Cybersecurity researchers from Fortinet have disclosed a cyber attack involving a new strain of malware that evades detection by manipulating its own file structure. According to their findings, the malware runs with corrupted DOS and PE headers, which hampers forensic analysis while leaving the code functional.
The DOS and PE headers, essential components of Windows executable files, typically provide crucial information for their execution by the operating system. Researchers Xiaopeng Zhang and John Simmons explained, “We discovered malware that had been running on a compromised machine for several weeks,” highlighting the effective concealment techniques employed by the threat actor.
Despite the malware’s complexity, Fortinet was able to analyze it from memory dumps taken on the infected machine, although the malware’s actual code has not been recovered. The malware runs inside a dllhost.exe process as a 64-bit PE file, which complicates efforts to identify and isolate its payload.
Once executed, the malware connects to a command-and-control (C2) server identified as rushpapers.com, indicating that it functions as a remote access trojan (RAT). With capabilities such as taking screenshots and managing system services, the malware turns the compromised system into a platform for further attacks, as noted by Fortinet.
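The detection problem the report describes is that header-signature scanning over a memory dump fails when the `MZ` and `PE\0\0` markers have been wiped, even though the rest of the PE layout (COFF header, optional header) is still intact and the code still runs. The following triage helper is an added example written for this article; it is not Fortinet's tooling and reflects no detail of the actual sample. It builds a constructed, minimal 64-bit PE header image, applies constructed damage of the kind described (signatures zeroed), and then validates a dumped region field by field so that an analyst can tell "signatures damaged but layout survives" apart from "not a PE at all". All offsets follow the documented PE format; the sample bytes, the `corrupt_headers` routine and the verdict strings are assumptions for illustration.

```python
import struct

# Well-known PE constants (documented in the PE/COFF specification).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_minimal_pe64() -> bytes:
    """Constructed 64-bit PE header image (not a real sample): a DOS header with a
    valid e_lfanew, then the PE signature, COFF header and a zeroed optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        IMAGE_FILE_MACHINE_AMD64,                    # Machine
        1, 0, 0, 0,                                  # NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        240,                                         # SizeOfOptionalHeader for PE32+
        0x22,                                        # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)   # optional header Magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def corrupt_headers(image: bytes) -> bytes:
    """Constructed damage modelled on the report: wipe the 'MZ' and 'PE\\0\\0' signatures
    but leave e_lfanew and everything after the signature untouched."""
    buf = bytearray(image)
    buf[0:2] = b"\0\0"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    buf[e_lfanew:e_lfanew + 4] = b"\0\0\0\0"
    return bytes(buf)


def inspect_pe_headers(data: bytes) -> dict:
    """Validate the DOS and PE headers of a dumped region and list what is damaged."""
    findings = []
    result = {"dos_ok": False, "pe_ok": False, "machine": None, "magic": None, "findings": findings}
    if len(data) < 0x40:
        findings.append("region shorter than a DOS header")
        return result
    if data[:2] == b"MZ":
        result["dos_ok"] = True
    else:
        findings.append("DOS header lacks the 'MZ' signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need room for signature (4) + COFF header (20) + optional header Magic (2).
    if e_lfanew < 0x40 or e_lfanew + 26 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the region")
        return result
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        result["pe_ok"] = True
    else:
        findings.append("no 'PE\\0\\0' signature at e_lfanew")
    # These fields sit at fixed offsets from e_lfanew, so they stay readable even
    # when the two signatures have been zeroed.
    result["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    result["magic"] = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if result["machine"] not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        findings.append(f"unrecognised Machine 0x{result['machine']:x}")
    if result["magic"] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        findings.append(f"unrecognised optional header Magic 0x{result['magic']:x}")
    return result


def verdict(data: bytes) -> str:
    """Summarise the inspection for triage of a dumped region."""
    r = inspect_pe_headers(data)
    if not r["findings"]:
        return "headers intact"
    if r["magic"] in (PE32_MAGIC, PE32PLUS_MAGIC) and not (r["dos_ok"] and r["pe_ok"]):
        return "signatures damaged but PE layout survives: likely deliberate header corruption"
    return "not a parseable PE image"


if __name__ == "__main__":
    intact = build_minimal_pe64()
    damaged = corrupt_headers(intact)
    for label, region in (("intact", intact), ("damaged", damaged), ("junk", b"MZ")):
        print(f"{label}: {verdict(region)} {inspect_pe_headers(region)['findings']}")
```

In practice the region passed to `inspect_pe_headers` would come from a memory dump of the suspect process rather than a file on disk; a region whose Machine and Magic fields parse cleanly while both signatures are missing is exactly the pattern worth escalating, since a plain `MZ`/`PE` string scan would have skipped it.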