New technique allows Trojans to remain in memory to evade detection
[Image: Trojan horse]

Remote access Trojans (RATs) have been used for many years to allow attackers to gain access to and take control of users' systems.

Usually RATs are delivered when a user opens an email attachment or downloads a file from a website or peer-to-peer network. This involves direct delivery of the payload which makes detection easier.

Researchers at security company SentinelOne have uncovered a more sophisticated delivery technique that ensures that the payload file remains in memory throughout its execution, never touching the disk in a decrypted state.

This lets the attack stay hidden from conventional antivirus technologies. The samples analyzed also have the ability to detect virtual machines and check that they are not running in a sandbox. What's interesting is that while the delivery method is new, the Trojan isn't; the technique can be used to deliver any RAT to a user's system.

SentinelOne researcher Joseph Landry writing on the company's blog says, "We analyzed this sample against our SentinelOne EPP to confirm it does not evade our behavior-based detection mechanisms. This is due to the fact that we're monitoring all processes at the user-space/kernel-space interface -- and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points".

You can find out more about the attack and how it works on the SentinelOne blog.
source
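As an added illustration (not code from the article, SentinelOne, or the forum poster) of the behaviour-based check the quoted paragraph describes: an in-memory payload still has to cross the user/kernel boundary to open a foreign process with write access and then start a thread in it, so a detector working at that interface can correlate those two events. The event format and log lines below are constructed, Sysmon-style (ID 10 ProcessAccess, ID 8 CreateRemoteThread), not real telemetry.

```python
import re

# Windows process access rights needed to write code into another process
# (real constants from winnt.h). A handle carrying these is the first
# injection point; a remote thread started in that process is the second.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed, Sysmon-style sample lines: id=10 is ProcessAccess, id=8 is
# CreateRemoteThread. Paths and PIDs are made up for this example.
SAMPLE_LOG = """\
id=10 src=1234 srcimg=C:\\Users\\bob\\dl\\invoice.exe tgt=4321 tgtimg=C:\\Windows\\explorer.exe access=0x1FFFFF
id=10 src=777 srcimg=C:\\Windows\\System32\\taskmgr.exe tgt=4321 tgtimg=C:\\Windows\\explorer.exe access=0x1000
id=8 src=1234 srcimg=C:\\Users\\bob\\dl\\invoice.exe tgt=4321 tgtimg=C:\\Windows\\explorer.exe
id=8 src=888 srcimg=C:\\Windows\\System32\\csrss.exe tgt=999 tgtimg=C:\\Windows\\System32\\conhost.exe
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value ...' line into a dict; ints for id/src/tgt/access."""
    ev = dict(FIELD.findall(line))
    for k in ("id", "src", "tgt"):
        ev[k] = int(ev[k])
    if "access" in ev:
        ev["access"] = int(ev["access"], 16)
    return ev

def detect_injection(log_text):
    """Return one alert per (src, tgt) pair that first obtained write-capable
    access to a foreign process and later created a thread inside it."""
    armed = {}   # (src pid, tgt pid) -> source image holding a write-capable handle
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["src"] == ev["tgt"]:          # a process touching itself is not injection
            continue
        key = (ev["src"], ev["tgt"])
        if ev["id"] == 10 and ev["access"] & WRITE_MASK == WRITE_MASK:
            armed[key] = ev["srcimg"]       # first injection point: write access granted
        elif ev["id"] == 8 and key in armed:
            alerts.append({"src": ev["src"], "tgt": ev["tgt"],
                           "srcimg": armed[key], "tgtimg": ev["tgtimg"]})
    return alerts

if __name__ == "__main__":
    for a in detect_injection(SAMPLE_LOG):
        print(f"possible injection: {a['srcimg']} (pid {a['src']}) -> {a['tgtimg']} (pid {a['tgt']})")
```

The task-manager line is deliberately left alone: its access mask (0x1000, query-only) lacks the write rights, so a later remote thread from it would not be correlated.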