Malware Analysis Reveals Sophisticated RAT With Corrupted Headers


A remote access Trojan (RAT) that ran for weeks on a compromised system has been uncovered and analyzed by security researchers.

According to Fortinet’s FortiGuard Incident Response Team, the malware, which ran within a legitimate Windows process, used advanced evasion techniques to make recovery and inspection more difficult.

In-Memory Only Malware with Corrupted Headers

The malware was discovered running inside the dllhost.exe process under PID 8200.

Its Portable Executable (PE) and DOS headers, crucial for identifying and reconstructing malware files, had been deliberately corrupted to hinder traditional analysis methods. Fortinet could only proceed using a full 33 GB memory dump from the infected machine.

To investigate, the team recreated the compromised environment, loading the malware into a debugged dllhost.exe process.

Locating the entry point required manual work since traditional header information was unavailable. The entry was eventually found at memory address 0x1C3EEFEE0A8.
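The analysis above hinges on a detail that is easy to check automatically: an executable region whose DOS/PE headers no longer parse cannot have its entry point read from the header, and is exactly the kind of region that needs manual entry-point recovery. The following is an added illustration, not Fortinet's code or the RAT itself; it builds a constructed minimal PE32+ header, corrupts it the way the article describes, and triages a list of constructed memory regions so that only executable regions with unparseable headers are flagged.

```python
import struct

# Constructed sample (not from the Fortinet case): a minimal PE32+ header whose
# only meaningful fields are the ones an analyst needs to find the entry point.
def build_minimal_pe_header(entry_rva: int) -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # x64, 1 section
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ optional header magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + b"\x48\x83\xEC\x28" * 8  # fake code

def corrupt_headers(image: bytes) -> bytes:
    """Zero the DOS header, NT signature and optional header, as the RAT did."""
    return bytes(0x148) + image[0x148:]

def inspect_image_region(region: bytes) -> dict:
    """Try to recover the entry point RVA from a mapped image; report why if it fails."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return {"verdict": "corrupted", "reason": "missing MZ signature"}
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    if e_lfanew + 24 + 20 > len(region) or region[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"verdict": "corrupted", "reason": "missing PE signature"}
    magic = struct.unpack_from("<H", region, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):
        return {"verdict": "corrupted", "reason": "bad optional header magic"}
    entry = struct.unpack_from("<I", region, e_lfanew + 24 + 16)[0]
    return {"verdict": "intact", "entry_rva": entry}

def triage_regions(regions):
    """regions: (base, protection, bytes). Flag executable regions whose PE header
    cannot be parsed; these are where manual entry-point recovery has to start."""
    findings = []
    for base, protect, data in regions:
        if "x" not in protect:
            continue                                  # non-executable data is not a candidate
        result = inspect_image_region(data)
        if result["verdict"] != "intact":
            findings.append((base, result["reason"]))
    return findings

# Constructed regions with placeholder base addresses: one healthy mapped image,
# one executable region whose headers were wiped, one non-executable heap block.
SAMPLE_REGIONS = [
    (0x10000000, "r-x", build_minimal_pe_header(0x1000)),
    (0x20000000, "rwx", corrupt_headers(build_minimal_pe_header(0x1000))),
    (0x30000000, "rw-", bytes(0x200)),
]
```

In a real investigation the region list would come from the memory image (for example a Volatility plugin listing per-process VADs), and each flagged region would be the starting point for the manual entry-point search described above.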


API Mapping, Decryption and Command-and-Control

Because the malware relied on over 250 Windows APIs spread across 16 modules, each API reference had to be manually relocated and corrected for local execution. Required libraries that were not loaded automatically were injected manually using LoadLibraryA() or LoadLibraryW().

Once running, the malware decrypted its command-and-control (C2) server information, domain rushpapers.com and port 443, from memory.

Using SealMessage() and DecryptMessage(), it encrypted and decrypted data packets before and after TLS transmission. The decrypted payloads revealed system information such as “OS: Windows 10 / 64-bit (10.0.19045)”.

Encrypted traffic relied on a custom XOR-based algorithm. A randomly generated key was used for each transmission, adding an additional layer of obfuscation.

Features Confirm Advanced RAT Capabilities

The malware supports several powerful features:

  • Screenshot capture: Taking periodic JPEG images of the victim’s screen and logging active window titles

  • Remote server mode: Opening a TCP port to accept incoming attacker connections via multi-threaded socket handling

  • Service control: Enumerating and controlling system services using native Windows APIs

Through dynamic analysis in a controlled environment, Fortinet confirmed this RAT’s full functionality despite its stealthy deployment and obfuscation techniques.

To effectively defend against sophisticated threats like this, organizations should implement targeted security measures: enhanced monitoring of legitimate processes to detect unusual behavior, memory analysis tools for in-memory malware detection, and auditing of API usage to identify suspicious activity.

Additionally, deploying network traffic analysis tools can help spot anomalies in outbound connections, while user education on social engineering tactics is crucial for preventing initial infections.
