A new Windows Remote Access Trojan (RAT) has emerged, causing concern across the cybersecurity landscape due to its ability to hide from traditional security tools. First uncovered by Fortinet and reported by The Hacker News, this RAT uses a clever trick: it corrupts key parts of its executable files, making them hard to detect and analyze.
Why This RAT Stands Out
What sets this RAT apart is how it corrupts the DOS (Disk Operating System) and PE (Portable Executable) headers of its executable file. Security products normally rely on these headers to recognize a file as an executable and scan it properly. By tampering with them, the RAT evades many detection solutions, giving it a way to persist unnoticed.
How It Works
- Deployment: Attackers use batch files and PowerShell commands to deploy the RAT. Tools like PsExec—a legitimate admin utility—are often abused in the process.
- Process Injection: Once running, the RAT injects itself into dllhost.exe, a trusted Windows process that’s normally harmless, making it even more difficult to spot.
- Encrypted Traffic: The RAT communicates with its command-and-control (C2) server, rushpapers[.]com, over TLS-encrypted channels, adding another layer of stealth.
- Functionality: It’s more than just a remote access tool. It can grab screenshots, manage system services, and even turn the infected system into a server to accept new connections.
Key Indicators to Watch For
- C2 Domain: rushpapers[.]com
- Malicious Process: dllhost.exe (a legitimate Windows process; the indicator is the RAT's code injected into it, not the binary itself)
- Execution Tactics: Batch scripts, PowerShell, and PsExec abuse
Defensive Steps to Take
- Proactive Hunting: Look for unusual activity in dllhost.exe and connections to unfamiliar domains, especially involving encrypted traffic.
- Strengthen Endpoint Security: Ensure your EDR solutions are updated and can detect behavioral anomalies, not just file signatures.
- Monitor Admin Tool Usage: Lock down access to tools like PsExec and limit PowerShell use to trusted scripts.
- User Education: Remind employees to watch for phishing emails, since these are often the entry point for malware like this.
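As an added example, not code from Fortinet's report or from the RAT itself, the Python check below is the header sanity test a hunter can run over suspect files or dumped process images when looking for the DOS/PE header corruption described above: it verifies the MZ magic, that e_lfanew points to a PE signature inside the file, and that the COFF and optional-header fields are plausible. The sample bytes are constructed here for illustration and are not taken from the malware.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def check_pe_headers(data: bytes) -> list[str]:
    """Return the header anomalies found in a PE image; an empty list means the headers look sane."""
    issues = []
    if len(data) < 0x40:
        return ["file shorter than a DOS header"]
    if data[:2] != b"MZ":
        issues.append("DOS magic 'MZ' missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 4-byte PE signature plus the 20-byte COFF header must fit inside the file.
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        issues.append(f"e_lfanew 0x{e_lfanew:x} points outside the file")
        return issues
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        issues.append("PE signature missing at e_lfanew")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if n_sections == 0 or n_sections > 96:
        issues.append(f"implausible section count {n_sections}")
    if size_opt == 0:
        issues.append("SizeOfOptionalHeader is zero")
    elif e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
            issues.append(f"unknown optional-header magic 0x{magic:x}")
    return issues


def build_sample(corrupt_headers: bool) -> bytes:
    """Constructed sample: a minimal PE32 header stub, optionally with its MZ and PE signatures wiped."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte optional header
    image = bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", PE32_MAGIC) + bytes(222)
    if corrupt_headers:
        # Zero both signatures but keep e_lfanew, mimicking a header-corrupted image.
        image = bytes(4) + image[4:0x40] + bytes(4) + image[0x44:]
    return image


if __name__ == "__main__":
    for label, corrupt in (("clean stub", False), ("corrupted stub", True)):
        print(label, "->", check_pe_headers(build_sample(corrupt)) or "headers look sane")
```

The Windows loader needs valid signatures to start a file from disk, so running this over memory-dumped images as well as on-disk files is where header corruption is most likely to surface.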
Conclusion
This new RAT is a reminder that attackers are getting more creative. Relying solely on traditional signature-based detection isn’t enough anymore. A layered defense approach—combining threat hunting, robust EDR, and user awareness—will help keep our environment secure.
For full details, check out the original report here: The Hacker News Article on the New RAT.
Stay safe, stay vigilant!