Attackers Are Using A New Way To Bypass RAT Detection

Criminals have used Remote Access Trojans (RATs) for many years to reach the files stored on a victim's computer and to control its resources, such as the camera and microphone.

Traditionally, a RAT infects a system when the user opens a malicious e-mail attachment or downloads a file from a website or a peer-to-peer network. Both vectors rely on a file being written to disk to deliver the malware, so such attacks are comparatively easy to detect.

According to researchers at the cyber security company SentinelOne, cybercriminals have started using a new technique to distribute remote access Trojans that bypasses security solutions.

The method lets the attackers load the payload directly into memory, bypassing antivirus software and other modern tooling that can only detect file-based threats.

In the new method the malicious payload is decrypted and executed entirely in memory and never touches the disk in unencrypted form.

The researchers stressed that neither the remote access Trojans themselves nor the evasion technique is new. SentinelOne analysed the infection chain using the NanoCore Trojan, but the method is equally suited to other well-known RATs.

After it runs on a system, the malware copies itself to %APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe, extracts a second executable, PerfWatson.exe, and runs both.
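The drop location and the two file names above are the only host artifacts the report gives, and they are enough for a first-pass detection rule. The following is an added example, not code from SentinelOne's analysis: the event schema, usernames and paths in SAMPLE_EVENTS are constructed, and the rules key on the FeedCache directory and the parent/child relationship rather than on the file names alone, because a bare name match would also fire on an unrelated program that happens to use the same name.

```python
from pathlib import PureWindowsPath

# Drop directory reported for the sample (directory part only; %APPDATA% expands to
# C:\Users\<user>\AppData\Roaming on a default install).
FEEDCACHE_DIR = PureWindowsPath(r"Microsoft\Blend\14.0\FeedCache")
DROPPED_NAMES = {"nvscpapisrv.exe", "perfwatson.exe"}

# Constructed events in a simplified schema (not real Sysmon/EDR output): one dict per event.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\PerfWatson.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\PerfWatson.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Benign-looking write of a non-executable into the same directory: must not fire.
    {"type": "file_create", "image": r"C:\Program Files\SomeIde\Blend.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\feed.xml"},
]


def under_feedcache(path: str) -> bool:
    """True if the FeedCache directory appears anywhere in the path (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    needle = [p.lower() for p in FEEDCACHE_DIR.parts]
    return any(parts[i:i + len(needle)] == needle for i in range(len(parts) - len(needle) + 1))


def classify(event: dict) -> list[str]:
    """Return the indicator names an event matches; an empty list means benign under these rules."""
    hits = []
    path = event.get("target") or event.get("image") or ""
    name = PureWindowsPath(path).name.lower()
    if event.get("type") == "file_create" and under_feedcache(path) and name.endswith(".exe"):
        hits.append("executable written to Blend FeedCache")
    if event.get("type") == "process_create":
        if under_feedcache(path):
            hits.append("process launched from Blend FeedCache")
        if under_feedcache(event.get("parent", "")):
            hits.append("parent process lives in Blend FeedCache")
    if name in DROPPED_NAMES and "\\appdata\\roaming\\" in path.lower():
        hits.append(f"reported dropper name {name} under AppData")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and matched indicators for every event that trips at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(hits))
```

The rule for a process whose parent also lives in the FeedCache directory is the one that survives a renamed dropper: the first two rules depend on the attacker keeping the reported path, whereas a self-copy followed by launching a second executable from the same user-writable directory is the behaviour the paragraph actually describes.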

An encrypted dynamic link library (DLL) is responsible for unpacking and deploying the RAT; it is decrypted and copied into memory. The configuration for the DLL and the NanoCore executable itself are stored in the pixel data of several PNG files.
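To make the carrier mechanism concrete, here is an added example; it is not SentinelOne's code, and the exact encoding NanoCore's loader uses is not described in the report. It hides a byte blob as the pixel values of a valid 8-bit greyscale PNG, recovers it in memory with a minimal standard-library parser (the way a loader would, without writing the decoded bytes to disk), and shows a heuristic a defender can apply: pixel data that is really ciphertext or packed code has near-maximal byte entropy, unlike a smooth image. The 4-byte length prefix, the greyscale layout and the pseudo-random stand-in for the encrypted payload are this example's own choices.

```python
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, data, CRC-32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def png_from_pixels(pixels: bytes, width: int, height: int) -> bytes:
    """Build a valid 8-bit greyscale PNG: one byte per pixel, filter type 0 on every scanline."""
    assert len(pixels) == width * height
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, colour type 0 (grey)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_from_bytes(payload: bytes, width: int = 64) -> bytes:
    """Hide arbitrary bytes as pixel values. The 4-byte big-endian length prefix is a layout
    chosen for this example so the reader can separate payload from zero padding."""
    body = struct.pack(">I", len(payload)) + payload
    height = -(-len(body) // width)                        # ceiling division
    body += b"\x00" * (width * height - len(body))
    return png_from_pixels(body, width, height)


def pixels_from_png(png: bytes) -> tuple[int, int, bytes]:
    """Walk the chunk list, inflate IDAT and strip the per-scanline filter byte."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 0:
                raise ValueError("example handles 8-bit greyscale only")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length                                 # 4 length + 4 tag + data + 4 crc
    raw = zlib.decompress(idat)
    rows = []
    for r in range(height):
        line = raw[r * (width + 1):(r + 1) * (width + 1)]
        if line[0] != 0:
            raise ValueError("example handles filter type 0 only")
        rows.append(line[1:])
    return width, height, b"".join(rows)


def bytes_from_png(png: bytes) -> bytes:
    """What an in-memory loader does: recover the hidden bytes without writing them anywhere."""
    _, _, pix = pixels_from_png(png)
    n = struct.unpack(">I", pix[:4])[0]
    return pix[4:4 + n]


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; ciphertext or packed code sits near 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def pseudo_random_blob(n: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed for this example)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(-(-n // 32)))
    return out[:n]


def gradient_png(width: int = 64, height: int = 64) -> bytes:
    """A smooth, plausible-looking image, used as the benign comparison point."""
    pix = bytes(((x + y) // 2) & 0xFF for y in range(height) for x in range(width))
    return png_from_pixels(pix, width, height)


if __name__ == "__main__":
    carrier = png_from_bytes(pseudo_random_blob(4096))
    assert bytes_from_png(carrier) == pseudo_random_blob(4096)
    print("carrier pixel entropy:", round(entropy_bits_per_byte(pixels_from_png(carrier)[2]), 2))
    print("benign image entropy: ", round(entropy_bits_per_byte(pixels_from_png(gradient_png())[2]), 2))
```

The entropy check is a triage heuristic, not a verdict: a PNG that is simply a photograph of noise scores high too, and an attacker can spread the payload across the low bits of a real image to pull the score down. What the check does reliably is separate "pixel data that decompresses to ciphertext" from the smooth images a feed cache or resource directory would normally hold, which is enough to pick candidate files for a closer look.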

Once decoded, all components of the Trojan's payload are injected into a new process using the Win32 API.

The method described by the researchers evades detection and has already been used successfully in government-sponsored attacks on institutions in Asia.

