A recent cyberattack campaign has been identified that utilizes PureRAT malware to conceal malicious executable files within PNG images. This method of attack is particularly challenging for cybersecurity defenses due to its use of fileless execution techniques, which make detection and forensic analysis more difficult.
The attackers employ a combination of techniques to maintain stealth on compromised systems. These include steganography to hide the payloads within image files, PowerShell-based loaders to execute the malware, and User Account Control (UAC) bypass methods. Additionally, the campaign uses process hollowing and anti-virtualization checks to avoid detection by security software.
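Because the payload travels inside an image, defenders triage PNG files structurally rather than trusting the extension or a signature scan. The scanner below is an added example, not code from the original article or from Trellix's research, and it does not claim to reproduce the exact embedding method the campaign uses: it walks the PNG chunk list and flags generic anomalies that merit a closer look (data appended after the IEND chunk, an MZ header at the start of that trailing data, CRC mismatches, and oversized ancillary chunks). The 64 KiB ancillary threshold, the `png_chunk`/`scan_png` names and the 1x1 sample image are constructed assumptions for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 RGB PNG (not an image from the campaign)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, colour type 2 (RGB)
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter byte 0 followed by one black pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def scan_png(data: bytes, max_ancillary: int = 64 * 1024) -> dict:
    """Walk the chunk list and report structural anomalies (heuristic, assumed thresholds)."""
    findings, chunks = [], []
    if not data.startswith(PNG_SIGNATURE):
        return {"valid": False, "chunks": chunks, "findings": ["missing PNG signature"]}
    pos, iend_end = len(PNG_SIGNATURE), None
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        cdata = data[pos + 8:pos + 8 + length]
        name = ctype.decode("latin-1")
        if len(cdata) < length or pos + 12 + length > len(data):
            findings.append(f"truncated chunk {name}")
            break
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != (zlib.crc32(ctype + cdata) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {name}")
        chunks.append((name, length))
        # Large non-critical chunks are a classic place to park extra bytes; threshold is assumed.
        if ctype not in CRITICAL_CHUNKS and length > max_ancillary:
            findings.append(f"oversized ancillary chunk {name} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            iend_end = pos
            break
    if iend_end is None:
        findings.append("no IEND chunk found")
    else:
        # A well-formed PNG ends at IEND; anything after it is not image data.
        trailing = data[iend_end:]
        if trailing:
            findings.append(f"{len(trailing)} bytes of data after IEND")
            if trailing.startswith(b"MZ"):
                findings.append("trailing data starts with an MZ (PE) header")
    return {"valid": True, "chunks": chunks, "findings": findings}


def is_suspicious(data: bytes) -> bool:
    """True when any anomaly was found; feed this into a quarantine or review queue."""
    return bool(scan_png(data)["findings"])


if __name__ == "__main__":
    clean = build_minimal_png()
    print("clean:", scan_png(clean))
    print("appended:", scan_png(clean + b"MZ" + b"\x90" * 200))
```

A pixel-level steganographic payload (bits hidden in the image data itself) does not change the chunk structure and will not trip these checks; for that case the defender relies on the behavioural signals around the file (which process read it, and what that process did next) rather than on the file alone.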
The attack is initiated through a weaponized .LNK file, which serves as the entry point for the malicious payload. Once executed, the malware operates almost entirely in memory, reducing its footprint on the system and complicating detection efforts. This approach allows the attackers to execute their payloads without leaving traditional traces that security tools typically monitor.
The impact of this campaign is significant, as it poses a challenge to traditional security measures that rely on file-based detection. Organizations may find it difficult to detect and respond to such threats using conventional antivirus solutions, which are not designed to handle fileless malware effectively.
To mitigate the risks associated with this campaign, organizations should consider implementing behavior-based threat detection tools that can monitor for unusual process and file activity rather than relying on file signatures alone. Additionally, educating employees about the dangers of opening suspicious files and links can help prevent the initial infection vector from succeeding.
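The behavior-based monitoring recommended above can be prototyped over process-creation telemetry. The script below is an added example, not part of the original article or of Trellix's analysis: the three Sysmon-style records are constructed, the field names (`image`, `parent_image`, `command_line`) are assumed, and the scoring and the threshold of 3 are illustrative rather than tuned. It flags PowerShell launched from explorer.exe (the parent seen when a user opens a shortcut) in combination with hidden-window, execution-policy-bypass, no-profile or encoded-command switches, decodes `-EncodedCommand` payloads so they can be inspected, and notes references to .png files.

```python
import base64
import re

# Constructed Sysmon-style process-creation records; none of this is real telemetry.
SAMPLE_DECODED = r"Get-Content C:\Users\Public\photo.png"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DECODED.encode("utf-16le")).decode("ascii")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"pid": 4120, "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {SAMPLE_ENCODED}"},
    {"pid": 5210, "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -w hidden -c "[IO.File]::ReadAllBytes(\'C:\\Users\\Public\\photo.png\')"'},
    {"pid": 6301, "image": POWERSHELL, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
]

# Switch patterns; PowerShell accepts unambiguous prefixes, hence the optional long forms.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
NOPROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
PNG_REF = re.compile(r"\.png\b", re.I)


def decode_encoded_command(command_line: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or not decodable."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Count independent suspicious signals on one process-creation event (assumed weights: 1 each)."""
    reasons = []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if parent.endswith("explorer.exe"):
        reasons.append("PowerShell spawned by explorer.exe (user double-click, e.g. a shortcut)")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if BYPASS.search(cmd):
        reasons.append("execution policy bypass")
    if NOPROFILE.search(cmd):
        reasons.append("profile loading disabled")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded[:60])
    # Look for image references in both the raw and the decoded command line.
    if PNG_REF.search(cmd + (decoded or "")):
        reasons.append("references a .png file")
    return len(reasons), reasons


def triage(events, threshold: int = 3):
    """Return (pid, score, reasons) for events at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["pid"], score, reasons))
    return hits


if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid} score {score}")
        for reason in reasons:
            print("  -", reason)
```

Each signal is weak on its own (administrators run PowerShell with `-ExecutionPolicy` switches all day), which is why the example counts co-occurring signals instead of alerting on any one of them; the third record, a scripted inventory task launched by a service host, scores zero.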
Source: https://www.trellix.com/blogs/research/purerat-fileless-utilizing-steganography-process-hollowing/