Researchers discovered a new trick for concealing the installation of Remote Access Trojans (RATs), after identifying malware samples that never touch the hard drive throughout execution, remaining in memory until the malware is fully enabled and cybercriminals can take control.
According to a blog post by SentinelOne, this under-the-radar technique helps the attack evade not only traditional antivirus solutions that look for malicious code signatures, but even some next-generation solutions that monitor only file-based threat vectors.
Joseph Landry, senior security researcher at SentinelOne, told SCMagazine.com that the technique was first discovered in February, and while it was spotted initially in a handful of Asian countries it has most recently surfaced in the U.S. as well. This novel technique can be applied broadly to any known RAT, although the sample SentinelOne specifically found and analyzed was the malware known as NanoCore.
Once downloaded, the malware connects to a command and control server, located on the chickenkiller.com domain, which appears to have been taken down. Upon connection with the C&C server, the payload is not actually written to disk. Instead, it is injected into a newly created process in memory. To further evade cybersecurity measures, Landry continued, the technique “encodes and encrypts the payload and stores it inside of image files, which would normally look innocuous to antivirus solutions” because typically images don't contain executable code.
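The article does not say how the payload was placed inside the image files, so the following is an added example of one general defender-side check, not code from the article or from SentinelOne's analysis: well-formed PNG and JPEG files end at a fixed marker (the IEND chunk and the EOI marker respectively), so any bytes after that marker are worth a look, and high Shannon entropy in those bytes is consistent with encrypted or encoded content rather than a text comment. The sample images and the "encrypted blob" are constructed in the script; the 64-byte and 7.0 bits-per-byte thresholds are assumptions chosen for this illustration.

```python
"""Flag image files that carry extra data after the format's end marker.

Added example, not from the article or SentinelOne. The check is a general
heuristic (trailing data + entropy), not a description of the NanoCore sample.
"""
import math
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, low for text or padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + payload + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG segments (skipping APPn thumbnails and scan data) to the EOI marker."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI
            return pos + 2
        if marker == 0xFF:                        # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xD8):  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def inspect_image(data: bytes, min_trailer=64, entropy_threshold=7.0) -> dict:
    """Report bytes found after the image end marker and whether they look encrypted."""
    kind, end = "png", png_end_offset(data)
    if end is None:
        kind, end = "jpeg", jpeg_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailing_bytes": 0, "entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = round(shannon_entropy(trailer), 2)
    return {"format": kind, "trailing_bytes": len(trailer), "entropy": ent,
            "suspicious": len(trailer) >= min_trailer and ent >= entropy_threshold}


# --- constructed samples (not real malware artifacts) ---------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Valid 1x1 RGB PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")    # filter byte + one red pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Structurally minimal JPEG: SOI, an APP0 segment, SOS, stuffed scan bytes, EOI."""
    return (JPEG_SOI + b"\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x02"
            + b"\x01\x02\xff\x00\x03\xff\xd0\x04" + b"\xff\xd9")


# Stand-in for an encrypted payload: every byte value equally often gives entropy 8.0.
SAMPLE_ENCRYPTED_BLOB = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in [("clean png", build_sample_png()),
                        ("png + blob", build_sample_png() + SAMPLE_ENCRYPTED_BLOB),
                        ("jpeg + blob", build_sample_jpeg() + SAMPLE_ENCRYPTED_BLOB),
                        ("png + comment", build_sample_png() + b"comment text " * 10)]:
        print(label, inspect_image(blob))
```

A clean image yields zero trailing bytes; appending the constructed blob to either format is flagged, while a plain-text trailer is not. Run over a directory of images, a hit only means "this file has more in it than a picture", which is where a behavioural or memory-level review, of the kind Landry recommends, would pick up from.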
This particular malware strain also was programmed to detect and avoid sandbox environments that researchers may have set up to dissect the malicious code.
To combat this particular threat, Landry recommended a behavior-based anti-malware solution capable of identifying and analyzing unusual system behavior on a kernel level.