Asian Nation-State hackers use fileless RAT for their hacking campaign

Pierluigi Paganini April 22, 2016

State-sponsored actors in Asia have been leveraging fileless RAT for their hacking campaigns in order to avoid the detection.

Security experts from SentinelOne spotted nation-state actors in Asia running espionage campaigns relying on fileless Remote Access Trojan. The state-sponsored hackers were injecting the RAT payload directly into the memory of the target host in order to avoid detection by security solutions.

“Recently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs.  This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state.” read the blog post published by SentinelOne.

“In doing so, the attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies that only focus on file-based threat vectors.”

According to the experts at SentinelOne, the technique is widely adopted by several state-sponsored hackers from multiple Asian countries.

The researchers are warning about the possibility that other threat actors across the world can exploit the same technique in their hacking campaigns.

SentinelOne has published a detailed analysis of the attacks leveraging on the fileless RAT dubbed NanoCore (aka Nancrat).

“When run, the binary will copy itself to

%APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe 

and extracts a second binary named PerfWatson.exe”

In order to maintain the persistence, the RAT use a registry key pointing to one of the above binaries.

“The RAT unpacking and injecting activities are implemented by using an encrypted DLL. The DLL settings and the NanoCore executable are encrypted and stored across multiple PNG image files as pixel data.” continues the analysis.

“The settings for “Benchmark” and the NanoCore executable are serialized, DES encrypted, spliced, and stored across multiple PNG files as pixel data. The PNG files are concatenated and stored in the .NET managed resources of the main executable.”

fileless RAT

 

Once all the components are decrypted, the payload is injected into a process in memory by using various Win32 API and system calls.

Experts believe that attacks relying on fileless malware will become even more popular among threat actors.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – nation-state hackers, Fileless RAT)



you might also like

leave a comment