Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.
The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable.
While the DOS header makes the executable file backward compatible with MS-DOS and allows it to be recognized as a valid executable by the operating system, the PE header contains the metadata and information necessary for Windows to load and execute the program.
“We discovered malware that had been running on a compromised machine for several weeks,” researchers Xiaopeng Zhang and John Simmons from the FortiGuard Incident Response Team said in a report shared with The Hacker News. “The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process.”
Fortinet said while it was unable to extract the malware itself, it acquired a memory dump of the running malware process and a full memory dump of the compromised machine. In a statement shared with the publication, the company said that it observed the behavior in a single incident involving ransomware activity and that the threat was neutralized before any ransomware could be deployed.
“The threat actor gained initial access through remote access infrastructure and attempted to distribute malware using a PowerShell script executed via PsExec, however the script itself was not recovered during the investigation,” it added.
The malware, running within a dllhost.exe process, is a 64-bit PE file with corrupted DOS and PE headers in a bid to challenge analysis efforts and reconstruct the payload from memory.
Despite these roadblocks, the cybersecurity company further noted that it was able to take apart the dumped malware within a controlled local setting by replicating the compromised system’s environment after “multiple trials, errors, and repeated fixes.”
The malware, once executed, decrypts command-and-control (C2) domain information stored in memory and then establishes contact with the server (“rushpapers[.]com”) in a newly created thread.
“After launching the thread, the main thread enters a sleep state until the communication thread completes its execution,” the researchers said. “The malware communicates with the C2 server over the TLS protocol.”
Further analysis has determined the malware to be a remote access trojan (RAT) with capabilities to capture screenshots; enumerate and manipulate the system services on the compromised host; and even act as a server to await incoming “client” connections.
“It implements a multi-threaded socket architecture: each time a new client (attacker) connects, the malware spawns a new thread to handle the communication,” Fortinet said. “This design enables concurrent sessions and supports more complex interactions.”
“By operating in this mode, the malware effectively turns the compromised system into a remote-access platform, allowing the attacker to launch further attacks or perform various actions on behalf of the victim.”
