04-21-2016 , 10:25 PM
Trojan horse
Remote access Trojans (RATs) have been used for many years to allow attackers to gain access to and take control of users' systems.
Usually RATs are delivered when a user opens an email attachment or downloads a file from a website or peer-to-peer network. This involves direct delivery of the payload to disk, which makes detection easier.
Researchers at security company SentinelOne have uncovered a more sophisticated delivery technique that ensures that the payload file remains in memory throughout its execution, never touching the disk in a decrypted state.
This lets the attack stay hidden from conventional antivirus technologies. Samples analyzed also have the ability to detect virtual machines and ensure they're not running in a sandbox. What's interesting is that while the delivery method is new, the Trojan isn't: the technique can be used to deliver any RAT to a user's system.
SentinelOne researcher Joseph Landry writing on the company's blog says, "We analyzed this sample against our SentinelOne EPP to confirm it does not evade our behavior-based detection mechanisms. This is due to the fact that we're monitoring all processes at the user-space/kernel-space interface -- and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points".
You can find out more about the attack and how it works on the SentinelOne blog.
source