
According to new Fortinet research, cybersecurity researchers are investigating an unusual cyberattack that deployed malware with corrupted DOS and PE headers.
The DOS (Disk Operating System) and PE (Portable Executable) headers are important parts of Windows PE files and provide information about the executable.
The DOS header keeps the executable backward compatible with MS-DOS and lets the operating system recognize it as a valid executable, while the PE header contains the metadata Windows needs to load and run the program.

“For weeks, we discovered malware running on compromised machines,” Xiaopeng Zhang and John Simmons of the FortiGuard Incident Response team said in a report shared with Hacker News. “Threat actors were running scripts and PowerShell batches to run malware in Windows processes.”
Fortinet said that it could not extract the malware itself, but it did obtain a memory dump of the running malware process and a full memory dump of a compromised machine. It is not clear how the malware is distributed or how widespread the attacks are.
The malware running within the dllhost.exe process is a 64-bit PE file whose DOS and PE headers have been corrupted to hinder analysis and the reconstruction of the payload from memory.
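As an added illustration (this is not code from Fortinet's report), the following Python checks the two headers described above on a dumped image and, when the DOS header has been wiped so that `e_lfanew` is unusable, falls back to scanning the dump for a PE signature followed by a plausible machine type. The sample images are constructed inline; no bytes from the actual malware are used.

```python
"""Check the DOS and PE headers of a memory-dumped image for corruption.

Added example, not Fortinet's code. The sample images are constructed below.
"""
import struct

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# IMAGE_FILE_MACHINE values for the two common Windows architectures.
KNOWN_MACHINES = {0x014C: "x86", 0x8664: "x64"}
E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew in IMAGE_DOS_HEADER
COFF_HEADER_SIZE = 20   # IMAGE_FILE_HEADER that follows the PE signature


def check_pe_headers(data: bytes) -> dict:
    """Return findings about the DOS header and the PE signature.

    'dos_ok' and 'pe_ok' are False when the respective header is missing or
    malformed, which is how a deliberately corrupted in-memory image looks.
    """
    findings = {"dos_ok": False, "pe_ok": False, "e_lfanew": None, "machine": None}
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_SIGNATURE:
        return findings
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    findings["e_lfanew"] = e_lfanew
    # e_lfanew must point inside the buffer with room for signature + COFF header.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return findings
    findings["dos_ok"] = True
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return findings
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    findings["machine"] = KNOWN_MACHINES.get(machine)
    findings["pe_ok"] = findings["machine"] is not None
    return findings


def find_pe_signature(data: bytes) -> list:
    """Scan a dump for PE signatures followed by a known Machine value.

    Used when the DOS header is zeroed and e_lfanew cannot be trusted.
    Returns the candidate offsets; an empty list means the PE header is gone too.
    """
    hits = []
    pos = data.find(PE_SIGNATURE)
    while pos != -1:
        if pos + 6 <= len(data):
            machine = struct.unpack_from("<H", data, pos + 4)[0]
            if machine in KNOWN_MACHINES:
                hits.append(pos)
        pos = data.find(PE_SIGNATURE, pos + 1)
    return hits


def build_sample_image(corruption: str = "none") -> bytes:
    """Construct a minimal 64-bit image: DOS header, PE signature, COFF header.

    corruption: "none", "dos" (DOS header zeroed) or "both" (DOS header and
    PE signature zeroed, matching what the article describes).
    """
    dos = bytearray(0x80)
    dos[:2] = MZ_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)  # PE header follows the stub
    # Machine=x64, 1 section, timestamp/symbols zero, optional header 0xF0 bytes.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)
    image = bytes(dos) + PE_SIGNATURE + coff + b"\0" * 0x100
    if corruption == "dos":
        image = b"\0" * 0x40 + image[0x40:]
    elif corruption == "both":
        image = b"\0" * 0x84 + image[0x84:]
    return image


if __name__ == "__main__":
    for mode in ("none", "dos", "both"):
        img = build_sample_image(mode)
        print(mode, check_pe_headers(img), find_pe_signature(img))
```

With only the DOS header wiped, the signature scan still recovers the PE header offset; with both headers wiped, as in the case Fortinet describes, neither check succeeds and the analyst has to rebuild the headers by hand.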

Despite these obstacles, the cybersecurity company noted that it was able to dissect the dumped malware in a controlled local setup that replicated the environment of the compromised system, after “multiple attempts, errors, and repeated fixes.”
When the malware runs, it decrypts the command-and-control (C2) domain information stored in memory and establishes contact with the server (“Rash Paper”[.]com) from a newly created thread.
“After launching the thread, the main thread enters a sleep state until the communication thread completes execution,” the researchers said. “The malware communicates with the C2 server via the TLS protocol.”

Further analysis determined that the malware is a remote access trojan (RAT) with the ability to capture screenshots and to enumerate and manipulate system services on the compromised host. It can even act as a server waiting for incoming “client” connections.
“It implements a multi-threaded socket architecture. Every time a new client (attacker) connects, the malware spawns a new thread to handle the communication,” Fortinet said. “This design allows for concurrent sessions and supports more complex interactions.”
“By operating in this mode, the malware effectively transforms the compromised system into a remote access platform, allowing an attacker to launch further attacks or perform various actions on behalf of the victim.”