PureRAT Campaign Hides PE Payloads in PNG Files, Executes Filelessly
Key Takeaways A new PureRAT campaign is actively targeting Windows systems, employing advanced fileless techniques. The malware leverages steganography to conceal malicious PE payloads within...
Key Takeaways
- A new PureRAT campaign is actively targeting Windows systems, employing advanced fileless techniques.
- The malware leverages steganography to conceal malicious PE payloads within seemingly innocuous PNG image files.
- Initial infection typically starts with a malicious .lnk shortcut file, leading to in-memory execution and evasion of traditional endpoint detection.
- The threat actor maintains persistence via scheduled tasks and employs process hollowing into legitimate Windows binaries like msbuild.exe.
- Defenders should implement strict execution policies for scripting engines, monitor for in-memory activities, and educate users about suspicious shortcut files.
Cybersecurity researchers have uncovered a sophisticated new campaign deploying PureRAT, a remote access trojan (RAT), designed to surreptitiously compromise Windows operating systems. This particular operation distinguishes itself through its ingenious method of embedding malicious code within standard PNG image files, effectively bypassing conventional security measures.
Table Of Content
Once activated, the malware operates entirely within system memory, leaving minimal traces on disk. This fileless execution strategy significantly complicates detection by traditional endpoint security tools, highlighting a growing trend among threat actors to adopt more evasive tactics.
PureRAT’s Multi-Stage Infection Chain
The PureRAT attack unfolds through a carefully orchestrated multi-stage infection process. It typically commences with a malicious .lnk file, a Windows shortcut often mistaken by users for legitimate application launchers. Upon execution of this shortcut, a hidden PowerShell command is silently initiated without the user’s awareness. This command then establishes contact with a remote server to retrieve a PNG image, which covertly harbors the malicious payload through steganography.
To the casual observer, the downloaded image appears entirely normal. However, embedded within its data is a Base64-encoded portable executable (PE) file, poised for decoding and direct loading into system memory.
Analysts at Trellix were instrumental in identifying and dissecting this campaign, emphasizing the intricate, multi-layered obfuscation techniques employed throughout the attack chain. Their research revealed that the PowerShell-based second-stage loader is heavily obfuscated, incorporating extraneous data to confuse researchers and evade automated analysis tools. Trellix also observed that the malware includes checks for virtual environments like VMware and QEMU, designed to detect and terminate execution if it identifies a sandbox analysis environment.
Upon successful deployment, PureRAT initiates host fingerprinting, collecting critical system information such as installed security products, hardware identifiers, and user privilege levels. It bypasses User Account Control (UAC) using the legitimate cmstp.exe binary and employs process hollowing into msbuild.exe. This technique allows the malicious code to run under the guise of a trusted Windows process, further enhancing its stealth.
The RAT then connects to a command-and-control (C2) server, which maintains a dynamic listener for incoming instructions. This enables the attackers to deploy various plugins, facilitating activities like keylogging, system monitoring, or remote desktop access. Persistence on the compromised system is ensured through the creation of a scheduled task within the Windows registry, guaranteeing the malware’s re-execution.
How the Infection Mechanism Works
At the core of PureRAT’s operational methodology is the fusion of image steganography with in-memory payload delivery. Following the activation of the hidden PowerShell command by the .lnk file, the script downloads a PNG image from the attacker’s infrastructure. This image contains a Base64-encoded PE file meticulously concealed within its structure.
The script then precisely identifies the payload’s start and end indices, extracts it, performs a character replacement, reverses the data, decodes it from Base64, and finally converts it into a byte array. This byte array is subsequently loaded directly into memory as a compiled .NET assembly using System.Reflection.Assembly.Load().
Crucially, all malicious operations are executed within the PowerShell process memory. This ensures that the original msbuild.exe binary on disk remains unaltered and retains its legitimate Windows file signature, enabling PureRAT to circumvent file-scanning detections. The .NET DLL, found inside a file named GeneratedPy.png, functions as the subsequent stage loader and is protected by .NET Reactor obfuscation.
Its Main function triggers a Triple DES decryption routine, sourcing the necessary key and initialization vector from Base64-encoded strings embedded within the file. Once decrypted, these bytes are executed as another .NET assembly in memory, thereby completing a fully fileless delivery chain.
What You Should Do
- Harden Endpoint Security: Implement stringent execution policies for PowerShell and VBS scripts. Configure endpoint protection platforms to detect and block in-memory activities such as Process Hollowing and Reflective Code Loading.
- Monitor and Restrict Abused Binaries: Actively monitor and, where possible, restrict the use of built-in Windows binaries like cmstp.exe and msbuild.exe, which are frequently exploited in advanced attack chains.
- Implement Network Defenses: Block known C2 domains and IP addresses using up-to-date threat intelligence feeds. Monitor network traffic for unusual connections, especially those on non-standard ports.
- Maintain Patch Hygiene: Regularly apply security patches and updates to operating systems and all software to mitigate vulnerabilities that attackers could exploit for initial access.
- Conduct User Awareness Training: Educate users on the dangers of opening unexpected .lnk shortcut files or email attachments, even if they appear to originate from trusted sources. Emphasize verification procedures before clicking on suspicious links or files.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.