New technique allows Trojans to remain in memory to evade detection

Remote access Trojans (RATs) have been used for many years to allow attackers to gain access to and take control of user’s systems.

Usually RATs are delivered when a user opens an email attachment or downloads a file from a website or peer-to-peer network. This involves direct delivery of the payload which makes detection easier.

Researchers at security company SentinelOne have uncovered a more sophisticated delivery technique that ensures that the payload file remains in memory through its execution, never touching the disk in a de-encrypted state.

This lets the attack stay hidden from conventional antivirus technologies. Samples analyzed also have the ability to detect virtual machines and ensure they're not running in a sandbox. What's interesting is that while the delivery method is new, the Trojan isn't, the technique can be use to deliver any RAT to a user's system.

SentinelOne researcher Joseph Landry writing on the company's blog says, "We analyzed this sample against our SentinelOne EPP to confirm it does not evade our behavior-based detection mechanisms. This is due to the fact that we're monitoring all processes at the user-space/kernel-space interface -- and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points".

You can find out more about the attack and how it works on the SentinelOne blog.

Image credit: wk1003mike / Shutterstock