State-sponsored threat actors in Asia have been leveraging a new technique to deliver remote access Trojans (RATs) without being detected by security products.
According to endpoint security company SentinelOne, the method used by these threat groups enables them to inject the RAT payload into memory and avoid detection by antiviruses and even modern technologies that only focus on file-based threats.
In the attacks analyzed by researchers, some files had been written to the disk, but the malicious payload never touched the disk in an unencrypted state.
Joseph Landry, senior security researcher at SentinelOne, told SecurityWeek that nation-state actors from multiple Asian countries have used this technique. The expert said that while these attacks appear to be mostly contained within Asia, there is a possibility that the method is used in other parts of the world against both governments and enterprises.
SentinelOne has detailed an attack involving a known RAT named NanoCore (aka Nancrat), which allows attackers to spy on victims. However, experts pointed out that the technique can be used to deliver any other RAT.
When first executed on a system, the malware creates two binaries in the %APPDATA% folder and executes them. A registry key pointing to one of these files is created for persistence.
An encrypted DLL responsible for unpacking and injecting the RAT is decrypted and copied into memory. The settings for this DLL and the NanoCore executable itself are encrypted and stored across multiple PNG image files as pixel data.
Once all components are decrypted, the NanoCore payload is injected into a new process using various Win32 API and system calls. A detailed description of the infection method is available on SentinelOne’s blog.
Fileless infection techniques have been observed in many types of attacks, including ones involving exploit kits, ransomware, and click-fraud malware.
Related: Malicious Document Builder Used in East Asia APT Attacks