
Asian Nation-State hackers use fileless RAT for their hacking campaign


State-sponsored actors in Asia have been leveraging fileless RATs in their hacking campaigns in order to avoid detection.

Security experts from SentinelOne spotted nation-state actors in Asia running espionage campaigns that rely on a fileless Remote Access Trojan (RAT). The state-sponsored hackers inject the RAT payload directly into the memory of the target host in order to avoid detection by security solutions.

“Recently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state.” read the blog post published by SentinelOne.

“In doing so, the attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies that only focus on file-based threat vectors.”

According to the experts at SentinelOne, the technique is widely adopted by several state-sponsored hackers from multiple Asian countries.

The researchers warn that other threat actors across the world could adopt the same technique in their hacking campaigns.

SentinelOne has published a detailed analysis of the attacks leveraging the fileless RAT dubbed NanoCore (aka Nancrat).

“When run, the binary will copy itself to %APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe and extracts a second binary named PerfWatson.exe”

In order to maintain persistence, the RAT uses a registry key pointing to one of the above binaries.
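The persistence described above (a dropped executable under %APPDATA% plus a registry value pointing at it) is something a defender can audit without any malware-specific signature: list the autostart values and flag every one whose program resolves into a user-writable profile directory. The Python below is an added example and is not code from SentinelOne's analysis; the article only says "a registry key", so the Run keys named in RUN_KEYS, the live collector, the sample environment and the three sample autorun entries are this example's own assumptions, constructed so the logic runs on any OS.

```python
"""Audit autostart (Run-key style) values for programs that live in
user-writable profile directories such as %APPDATA%.

Added example, not SentinelOne's code. The registry locations in RUN_KEYS
are an assumption (the article does not name the key NanoCore used), and
SAMPLE_ENV / SAMPLE_ENTRIES are constructed test data.
"""
import ntpath
import re
import sys

# Assumed autostart locations to audit on a live Windows host.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed environment so %VAR% expansion is identical on every OS.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}
# Variables whose trees an unprivileged user can write to (assumption).
USER_WRITABLE_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP")

# Constructed autorun values: one benign vendor entry, two mimicking the
# file names quoted in the article, dropped under user-writable paths.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("nvSCPAPISrv", r"%APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe"),
    ("PerfWatson", r'"%LOCALAPPDATA%\PerfWatson.exe" -silent'),
]


def expand_vars(value: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively; unknown vars are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def executable_path(command: str, env: dict) -> str:
    """Pull the program path out of an autorun command line.

    Handles a double-quoted path followed by arguments, an unquoted path
    ending in .exe followed by arguments, or a bare path.
    """
    command = expand_vars(command.strip(), env)
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def is_user_writable(path: str, env: dict) -> bool:
    """True if `path` sits below one of the user-writable roots in `env`."""
    norm = ntpath.normcase(ntpath.normpath(path))
    for var in USER_WRITABLE_VARS:
        root = ntpath.normcase(ntpath.normpath(env[var]))
        if norm.startswith(root + "\\"):
            return True
    return False


def audit(entries, env: dict):
    """Return (name, resolved_program) for each entry whose program is
    user-writable, i.e. the shape of persistence the article describes."""
    findings = []
    for name, command in entries:
        exe = executable_path(command, env)
        if is_user_writable(exe, env):
            findings.append((name, exe))
    return findings


def collect_run_entries():
    """Read the assumed Run keys on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for key in RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    entries.append((name, str(value)))
                    i += 1
        except OSError:
            pass  # key absent or not readable; skip it
    return entries


if __name__ == "__main__":
    live = collect_run_entries()
    for name, exe in audit(live or SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"SUSPICIOUS autorun '{name}' -> {exe}")
```

Run on a Windows host it audits the two Run keys with the real environment; elsewhere it falls back to the constructed entries. A hit only says the program is in a location malware favours, not that it is malicious, so pair it with the file's signature status and creation time before acting.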

“The RAT unpacking and injecting activities are implemented by using an encrypted DLL. The DLL settings and the NanoCore executable are encrypted and stored across multiple PNG image files as pixel data.” continues the analysis.

“The settings for “Benchmark” and the NanoCore executable are serialized, DES encrypted, spliced, and stored across multiple PNG files as pixel data. The PNG files are concatenated and stored in the .NET managed resources of the main executable.”
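Storing DES-encrypted components as PNG pixel data, as the SentinelOne quote above describes, leaves a statistical trace: ciphertext is close to uniformly random, so a carrier image's decoded pixel stream has byte entropy near the 8-bit maximum, while a genuine image (especially after PNG's row filters) scores well below it. The Python below is an added example, not SentinelOne's or the malware's code, showing one way to triage PNG resources on that basis. The minimal PNG writer, the two constructed sample images and the 7.5 bits/byte threshold are this example's assumptions.

```python
"""Flag PNG files whose pixel data looks like ciphertext.

Added example, not SentinelOne's analysis code. It parses the PNG chunk
list itself (no imaging library), inflates the IDAT stream and measures
Shannon entropy of the decoded scanlines. ENTROPY_THRESHOLD and the
sample images are assumptions constructed for the demo.
"""
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed threshold in bits per byte: encrypted data sits near 8.0, most
# real image scanlines well below. Calibrate against your own baseline.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def png_scanlines(data: bytes) -> bytes:
    """Return the inflated IDAT stream: one filter byte plus pixel bytes per row.

    Walks the chunk list, checks each chunk CRC, and concatenates every
    IDAT chunk before decompressing, as the PNG format requires.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    idat = bytearray()
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if not idat:
        raise ValueError("no IDAT data found")
    return zlib.decompress(bytes(idat))


def looks_like_carrier(png: bytes):
    """Return (flagged, entropy) for a PNG; flagged when the decoded
    scanlines have ciphertext-like entropy."""
    ent = shannon_entropy(png_scanlines(png))
    return ent >= ENTROPY_THRESHOLD, ent


def build_rgb_png(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer (filter type 0 on every row), used only
    to construct the sample inputs below."""
    assert len(pixels) == width * height * 3

    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = width * 3
    rows = b"".join(b"\x00" + pixels[i:i + row] for i in range(0, len(pixels), row))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def sample_images() -> dict:
    """Constructed inputs: a smooth gradient (benign) and a PNG whose pixel
    bytes are pseudo-random, standing in for DES ciphertext."""
    w = h = 64
    gradient = bytes(v for y in range(h) for x in range(w)
                     for v in (x * 4, y * 4, (x + y) * 2))
    rng = random.Random(20160101)  # fixed seed so the demo is reproducible
    cipher_like = bytes(rng.getrandbits(8) for _ in range(w * h * 3))
    return {"gradient.png": build_rgb_png(w, h, gradient),
            "carrier.png": build_rgb_png(w, h, cipher_like)}


if __name__ == "__main__":
    for name, png in sample_images().items():
        flagged, ent = looks_like_carrier(png)
        print(f"{name}: {ent:.3f} bits/byte -> {'SUSPICIOUS' if flagged else 'ok'}")
```

The realistic input is the set of PNGs pulled out of a suspect assembly's managed resources; feed each file's bytes to looks_like_carrier. Noisy photographs can also score high, so treat a hit as a reason to look closer (tiny images with maximal entropy, several near-identical ones, or images an application has no reason to ship) rather than as proof on its own.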


Once all the components are decrypted, the payload is injected into a process in memory using various Win32 APIs and system calls.

Experts believe that attacks relying on fileless malware will become even more popular among threat actors.


Pierluigi Paganini

(Security Affairs – nation-state hackers, Fileless RAT)