Attackers Are Using A New Way To Bypass The Detection RAT

Cyber criminals are using a new way to bypass the detection RAT (Remote Access Trojan) in order to gain access to the stored files and resources of the victims computer. RAT infects the system when a user opens a malicious e-mail attachment or download any file from a web-site or peer to peer network.

Attackers Are Using A New Way To Bypass The Detection RAT

The criminals use Remote Access Trojan (RAT) for many years in order to gain access to the stored files and resources such as a camera, microphone, etc on the victim’s computer. Traditionally RAT infects the system when a user opens a malicious e-mail attachment or download any file from a web-site or peer to peer network. Both vectors attacks involve the use of files to download malware, so such attacks more easily detected.

According to the researchers of the cyber security company SentinelOne, cybercriminals started using a new technique to spread Trojans remote access to bypass security solutions. The method used by the attackers allows them to download a payload into memory and bypass the anti-virus software and modern technology that can detect only threats, based on the files.

The new method consists in that during the execution of the malicious payload (file) is in the memory and does not interact with the disk in an unencrypted form. The researchers stressed that the new are not the Trojans to remotely access and detection of intruders used workaround. As the cyber security company, SentinelOne analyzed the method of infection by the example of Trojan NanoCore, but it is also suitable for other well-known RAT.

After running on a system, the malware copies itself to the victim in the “% APPDATA% \ Microsoft \ Blend \ 14.0 \ FeedCache \ nvSCPAPISrv.exe”, extracts the second “PerfWatson.exe” code and performs both codes. Encrypted dynamic link library (DDL), is responsible for unpacking and implementation of RAT, decrypted and copied to the memory. Settings for DDL and of the executable code NanoCore encrypted stored in several PNG-files in the form of pixel data. After decoding of all components of the payload of a Trojan is embedded in a new process using the “Win32 API”.

The method described by the researchers evade detection and has been successfully used by cybercriminals during the sponsored attacks by the governments on the institutions in Asia.