Full Report
Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable. While the DOS header makes the executable file backward compatible
Analysis Summary
# Tool/Technique: Unknown Windows Remote Access Trojan (RAT) with PE Header Corruption
## Overview
This is an unknown Remote Access Trojan (RAT) observed in the wild that utilizes heavily corrupted DOS and PE headers within its executable structure to evade detection and complicate forensic analysis. The malware was found running within a `dllhost.exe` process on a compromised Windows machine.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (64-bit PE file)
- Capabilities: Remote command execution, C2 communication over TLS, screenshot capture, system service enumeration/manipulation, multi-threaded socket architecture for concurrent attacker sessions.
- First Seen: Prior to May 29, 2025 (observed running for several weeks before discovery).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied by TLS communication)
- TA0002 - Execution
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (used for initial execution alongside batch scripts)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
    - T1027.004 - Compiled Code Cave (implied by rebuilding the payload from a memory dump)
- TA0010 - Exfiltration
  - T1041 - Exfiltration Over C2 Channel (implied by RAT functionality)
## Functionality
### Core Capabilities
- **Remote Access:** Functions as a full-fledged RAT, turning the compromised host into a remote access platform.
- **Multi-threaded Communication:** Implements a multi-threaded socket architecture, spawning a new thread for each incoming attacker connection to handle concurrent sessions efficiently.
- **C2 Communication:** Establishes contact with its Command and Control server over the TLS protocol.
### Advanced Features
- **Header Corruption for Evasion:** Deliberately corrupts the DOS and PE headers of the executable file. This serves as a significant roadblock for static analysis tools that rely on these standard structures for parsing and reconstruction, allowing the malware to evade detection for extended periods.
- **In-Memory Decryption:** Decrypts C2 domain information directly within memory after execution.
- **Post-Execution Behavior:** After spawning the communication thread to handle C2 activity, the main thread enters a sleep state until the communications thread completes execution.
- **System Interaction:** Capable of capturing screenshots and enumerating/manipulating system services.
## Indicators of Compromise
- File Hashes: N/A (Malware not extracted)
- File Names: Deployed/Observed running within the **`dllhost.exe`** process.
- Registry Keys: N/A
- Network Indicators: C2 Server: `rushpapers[.]com`
- Behavioral Indicators: Execution initiated via a batch script and PowerShell, followed by in-memory operations that do not depend on the corrupted PE structure.
## Associated Threat Actors
- Unknown at time of reporting.
## Detection Methods
- Signature-based detection: Likely evaded, since file-level parsers fail on the corrupted headers; memory-based signatures or machine learning models are needed instead.
- Behavioral detection: Monitor for anomalous persistence mechanisms (scripts leading to RAT execution) and for unexpected outbound TLS connections to external domains from standard processes such as `dllhost.exe`.
- YARA rules: Write them against unique decrypted strings or memory-injection patterns rather than file headers.
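As an added example (not code from the Fortinet report), the check below parses the DOS and NT headers of a raw image buffer, such as a region carved from a `dllhost.exe` memory dump, and lists which fields fail to validate; a non-empty problem list is what a static parser would choke on. The two sample buffers are constructed, and the constant names follow the Windows SDK.

```python
"""Header sanity check for a raw PE image carved from memory (added example)."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
# IMAGE_FILE_MACHINE_* values for the architectures a 64-bit host is likely to run
MACHINE_NAMES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def check_pe_headers(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> e_lfanew -> IMAGE_NT_HEADERS and record each field
    that does not look right. An empty 'problems' list means the headers parse."""
    result = {"problems": [], "e_lfanew": None, "machine": None, "num_sections": None}
    if len(data) < 0x40:  # IMAGE_DOS_HEADER is 64 bytes
        result["problems"].append("buffer shorter than IMAGE_DOS_HEADER")
        return result
    if data[:2] != IMAGE_DOS_SIGNATURE:
        result["problems"].append(f"e_magic {data[:2]!r} != b'MZ'")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    # Need room for the 4-byte signature plus the 20-byte IMAGE_FILE_HEADER.
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        result["problems"].append(f"e_lfanew 0x{e_lfanew:x} out of bounds or overlapping DOS header")
        return result
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        result["problems"].append("NT signature != b'PE\\0\\0'")
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["machine"] = MACHINE_NAMES.get(machine, f"unknown(0x{machine:x})")
    result["num_sections"] = num_sections
    if machine not in MACHINE_NAMES:
        result["problems"].append(f"unexpected Machine 0x{machine:x}")
    if num_sections == 0 or num_sections > 96:  # loader limit on NumberOfSections
        result["problems"].append(f"implausible NumberOfSections {num_sections}")
    return result


def headers_corrupt(data: bytes) -> bool:
    return bool(check_pe_headers(data)["problems"])


# Constructed minimal 64-bit image: DOS header with e_lfanew=0x40, then NT signature + file header.
GOOD_IMAGE = (IMAGE_DOS_SIGNATURE + b"\x00" * 58 + struct.pack("<I", 0x40)
              + IMAGE_NT_SIGNATURE + struct.pack("<HH", 0x8664, 3) + b"\x00" * 16)
# Same image with e_magic and the NT signature zeroed, mimicking a corrupted-header payload.
_buf = bytearray(GOOD_IMAGE)
_buf[0:2] = b"\x00\x00"
_buf[0x40:0x44] = b"\x00" * 4
CORRUPT_IMAGE = bytes(_buf)

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("corrupt", CORRUPT_IMAGE)):
        print(name, check_pe_headers(img))
```

Running the script over every executable-looking region of a dump, rather than only on regions that start with `MZ`, is what surfaces images like this one, since the missing magic is exactly what defeats an `MZ`-keyed carver.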
## Mitigation Strategies
- **Process Monitoring:** Implement strict monitoring and alerting on legitimate system processes (like `dllhost.exe`) spawning unexpected network connections or modifying system services.
- **Memory Forensics:** Ensure memory capture and analysis capabilities are robust, as static analysis will fail against this type of file structure.
- **Execution Prevention:** Restrict execution via batch scripts or PowerShell where possible, especially for suspicious payloads.
- **Network Filtering:** Block/monitor traffic to known malicious C2 domains like `rushpapers[.]com`.
## Related Tools/Techniques
- Techniques using deliberately malformed or missing PE headers to confuse loaders and analysis tools.
- Other sophisticated Windows RATs capable of multi-threaded remote administration.