A sophisticated new malware strain has been discovered operating on Windows systems for weeks without detection, employing an advanced evasion technique that deliberately corrupts its Portable Executable (PE) headers to prevent traditional analysis methods.
The malware, identified during a recent incident investigation, represents a significant evolution in cyber threats targeting Microsoft Windows environments.
The malicious software was found embedded within a compromised system’s memory, having successfully evaded detection while maintaining persistent access for an extended period.
Security researchers discovered the threat after obtaining a comprehensive 33GB memory dump from an infected machine, revealing the malware’s presence within a dllhost.exe process running under process ID 8200.
The attack appears to have been deployed through a series of batch scripts and PowerShell commands, demonstrating the attackers’ sophisticated understanding of Windows system architecture.
Fortinet analysts identified this malware as a Remote Access Trojan (RAT) with extensive capabilities for system compromise and data exfiltration.
The researchers noted that obtaining the original malware executable proved challenging due to the threat’s advanced evasion mechanisms, necessitating complex memory forensics techniques to understand its functionality.
The malware’s deployment strategy involves corrupting critical file structure components that are typically essential for security analysis tools.
The discovery highlights a concerning trend in malware development, where threat actors are increasingly adopting sophisticated anti-analysis techniques to extend their operational lifespan on compromised systems.
This particular strain demonstrates capabilities including screenshot capture and transmission, remote server functionality for command and control operations, and comprehensive system service manipulation through Windows Service Control Manager APIs.
The malware’s ability to operate undetected while maintaining full system access represents a significant security concern for enterprise environments.
The threat’s command and control infrastructure utilizes encrypted communications, employing Windows security APIs such as SealMessage() and DecryptMessage() to secure data transmission between the compromised system and remote servers.
This encryption layer adds another dimension to the malware’s sophistication, making network-based detection more challenging for traditional security monitoring systems.
The malware’s most distinctive characteristic lies in its deliberate corruption of DOS and PE headers, a technique specifically designed to frustrate reverse engineering efforts.
When Windows loads a PE file into memory, it reads and parses these headers to map the executable correctly. Once the file is loaded and running, the headers are no longer needed for continued execution, which gives malware the opportunity to wipe them in memory without affecting its own operation.
Both the DOS and PE headers have been systematically overwritten with null bytes, creating regions of zeros where critical file structure information would normally reside.
This corruption makes it extremely difficult for security researchers to reconstruct the complete executable from memory dumps, as traditional tools rely on these headers to understand the file’s organization and entry points.
The researchers had to manually locate the malware’s entry point function, typically identified by the instruction “sub rsp, 28h” in 64-bit executables.
Through careful analysis using IDA Pro, they discovered eight instances of this instruction pattern and ultimately determined that the function at address 0x1C3EEFEE0A8 served as the actual entry point.
This manual reconstruction process demonstrates the significant analytical overhead imposed by this evasion technique.
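To illustrate the triage step the researchers had to perform by hand, the following Python script (an added example, not code from the Fortinet report) classifies a mapped image region as having intact, damaged or fully wiped DOS/PE headers, and lists every occurrence of the 64-bit prologue pattern "sub rsp, 28h" (encoded 48 83 EC 28) as a candidate function start. The sample regions and the load base are constructed for the demonstration.

```python
import struct

SUB_RSP_28H = bytes.fromhex("4883ec28")  # x86-64 encoding of "sub rsp, 28h"
HEADER_SPAN = 0x400  # DOS header, DOS stub and PE headers normally sit within this prefix


def header_state(region: bytes) -> str:
    """Classify the image header of a mapped region: 'intact', 'wiped' or 'damaged'."""
    head = region[:HEADER_SPAN]
    if head.startswith(b"MZ") and len(head) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)  # offset of the PE signature
        if region[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "intact"
        return "damaged"
    # No MZ signature at all: a region of pure nulls matches the pattern from the report
    return "wiped" if head.count(0) == len(head) else "damaged"


def find_prologues(region: bytes, base: int) -> list[int]:
    """Virtual addresses of every 'sub rsp, 28h' pattern: candidate function entry points."""
    hits, pos = [], region.find(SUB_RSP_28H)
    while pos != -1:
        hits.append(base + pos)
        pos = region.find(SUB_RSP_28H, pos + 1)
    return hits


def triage(region: bytes, base: int) -> dict:
    """Combine both checks; a wiped header followed by code-like prologues deserves a closer look."""
    return {"header": header_state(region), "prologues": find_prologues(region, base)}


def sample_wiped_region() -> bytes:
    """Constructed stand-in for the region in the report: nulled headers, then two prologues."""
    code = b"\x90" * 0x20 + SUB_RSP_28H + b"\x48\x8b\x05" + bytes(0x100) + SUB_RSP_28H + b"\xc3"
    return bytes(HEADER_SPAN) + code


def sample_intact_region() -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew pointing at 0x80, 'PE\\0\\0' there, then code."""
    head = bytearray(HEADER_SPAN)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x80)
    head[0x80:0x84] = b"PE\0\0"
    return bytes(head) + b"\x90" * 8 + SUB_RSP_28H + b"\xc3"


if __name__ == "__main__":
    base = 0x1C3EEEE0000  # assumed load base for the constructed samples
    print(triage(sample_wiped_region(), base))
    print(triage(sample_intact_region(), base))
```

On a real dump the region bytes would come from the process's mapped memory (for example via a Volatility plugin), and each reported address is only a candidate that still needs confirmation in a disassembler, as the researchers did with the eight hits they found.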
Furthermore, the malware required complex import table resolution to function properly in the researchers’ controlled environment.
The threat dynamically calculates API addresses using XOR operations and indirect jumps, as shown in the code sequence at address 0x1C3EEEE1CE0, which ultimately resolves to legitimate Windows API functions like those exported from GDI32.dll at address 0x7FFD74224630.