Security Experts:

Connect with us

Hi, what are you looking for?



Nation-State Actors Use Fileless Tricks to Deliver RATs

State-sponsored threat actors in Asia have been leveraging a new technique to deliver remote access Trojans (RATs) without being detected by security products.

State-sponsored threat actors in Asia have been leveraging a new technique to deliver remote access Trojans (RATs) without being detected by security products.

According to endpoint security company SentinelOne, the method used by these threat groups enables them to inject the RAT payload into memory and avoid detection by antiviruses and even modern technologies that only focus on file-based threats.

In the attacks analyzed by researchers, some files had been written to the disk, but the malicious payload never touched the disk in an unencrypted state.

Joseph Landry, senior security researcher at SentinelOne, told SecurityWeek that nation-state actors from multiple Asian countries have used this technique. The expert said that while these attacks appear to be mostly contained within Asia, there is a possibility that the method is used in other parts of the world against both governments and enterprises.

SentinelOne has detailed an attack involving a known RAT named NanoCore (aka Nancrat), which allows attackers to spy on victims. However, experts pointed out that the technique can be used to deliver any other RAT.

When first executed on a system, the malware creates two binaries in the %APPDATA% folder and executes them. A registry key pointing to one of these files is created for persistence.

An encrypted DLL responsible for unpacking and injecting the RAT is decrypted and copied into memory. The settings for this DLL and the NanoCore executable itself are encrypted and stored across multiple PNG image files as pixel data.

Data hidden in pixels

Once all components are decrypted, the NanoCore payload is injected into a new process using various Win32 API and system calls. A detailed description of the infection method is available on SentinelOne’s blog.

Fileless infection techniques have been observed in many types of attacks, including ones involving exploit kits, ransomware, and click-fraud malware.

Related: Malicious Document Builder Used in East Asia APT Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The U.S. government is set to green-light a more aggressive ‘hack-back’ approach to dealing with foreign adversaries and mandatory regulation of critical infrastructure vendors.


The United States blacklisted six Chinese entities it said were linked to Beijing's aerospace programs as part of its retaliation over an alleged Chinese...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.