has been around a long while.

Memory scan https://blog.malwarebytes.org/cybercrime/2014/03/memory-scan/