According to researchers at the cyber security company SentinelOne, cybercriminals have started using a new technique to distribute remote access Trojans (RATs) while bypassing security solutions. The method lets the attackers load a payload into memory and evade anti-virus software and newer technologies that detect only file-based threats. During execution, the malicious payload stays in memory and never touches the disk in unencrypted form. The researchers stressed that the remote access Trojans themselves are not new; what is new is the workaround the attackers use to avoid detection.

SentinelOne analyzed the infection method using the NanoCore Trojan as an example, but it is also suitable for other well-known RATs. After running on a victim's system, the malware copies itself to “%APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe”, extracts a second executable, “PerfWatson.exe”, and runs both. An encrypted dynamic link library (DLL), which is responsible for unpacking and injecting the RAT, is decrypted and copied into memory. The settings for the DLL and the NanoCore executable code are stored encrypted in several PNG files in the form of pixel data. After all components are decoded, the Trojan's payload is injected into a new process using the “Win32 API”.

The method described by the researchers evades detection and has been used successfully by cybercriminals in government-sponsored attacks on institutions in Asia.
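The payload stays in memory, but the dropper copy and the second executable named above are still launched from disk, so process-creation telemetry can be hunted for them. The following is an added example, not code from SentinelOne or the article: the `Image` and `ParentImage` field names follow Sysmon-style process-creation events, the sample events are constructed, and because the article does not say where “PerfWatson.exe” is written, that rule keys on the parent process instead of a path.

```python
import re
from ntpath import basename, normpath

# Indicator path from the article; %APPDATA% is expanded to the per-user
# Roaming folder (assumption: default Windows profile layout).
DROPPER_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming"
    r"\\microsoft\\blend\\14\.0\\feedcache\\nvscpapisrv\.exe$"
)
SECOND_STAGE = "perfwatson.exe"  # second executable named in the article


def norm(path):
    """Strip quotes, unify separators, resolve '..' and lower-case the path."""
    return normpath(path.strip().strip('"').replace("/", "\\")).lower()


def classify(event):
    """Return a verdict string for one process-creation event, or None."""
    image = norm(event.get("Image", ""))
    parent = norm(event.get("ParentImage", ""))
    if DROPPER_RE.match(image):
        return "dropper-copy-executed"
    # The file name alone is weak evidence; require the dropper as parent.
    if basename(image) == SECOND_STAGE and DROPPER_RE.match(parent):
        return "second-stage-from-dropper"
    return None


def hunt(events):
    """Return (index, verdict) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PerfWatson.exe",
     "ParentImage": "c:/users/alice/appdata/roaming/microsoft/blend/14.0/feedcache/NVSCPAPISRV.EXE"},
    {"Image": r"C:\Program Files\Example\PerfWatson.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, verdict in hunt(SAMPLE_EVENTS):
        print(index, verdict, SAMPLE_EVENTS[index]["Image"])
```

These rules cover only the on-disk steps of the chain; the decrypted DLL and the RAT injected into a new process have to be caught with memory or behavioural telemetry.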