New PureRAT Campaign Hides PE Payloads in PNG Files and Executes Them Filelessly

A new and sophisticated malware campaign has been discovered, using a remote access trojan (RAT) called PureRAT to silently compromise Windows systems.

What makes this campaign stand out is how cleverly it hides malicious code inside ordinary-looking PNG image files.

Once the infection takes hold, the malware runs entirely in memory, leaving almost no traces on disk and making it difficult for traditional security tools to detect it.

This technique, known as fileless execution, reflects a growing shift in how threat actors deliver malware while staying hidden.

PureRAT is built around a multi-stage infection chain. The attack begins with a malicious .lnk file, a Windows shortcut that most users trust because it resembles files used to open regular applications.

When a victim opens this shortcut, a concealed PowerShell command launches silently without the user’s knowledge. This command contacts a remote server and retrieves a PNG image holding the malicious payload, embedded using steganography.

To the naked eye, the image looks completely normal, but hidden inside is a Base64-encoded portable executable (PE) file ready to be decoded and loaded into system memory.

Trellix analysts and researchers identified and analyzed this campaign, noting the multi-layered obfuscation techniques used throughout the infection chain.

They found the PowerShell-based second-stage loader is heavily obfuscated, with junk data added at both ends to mislead researchers and evade automated analysis.

Trellix also noted the malware checks for VMware and QEMU environments to detect virtual analysis sandboxes, immediately terminating if found.

Infection Chain Overview (Source - Trellix)

Once fully deployed, PureRAT performs host fingerprinting, gathering details on installed security products, hardware identifiers, and user privileges.

It bypasses User Account Control (UAC) via cmstp.exe and uses process hollowing into the legitimate msbuild.exe binary to run malicious code under a trusted Windows process.

The malware connects to a command-and-control (C2) server with a dynamic listener for incoming tasking, allowing operators to deploy plugins for keylogging, monitoring, or remote desktop access.

Connected Domain (Source - Trellix)

Persistence is maintained through a scheduled task in the Windows registry, ensuring re-execution on the infected system.

How the Infection Mechanism Works

The core of PureRAT’s method combines image steganography with in-memory payload delivery. After the .lnk file triggers the hidden PowerShell command, the script downloads a PNG file from the attacker’s server.

This image contains a Base64-encoded PE file hidden within it. The script identifies the payload’s start and end indices, extracts it, applies a character replacement, reverses the data, Base64 decodes it, and converts it into a byte array.

ExOptimizedMSI.png - Extracted Payload Start Index (Source - Trellix)

This byte array loads directly into memory as a compiled .NET assembly using System.Reflection.Assembly.Load().

All malicious operations run inside PowerShell process memory, so the original msbuild.exe binary on disk stays untouched and retains its status as a signed, legitimate Windows file, allowing PureRAT to evade file-scanning detection.
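A defender's triage check for the mechanism described above, added here as an example and not code from Trellix or the campaign: it walks a PNG's chunk list, reports any bytes after the IEND chunk, and flags long Base64 runs that decode to an MZ header either directly or after the reversal the article describes. The constructed sample appends the reversed Base64 text after IEND; the article does not say where in the image the real payload sits, and the campaign's character substitution is not known here, so the scan assumes it has already been undone.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{200,}")  # long Base64-looking text runs

def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list (checking each CRC) and return every byte after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")

def decodes_to_pe(text: bytes) -> bool:
    """True if the run Base64-decodes to an MZ header, as-is or after reversal.
    Assumes any campaign-specific character substitution has already been undone."""
    for candidate in (text, text[::-1]):
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded[:2] == b"MZ":
            return True
    return False

def scan_png(data: bytes) -> dict:
    """Triage summary: bytes after IEND, and offsets of Base64 runs that hide a PE."""
    hits = [m.start() for m in B64_RUN.finditer(data) if decodes_to_pe(m.group())]
    return {"trailing_bytes": len(png_trailing_data(data)), "pe_b64_offsets": hits}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 grayscale PNG with a reversed-Base64 "PE" appended after IEND.
SAMPLE_PE = b"MZ" + b"\x90" * 148  # stand-in for a PE image, not a real binary
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
              + base64.b64encode(SAMPLE_PE)[::-1])
```

Running `scan_png` over a downloaded image is a quick way to triage a suspected carrier file without executing anything from it.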

The .NET DLL inside GeneratedPy.png serves as the next-stage loader, protected by .NET Reactor obfuscation.

Its Main function invokes a Triple DES decryption routine, sourcing the key and initialization vector from Base64-encoded strings within the file.

Decryption of Next-Stage Payload from Resource (Source - Trellix)

After decryption, the bytes execute as a .NET assembly in memory, completing a fully fileless delivery chain.

Organizations should take the following steps to reduce exposure to threats like PureRAT:

  • Harden endpoint security with strict execution policies for PowerShell and VBS scripts, and configure protection to detect in-memory activities like Process Hollowing and Reflective Code Loading.
  • Monitor and restrict use of built-in Windows binaries such as cmstp.exe and msbuild.exe, which are abused in this attack chain.
  • Block known C2 domains and IP addresses using threat intelligence feeds and monitor traffic for connections on non-standard ports.
  • Apply security patches regularly to close gaps that attackers exploit during initial access.
  • Train users to recognize the risks of opening unexpected .lnk shortcut files or email attachments, even those appearing to come from trusted sources.


The post New PureRAT Campaign Hides PE Payloads in PNG Files and Executes Them Filelessly appeared first on Cyber Security News.