Jump to content

New Attack Technique Hides Spread of RATs in Asia


Recommended Posts



New Attack Technique Hides Spread of RATs in Asia



SentinelOne last week announced that it has detected a technique being used in Asia to infect systems with remote access Trojans that ensures that the payload remains in memory throughout its execution and doesn't touch the victim's computer disk in an unencrypted state.


Attackers remain hidden from antivirus technologies and next-generation technologies that focus only on file-based threats, according to SentinelOne.

The samples analyzed also can detect the presence of a virtual machine, preventing them from being analyzed in a network sandbox.

Remote access Trojans, or RATs, aren't new but the technique is, said Joseph Landry, senior security researcher at SentinelOne.

"We expect to see an increase in fileless-based attacks that execute in memory to avoid detection," he told TechNewsWorld.


How It Works

The main binary is a packed .NET DLL bearing the name "Benchmark."

When run, it copies itself to %APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe and extracts a second binary named "PerfWatson.exe." It then executes both binaries from memory.

A registry key is created at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load for persistence. That points to the PerfWatson.exe binary.

The RAT then tries to connect back to its control server, chickenkiller.com, which was down when SentinelOne checked. It apparently is owned by a free dynamic DNS service.
More About the Malware

The main executable in the Benchmark .NET DLL contains an XOR-encrypted .NET DLL in its .NET managed resources, as well as the logic to unpack and inject the RAT and monitor the PerfWatson.exe.


The settings for Benchmark and the NanoCore remote administration tool contained in the malware are serialized, DES encrypted, spliced and stored across multiple PNG files as pixel data, SentinelOne found. The PNG files are concatenated and stored in the main executable's .NET managed resources.

Once the encrypted DLL is decrypted, it's linked into the process using System.Reflection.Assembly.Load(byte[]). That ensures that the DLL will be retained in memory and not written to the filesystem.

The set options are then executed, and the NanoCore payload is injected into a new child process.


Detecting the RAT

SentinelOne detected the RAT because the dynamic behavior tracking engine in its platform "continuously looks for malicious behaviors all the way down to the user-space/kernel-space interface," Landry said.

Since communications between the payload being executed in memory and the kernel must be unencrypted, SentinelOne can detect execution at both process points -- when the Benchmark DLL is injected and when the RAT payload is injected, he noted.

Landry could not specify where in Asia the technique is being used.

Memory-only malware "is not a new threat," asserted Allison Nixon, director of security research at Flashpoint.

Detecting malware at the entry point of a network before it executes on a target machine "is easier to deal with from a remediation standpoint," she told TechNewsWorld.


Been There, Seen That

SentinelOne discusses two techniques -- decrypting an embedded resource and using .NET Reflection to dynamically load it, and injecting a PE file…


Link to comment
Share on other sites

  • Views 434
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...