A sophisticated new strain of malware has been operating undetected on Windows systems for several weeks, utilizing advanced evasion techniques that deliberately corrupt its Portable Executable (PE) headers. This innovative approach prevents traditional analysis methods from identifying the threat, marking a significant evolution in cyber threats targeting Microsoft Windows environments.
During a recent incident investigation, security researchers uncovered this malicious software embedded within the memory of a compromised system. It had successfully evaded detection while maintaining persistent access for an extended period. The malware was identified after the researchers obtained a comprehensive 33GB memory dump from an infected machine, which revealed its presence within a dllhost.exe process running under process ID 8200.
The attack appears to have been executed through a series of batch scripts and PowerShell commands, showcasing the attackers’ sophisticated understanding of Windows system architecture. Analysts at Fortinet have classified this malware as a Remote Access Trojan (RAT), equipped with extensive capabilities for system compromise and data exfiltration.
Researchers faced challenges in obtaining the original malware executable due to its advanced evasion mechanisms, which necessitated complex memory forensics techniques to fully comprehend its functionality. The malware’s deployment strategy involves corrupting critical file structure components essential for security analysis tools, highlighting a concerning trend in malware development where threat actors increasingly adopt sophisticated anti-analysis techniques to prolong their operational lifespan on compromised systems.
This particular strain exhibits capabilities such as screenshot capture and transmission, remote server functionality for command and control operations, and comprehensive system service manipulation through Windows Service Control Manager APIs. Its ability to operate undetected while maintaining full system access poses a significant security concern for enterprise environments.
The command and control infrastructure of this malware utilizes encrypted communications, employing Windows security APIs such as SealMessage() and DecryptMessage() to secure data transmission between the compromised system and remote servers. This encryption layer further complicates network-based detection for traditional security monitoring systems.
Advanced Header Corruption Evasion Technique
The malware’s most distinctive characteristic is its deliberate corruption of DOS and PE headers, a technique specifically designed to hinder reverse engineering efforts. When Windows loads a PE file into memory, it reads and parses these headers to map the executable correctly. Once the image is running, the loader no longer needs these headers, so a process can overwrite them in its own memory without affecting execution, and malicious actors exploit this architectural characteristic.
Both the DOS and PE headers have been systematically overwritten with null bytes, resulting in regions of zeros where critical file structure information would typically reside. This corruption complicates the reconstruction of the complete executable from memory dumps, as traditional tools rely on these headers to understand the file’s organization and entry points.
Researchers had to manually locate the malware’s entry point function, usually identified by the instruction sub rsp, 28h in 64-bit executables. Through meticulous analysis using IDA Pro, they discovered eight instances of this instruction pattern and ultimately determined that the function at address 0x1C3EEFEE0A8 served as the actual entry point. This manual reconstruction process underscores the significant analytical overhead imposed by this evasion technique.
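The two forensic checks this section describes, whether a dumped image's DOS/PE headers have been nulled and where the sub rsp, 28h prologues fall, as an added Python example that is not Fortinet's tooling or the malware's code. The image it scans is constructed inline so it runs offline; the 0x400-byte header span, the 16-byte alignment and the padding-byte rule used to rank candidates are assumptions of this example, not something the report states, and the analyst still has to confirm the real entry point by reading the code.

```python
"""Triage helper for a memory-dumped PE image whose DOS/PE headers were nulled.

Added example, not Fortinet's tooling. The sample image is constructed inline;
all bytes and offsets are illustrative only.
"""
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# x86-64 encoding of `sub rsp, 28h`, the prologue the report searched for
SUB_RSP_28H = b"\x48\x83\xec\x28"
HEADER_SPAN = 0x400  # assumed size of DOS stub + PE headers in the mapping


def headers_present(image: bytes) -> bool:
    """True when a DOS header, e_lfanew and PE signature can be parsed."""
    if len(image) < 0x40 or image[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == PE_MAGIC


def headers_wiped(image: bytes, span: int = HEADER_SPAN) -> bool:
    """Heuristic for the evasion described: the header region is all zeros
    while the rest of the mapping still holds non-zero content."""
    return len(image) > span and not any(image[:span]) and any(image[span:])


def find_sub_rsp_28h(image: bytes) -> list[int]:
    """Every offset at which `sub rsp, 28h` occurs (the 'eight instances')."""
    hits, pos = [], image.find(SUB_RSP_28H)
    while pos != -1:
        hits.append(pos)
        pos = image.find(SUB_RSP_28H, pos + 1)
    return hits


def entry_candidates(image: bytes) -> list[int]:
    """Narrow the hits to ones that look like function starts: 16-byte
    aligned and preceded by padding (int3 0xCC or 0x00). Heuristic only."""
    out = []
    for off in find_sub_rsp_28h(image):
        if off % 16 == 0 and (off == 0 or image[off - 1] in (0xCC, 0x00)):
            out.append(off)
    return out


def build_sample(wipe_headers: bool) -> bytes:
    """Constructed image: a header region followed by a small code region."""
    hdr = bytearray(HEADER_SPAN)
    if not wipe_headers:
        hdr[0:2] = DOS_MAGIC
        struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature
        hdr[0x80:0x84] = PE_MAGIC
    code = bytearray(b"\xCC" * 0x100)  # int3 padding between functions
    # sub rsp,28h; mov rax,rcx; add rsp,28h; ret  (two aligned functions)
    func = SUB_RSP_28H + b"\x48\x8b\xc1" + b"\x48\x83\xc4\x28" + b"\xc3"
    code[0x00:0x00 + len(func)] = func
    code[0x40:0x40 + len(func)] = func
    code[0x23:0x27] = SUB_RSP_28H  # unaligned, mid-function occurrence
    code[0x5F] = 0x90               # nop, not padding: excluded by the rule
    code[0x60:0x64] = SUB_RSP_28H
    return bytes(hdr + code)


if __name__ == "__main__":
    img = build_sample(wipe_headers=True)
    print("headers present:", headers_present(img))
    print("headers wiped:  ", headers_wiped(img))
    print("all hits:       ", [hex(o) for o in find_sub_rsp_28h(img)])
    print("candidates:     ", [hex(o) for o in entry_candidates(img)])
```

Against a real dump the offsets would be rebased to the region's load address (the report's 0x1C3EEFEE0A8 is such an address), and the candidate list is only a starting point for manual review in a disassembler.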
Moreover, the malware required complex import table resolution to function correctly in the researchers’ controlled environment. The threat dynamically calculates API addresses using XOR operations and indirect jumps, as illustrated in the code sequence at address 0x1C3EEEE1CE0, which ultimately resolves to legitimate Windows API functions like those exported from GDI32.dll at address 0x7FFD74224630.