GBHackers News reports that ordinary PNG images have been injected with portable executable (PE) payloads to facilitate the fileless execution of the PureRAT malware as part of a new multi-stage attack campaign.

Intrusions commence with a malicious LNK file that executes a concealed PowerShell command and downloads a heavily obfuscated VBS file to circumvent detection before copying itself and establishing a Task Scheduler job for persistence, findings from Trellix researchers showed. A PowerShell loader then connects to hardcoded domains to fetch a PNG file carrying a base64-encoded PE payload and a second PNG file, whose decoded assembly is loaded directly into memory.

Multiple VMware and QEMU virtual machine environment checks are then conducted before the activation of a .NET-based PureRAT payload, which proceeds to perform host fingerprinting and extensive device information gathering. Additional plugins have also allowed keylogging, on-demand credential theft, and remote desktop access. Such a threat should prompt organizations' security teams to be vigilant of suspicious LNK-initiated PowerShell activity, atypical cmstp.exe use, and recurring Task Scheduler job creation, researchers said.
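The PNG-carrier trick described above can be checked for on the defender's side. The following scanner is an added example, not code from Trellix or GBHackers: it walks the PNG chunk structure, looks for long base64 runs inside chunk payloads or after the IEND chunk, and flags any run that decodes to an MZ header whose e_lfanew points at a PE signature. The tEXt-chunk and after-IEND placements, the 64-character run threshold and the sample PNG are all constructed assumptions for illustration.

```python
import base64, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# A base64-encoded PE is a long run of base64 alphabet; 64+ chars cuts noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def iter_chunks(data):
    """Yield (type, payload) per PNG chunk, then (b'TAIL', bytes after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IEND":
            break
    yield b"TAIL", data[pos:]  # trailing bytes that every image decoder ignores
def looks_like_pe(blob):
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
def find_embedded_pe(data):
    """Return [(chunk_type, offset)] for each base64 run that decodes to a PE."""
    hits = []
    for ctype, payload in iter_chunks(data):
        for m in B64_RUN.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(0), validate=True)
            except ValueError:  # binascii.Error: odd length or bad padding
                continue
            if looks_like_pe(decoded):
                hits.append((ctype.decode("ascii"), m.start()))
    return hits
def _chunk(ctype, payload):
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc
# Constructed sample: a 1x1 PNG carrying a fake PE stub (headers only, no code)
# inside a tEXt chunk and again appended after IEND.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
def build_sample_png(with_payload=True):
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    if with_payload:
        png += _chunk(b"tEXt", b"Comment\x00" + base64.b64encode(FAKE_PE))
    png += _chunk(b"IEND", b"")
    return png + (base64.b64encode(FAKE_PE) if with_payload else b"")
```

Run `find_embedded_pe` over image files pulled from proxy or mail logs; a clean PNG yields an empty list, and any hit names the chunk and offset to triage.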