This article describes the detailed forensic analysis and local redeployment of a sophisticated RAT with corrupted PE headers, focusing on how it was extracted from memory and dynamically analyzed. The malware talks to its C2 server over TLS, captures screenshots, listens as a TCP server for inbound remote connections, and manipulates Windows services. #RAT #dllhost.exe #rushpapers.com
Keypoints
- The malware was running within a dllhost.exe process with corrupted DOS and PE headers, complicating static extraction attempts.
- Dynamic analysis involved manually locating the malware’s entry point, memory allocation, and API address relocation using a debugger and Volatility tool.
- The malware communicates with its C2 server at rushpapers.com over TLS, encrypting data using both TLS and a custom XOR-based algorithm.
- Core functionalities include screen capture with context, acting as a TCP server to allow remote connections, and manipulating Windows system services.
- The malware resolves and adjusts 257 Windows API addresses across 16 modules to function correctly in different environments.
- Fortinet protects customers through anti-botnet DNS blocking, malicious TLS certificate blocking, and web filtering services targeting the C2 infrastructure.
- The incident response team leveraged a 33GB full memory dump to recreate the environment for in-depth malware behavior analysis and dissection.
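The keypoints above describe two analysis problems that a signature-based carver cannot solve: the DOS and PE headers were zeroed, and the sample carried its own table of 257 resolved API addresses spanning 16 modules. The script below is an added example (not code from the Fortinet write-up) of how an analyst can confirm the first condition and locate the second in a raw dump of the region. It assumes a 64-bit dump and a module list of the kind Volatility's windows.dlllist / ldrmodules plugins print; the module bases, sizes and dump bytes are constructed for the demonstration and are not values from the incident.

```python
"""
Locate a resolved API-address table inside a headerless memory dump.

Added example, not code from the Fortinet write-up. Module bases, sizes
and the dump bytes below are constructed for the demonstration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def headers_zeroed(image: bytes) -> bool:
    """True when there is no MZ signature and the whole IMAGE_DOS_HEADER
    (64 bytes) is zero: a signature scanner will not find this image, so
    it has to be located from the process' VAD / memory map instead."""
    return len(image) >= 64 and image[:2] != b"MZ" and not any(image[:64])


def module_for(addr: int, modules: list[Module]) -> Module | None:
    for m in modules:
        if m.contains(addr):
            return m
    return None


def find_api_tables(image: bytes, modules: list[Module], min_run: int = 4):
    """Scan 8-byte aligned qwords and report runs of at least min_run
    consecutive pointers that land inside loaded modules. With the headers
    (and therefore the IAT) gone, such a run is the malware's own table of
    resolved API addresses. Returns [(offset, [(offset, ptr, module)])]."""
    runs: list[tuple[int, list[tuple[int, int, str]]]] = []
    start = None
    hits: list[tuple[int, int, str]] = []
    for off in range(0, len(image) - 7, 8):
        (q,) = struct.unpack_from("<Q", image, off)
        m = module_for(q, modules)
        if m is not None:
            if start is None:
                start = off
            hits.append((off, q, m.name))
        else:
            if start is not None and len(hits) >= min_run:
                runs.append((start, hits))
            start, hits = None, []
    if start is not None and len(hits) >= min_run:
        runs.append((start, hits))
    return runs


def modules_used(runs) -> dict[str, int]:
    """Count resolved entries per module across all runs; this is how the
    '257 addresses across 16 modules' figure would be derived."""
    counts: dict[str, int] = {}
    for _, hits in runs:
        for _, _, name in hits:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed module map (hypothetical bases; real ones come from Volatility).
MODULES = [
    Module("kernel32.dll", 0x7FFB1A000000, 0xC0000),
    Module("ws2_32.dll", 0x7FFB1C000000, 0x70000),
    Module("advapi32.dll", 0x7FFB1D000000, 0xB0000),
]
K32, WS2, ADV = (m.base for m in MODULES)


def build_sample_dump() -> bytes:
    """Constructed dump: 0x200 bytes of zeroed headers, some junk, a run of
    six resolved pointers, then a two-entry run that is below min_run."""
    qwords = [
        0x4141414141414141, 0x0,
        K32 + 0x1A2B0, K32 + 0x20C40, WS2 + 0x3E10,
        WS2 + 0x4F20, ADV + 0x12340, K32 + 0x33F00,
        0x0, 0xDEADBEEF,
        WS2 + 0x100, ADV + 0x200,
        0x4242424242424242,
    ]
    return bytes(0x200) + b"".join(struct.pack("<Q", q) for q in qwords)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("headers zeroed:", headers_zeroed(dump))
    for off, hits in find_api_tables(dump, MODULES):
        print(f"API table at +0x{off:x} with {len(hits)} entries")
        for h_off, ptr, name in hits:
            print(f"  +0x{h_off:x}: 0x{ptr:x} ({name})")
    print(modules_used(find_api_tables(dump, MODULES)))
```

On a real dump, feed the region dumped with Volatility's vadinfo/vaddump output and the module list from dlllist; the run offset is the table the malware rewrites when it relocates API addresses, and the per-module counts give the same kind of inventory the write-up reports.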
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The threat actor executed batch and PowerShell scripts to run the malware in a Windows process (“The threat actor had executed a batch of scripts and PowerShell to run the malware”).
- [T1055] Process Injection – The malware runs inside the legitimate dllhost.exe process rather than as its own image, which hides it from process-name based detection (“The malware was running within a dllhost.exe process with PID 8200”).
- [T1105] Ingress Tool Transfer – The payload was placed into memory allocated with VirtualAlloc() inside dllhost.exe. Note that the quoted evidence describes the analysts' replay of that step, not an observed download by the malware (“we manually executed some instructions to allocate memory for deploying the dumped malware”).
- [T1027] Obfuscated Files or Information – The malware’s DOS and PE headers were corrupted with zeros to evade reconstruction and analysis (“both the DOS and PE headers are corrupted, making it difficult to reconstruct the entire executable”).
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with the C2 server via HTTPS (TLS on port 443) (“The malware then establishes communication with its C2 server… over the TLS protocol”).
- [T1113] Screen Capture – The malware captures screenshots and exfiltrates them to its C2 server using GDI+ APIs (“The malware has a feature that captures the victim’s screen as JPEG images and exfiltrates them”).
- [T1543.003] Create or Modify System Process: Windows Service (formerly T1050) – The malware manipulates system services through SCM APIs to control the infected machine (“It achieves this by leveraging several Windows Service Control Manager (SCM) APIs”).
- [T1095] Non-Application Layer Protocol (closest fit) – Separately from the TLS C2 channel, a thread in the malware listens on a TCP port for inbound attacker connections (“malware includes a thread function designed to act as a server, listening on a TCP port”).
Indicators of Compromise
- [URL] C2 server domain used for malicious communication – rushpapers.com/ws/
- [File Hash (SHA256)] malware sample hash extracted from memory – F3EB67B8DDAC2732BB8DCC07C0B7BC307F618A0A684520A04CFC817D8D0947B9