The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.
Despite this challenge, Fortinet’s team successfully obtained a memory dump of the live malware process, housed in a dllhost.exe process (PID 8200), along with a complete 33GB memory dump of the compromised system.
By carefully replicating the compromised environment, Fortinet’s researchers were able to bring the dumped malware back to life in a controlled setting, allowing them to observe its operations and communication patterns.
Bringing Corrupted Malware Back Online
Without its DOS and PE headers, the malware could not be simply loaded and executed like a normal Windows binary. The research team had to manually identify the malware’s entry point, allocate memory, and resolve API addresses that differed between the compromised system and the test environment. Through repeated debugging, address relocation, and parameter adjustments, they were finally able to emulate the malware’s behaviour in a lab setting.
According to Fortinet’s blog post shared with Hackread.com ahead of its publishing on Thursday, once operational, the malware revealed its communication with a command-and-control (C2) server at rushpaperscom over port 443, using TLS encryption.
Fortinet analysts traced the malware’s use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic. They also identified an additional layer of custom encryption that wrapped specific data packets before applying TLS, further complicating traffic inspection.
What the Malware Can Do
Fortinet’s analysis confirms that the malware operates as a Remote Access Trojan (RAT), providing the attacker with several powerful features:
- Screen capture: The malware takes periodic screenshots, compresses them as JPEGs, and sends them to the C2 server along with the titles of active windows.
- Remote server functionality: The malware sets up a listening TCP port, allowing attackers to connect directly and issue commands or deploy additional attacks.
- System service control: By interfacing with the Windows Service Control Manager, the malware can enumerate, manipulate, and potentially disrupt critical system services on the infected machine.
How the Attack Works
The initial infection relied on batch scripts and PowerShell to launch the malware, embedding it into a Windows process. Once running, the malware fetched the C2 server’s domain information from encrypted memory, established a secure connection, and began exfiltrating system details.
During traffic analysis, Fortinet captured decrypted WebSocket requests and responses, uncovering how the malware collects and reports system information, including OS version and architecture.
Interestingly, the malware’s encryption scheme uses a randomly generated key for XOR-based scrambling of packet data before it is handed off for TLS encryption. This extra layer adds protection against simple network-based detection, forcing researchers to rely on endpoint inspection or memory-level analysis to catch malicious activity.
