Fortinet has identified a new Windows RAT operating stealthily on compromised systems with advanced evasion techniques
Analysis Summary
# Tool/Technique: Sophisticated Remote Access Trojan (RAT) with Corrupted Headers
## Overview
This entry covers a newly discovered Remote Access Trojan (RAT) analyzed by Fortinet's FortiGuard Incident Response Team. The malware exhibited advanced evasion techniques: it operated solely in memory within a legitimate Windows process (`dllhost.exe`) and deliberately corrupted its Portable Executable (PE) and DOS headers to frustrate traditional forensic analysis.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Windows
- Capabilities: In-memory execution, advanced evasion via header corruption, API mapping, decryption, and Command-and-Control (C2) communication.
- First Seen: Unknown (Active for weeks on the compromised system prior to discovery/analysis).
## MITRE ATT&CK Mapping
This summary is derived from the analysis of the malware's behavior, focusing on known RAT activities:
- **TA0005 - Defense Evasion**
  - **T1055 - Process Injection** (Implied, as it runs within `dllhost.exe` and relies on in-memory techniques)
  - **T1027 - Obfuscated Files or Information**
  - **T1027.004 - Compilation to Native Code** (The nature of the PE corruption suggests manipulation at this level)
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol** (Implied by C2 communication)
- **TA0002 - Execution**
  - **T1218 - Signed Binary Proxy Execution** (Implied by execution within `dllhost.exe`)
## Functionality
### Core Capabilities
- **In-Memory Execution:** Operates entirely in system memory, increasing difficulty in static detection and analysis.
- **Header Corruption:** Deliberately corrupted PE and DOS headers to prevent standard binary analysis tools from easily identifying the file structure or locating the entry point.
- **API Resolution:** Relied on mapping over 250 Windows APIs spread across 16 distinct modules, suggesting complex operational flow and dynamic loading.
- **Decryption:** Involved decryption routines, necessary to access the true payload or configuration data held in memory.
### Advanced Features
- **Deep Evasion:** The combination of running inside a legitimate process (`dllhost.exe`), in-memory operation, and header corruption represents a highly sophisticated method of hiding execution from security tooling.
- **Manual Entry Point Discovery:** Analysis required advanced memory forensics (using a 33 GB memory dump) to manually locate the malware's execution entry point (found at memory address `0x1C3EEFEE0A8`).
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: No C2 addresses or domains are given in the source; it states only that C2 communication existed, so network indicators require further external research.
- Behavioral Indicators: Execution observed within the `dllhost.exe` process under PID 8200.
## Associated Threat Actors
- Not explicitly named in the provided text; the malware is attributed only to unknown actors who employ sophisticated memory-based evasion.
## Detection Methods
- **Signature-based detection:** Traditional file-based signatures would likely fail, because the payload never exists on disk as a well-formed PE and its in-memory headers are corrupted.
- **Behavioral detection:** Monitoring for dynamic API resolution across numerous modules, suspicious memory manipulation within legitimate processes like `dllhost.exe`, and unusual network callbacks from those processes.
- **Memory Forensics:** Essential for investigation, requiring full memory dumps for analysis to reconstruct the executable structure.
- **YARA rules:** [Not provided in context]
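The "Memory Forensics" point above is the one an investigator has to act on: a region carved from a memory dump may hold executable code whose DOS and PE headers have been wiped, so standard PE parsers reject it. The following added example (not Fortinet's tooling and not code from the report) shows two defensive checks a triage script can run over such a carved region: a header validator that reports exactly which fields are damaged instead of failing outright, and a scanner that looks for an intact NT header even when the MZ signature is gone. The sample image, the `build_sample_image`/`corrupt_headers` helpers and the specific corruption pattern are constructed here for illustration; the report does not say which bytes the real sample altered.

```python
import struct

# Header constants from the PE format specification.
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
KNOWN_MACHINES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}
MAX_SECTIONS = 96                 # the Windows loader refuses images with more


def check_pe_headers(buf: bytes) -> list:
    """Validate the DOS and NT headers of a region carved from a memory dump.

    Returns a list of human-readable findings; an empty list means the
    headers look intact.  Checking stops early only when a later field
    cannot be read safely (e.g. e_lfanew points outside the buffer).
    """
    findings = []
    if len(buf) < 0x40:
        return ["buffer shorter than a DOS header (0x40 bytes)"]

    e_magic = struct.unpack_from("<H", buf, 0)[0]
    if e_magic != IMAGE_DOS_SIGNATURE:
        findings.append(f"DOS signature missing: got {e_magic:#06x}, expected 0x5a4d (MZ)")

    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(buf):
        findings.append(f"e_lfanew {e_lfanew:#x} does not point inside the buffer")
        return findings

    sig = struct.unpack_from("<I", buf, e_lfanew)[0]
    if sig != IMAGE_NT_SIGNATURE:
        findings.append(f"PE signature missing at {e_lfanew:#x}: got {sig:#010x}")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    (machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"unknown machine type {machine:#06x}")
    if n_sections == 0 or n_sections > MAX_SECTIONS:
        findings.append(f"implausible section count {n_sections}")

    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(buf):
        findings.append("optional header missing or truncated")
        return findings
    magic = struct.unpack_from("<H", buf, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        findings.append(f"optional header magic {magic:#06x} is neither PE32 nor PE32+")
    return findings


def find_nt_header_candidates(buf: bytes) -> list:
    """Scan a region for intact NT headers regardless of the DOS header.

    When only the MZ stub was wiped, the PE signature, a known machine type
    and a valid optional-header magic still form a recognisable pattern.
    Returns the offsets of every plausible IMAGE_NT_HEADERS found.
    """
    hits, start = [], 0
    while True:
        off = buf.find(b"PE\x00\x00", start)
        if off < 0 or off + 26 > len(buf):
            break
        machine = struct.unpack_from("<H", buf, off + 4)[0]
        magic = struct.unpack_from("<H", buf, off + 24)[0]
        if machine in KNOWN_MACHINES and magic in (PE32_MAGIC, PE32PLUS_MAGIC):
            hits.append(off)
        start = off + 1
    return hits


def build_sample_image(machine=0x8664, magic=PE32PLUS_MAGIC, n_sections=3) -> bytes:
    """Constructed test data: a minimal well-formed DOS + NT header pair (no real code)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # NT headers follow the DOS header directly
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, n_sections,
                       0, 0, 0, 240, 0x22)           # SizeOfOptionalHeader=240 (PE32+), EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    opt = struct.pack("<H", magic) + b"\x00" * 238   # optional header: magic followed by zeroed fields
    return bytes(dos) + coff + opt


def corrupt_headers(image: bytes) -> bytes:
    """Constructed (assumed) damage pattern: wipe the MZ signature, the PE
    signature and the optional-header magic, leaving the rest in place."""
    img = bytearray(image)
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    img[0:2] = b"\x00\x00"
    img[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    img[e_lfanew + 24:e_lfanew + 26] = b"\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    damaged = corrupt_headers(clean)
    print("clean image findings:", check_pe_headers(clean))
    print("damaged image findings:", check_pe_headers(damaged))
    print("NT header candidates in damaged image:", find_nt_header_candidates(damaged))
```

On a real dump you would feed `check_pe_headers` the bytes of each private, executable region of the suspect process rather than a constructed buffer; a region that fails the DOS/PE checks but still yields hits from `find_nt_header_candidates`, or that contains function-like code with no headers at all, is the kind of region the report describes having to reconstruct by hand.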
## Mitigation Strategies
- **Memory Protection:** Implement controls to prevent unauthorized code execution in memory space of trusted processes.
- **Process Monitoring:** Strict monitoring and whitelisting for processes executing sensitive code paths, especially for legitimate binaries like `dllhost.exe`.
- **Advanced Endpoint Detection and Response (EDR):** Use EDR solutions capable of deep memory scanning and behavioral analysis to catch in-memory threats.
- **Secure Configuration:** Ensure systems are configured to prevent execution artifacts from being written to disk if analysis relies on detecting file structure.
## Related Tools/Techniques
- Fileless Malware / In-Memory Attacks
- Highly obfuscated malware utilizing dynamic API resolution.