
PureRAT Campaign Uses PNGs for Stealthy Fileless Attacks

Severity: High (Score: 61.5)

Sources: Cybersecuritynews, Gbhackers

Summary

A new malware campaign using the PureRAT remote access trojan (RAT) has been identified targeting Windows systems. The attack hides a malicious portable executable (PE) payload inside a PNG image file and executes it without writing the decoded executable to disk, which removes the on-disk artifact that file-based detection normally relies on. The initial infection vector is a weaponized .LNK shortcut. To evade security controls the campaign combines steganography (the PE carried in the image), a PowerShell-based loader, a UAC bypass, process hollowing and anti-virtualization checks. Because the final payload lives only in memory, compromised hosts retain few traces beyond the shortcut, the carrier image and the PowerShell invocation, so forensic analysis has to lean on memory capture and execution telemetry rather than on dropped files. Any Windows environment that allows .LNK files and PowerShell to run from user-writable locations is exposed. The campaign is reported as ongoing; the source articles disclose no specific mitigation.

Key Points:

  • PureRAT hides its PE payload in PNG files for stealthy execution.
  • The decoded malware runs entirely in memory, complicating detection and forensics.
  • Windows systems are the target, with campaign activity reported as ongoing.
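The articles do not say where inside the PNG the PE is placed, so a triage check has to cover the common carrier placements rather than one known offset. The script below is an added example written for this page, not code from the source articles or from any PureRAT sample analysis. It assumes three placements (bytes appended after the IEND chunk, a private or non-standard chunk, and raw PE bytes inside the zlib-compressed IDAT pixel stream) and flags each one; the chunk type `daTa` and the `FAKE_PE` stub are constructed for the demonstration.

```python
"""Triage helper: flag PNG files that may carry an embedded PE payload.

Assumption (not from the advisory): the carrier hides the PE after IEND,
inside a non-standard chunk, or raw inside the compressed IDAT stream.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def looks_like_pe(buf):
    """True if buf starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_chunks(data):
    """Return (chunks, trailing_bytes); each chunk is (type, payload, crc_ok)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_MAGIC), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length
        if end > len(data):                      # truncated chunk: keep what we have
            chunks.append((ctype, data[pos + 8:], False))
            return chunks, b""
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        chunks.append((ctype, payload, crc == zlib.crc32(ctype + payload) & 0xFFFFFFFF))
        pos = end
        if ctype == b"IEND":                     # anything past IEND is not image data
            return chunks, data[pos:]
    return chunks, data[pos:]


def scan_png(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
        if looks_like_pe(trailing):
            findings.append("PE header in data after IEND")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {name}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes)")
        if looks_like_pe(payload):
            findings.append(f"PE header inside chunk {name}")
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        findings.append("IDAT stream does not decompress")
    else:
        # A PE dropped raw into the scanlines keeps its MZ/PE markers after inflation.
        off = pixels.find(b"MZ")
        while off != -1:
            if looks_like_pe(pixels[off:]):
                findings.append(f"PE header inside decompressed IDAT at offset {off}")
                break
            off = pixels.find(b"MZ", off + 1)
    return findings


# --- constructed samples (not real campaign artifacts) -----------------------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width, height, rows, extra_chunks=(), trailing=b""):
    """8-bit greyscale PNG; rows are raw scanlines (filter byte 0 is prepended)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\0" + r for r in rows)
    body = [_chunk(b"IHDR", ihdr)] + [_chunk(t, p) for t, p in extra_chunks]
    body += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_MAGIC + b"".join(body) + trailing


# Minimal MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\0\0' signature.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 20
ROWS = [bytes(range(4)), bytes(range(4, 8))]
CLEAN = build_png(4, 2, ROWS)
APPENDED = build_png(4, 2, ROWS, trailing=FAKE_PE)
IN_CHUNK = build_png(4, 2, ROWS, extra_chunks=[(b"daTa", FAKE_PE)])
IN_PIXELS = build_png(len(FAKE_PE), 1, [FAKE_PE])

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("appended", APPENDED),
                          ("chunk", IN_CHUNK), ("pixels", IN_PIXELS)]:
        print(label, scan_png(sample) or "no findings")
```

The PE-signature checks only catch a payload stored in the clear; a loader that XORs or AES-encrypts the PE before embedding it defeats them, which is why the structural findings (data after IEND, non-standard chunks, bad CRCs) are reported on their own and should be treated as worth a look even when no MZ header is found.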

Key Entities

  • Malware (attack_type)
  • PureRAT campaign (campaign)
  • PureRAT (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1055.012 - Process Hollowing (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1497 - Virtualization/Sandbox Evasion (mitre_attack)
  • T1548.002 - Bypass User Account Control (mitre_attack)
  • Windows (platform)
  • PowerShell (tool)