Incident Response, Malware, Network Security, TDR

New technique hides RATs in memory, never touching disk during its execution

Researchers discovered a new trick for concealing the installation of Remote Access Trojans (RATs), after identifying malware samples that never touch the hard drive throughout execution, remaining in memory until the malware is fully enabled and cybercriminals can take control.

According to a blog post by SentinelOne, this new under-the-radar technique helps the attack avoid detection from not only traditional antivirus solutions that look for malicious code signatures, but even some next-generation solutions that monitor only file-based threat vectors.

Joseph Landry, senior security researcher at SentinelOne, told SCMagazine.com that the technique was first discovered in February, and while it was spotted initially in a handful of Asian countries it has most recently surfaced in the U.S. as well. This novel technique can be applied broadly to any known RAT, although the sample SentinelOne specifically found and analyzed was the malware known as NanoCore.

Once downloaded, the malware connects to a command and control server, located on the chickenkiller.com domain, which appears to have been taken down. Upon connection with the C&C server, the payload is not actually written to disk. Instead, it is injected into a new process created in memory instead. To further evade cybersecurity measures, Landry continued, the technique “encodes and encrypts the payload and stores it inside of image files, which would normally looks innocuous to antivirus solutions” because typically images don't contain executable code.

This particular malware strain also was programmed to detect and avoid sandbox environments that researchers may have set up to dissect the malicious code.

To combat this particular threat, Landry recommended a behavior-based anti-malware solution capable of identifying and analyzing unusual system behavior on a kernel level.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.