PureRAT Unleashed: How Fileless Malware, Steganography, and Process Hollowing Evade 90% of AVs – A Deep Dive + Video

Introduction:

Fileless malware, steganographic payload delivery, and process hollowing form a devastating triad that minimizes on-disk artifacts and executes under the guise of trusted system processes. PureRAT exemplifies this evolution—a multi-stage remote access trojan that bypasses traditional signature-based defenses by hiding malicious PE payloads inside benign PNG images and injecting code into legitimate Windows binaries like Msbuild.exe.

Learning Objectives:

  • Understand PureRAT’s infection chain, from malicious .LNK files to PowerShell, VBS loaders, and stealthy persistence via Task Scheduler.
  • Learn to detect fileless execution and process hollowing using behavioral baselines, network detection rules, and kill chain correlation.
  • Implement hands-on mitigation and hunting techniques using Sysmon, PowerShell, network beacon analysis, and steganography detection tools.

You Should Know:

  1. Decoding the Infection Chain – From .LNK to Persistent Backdoor

The attack begins with a seemingly harmless shortcut (.LNK) file. When executed, it launches a hidden PowerShell command that fetches an obfuscated VBS loader. The VBS script runs entirely in memory and creates a scheduled task for persistence—no malicious executable ever touches the disk.

Step‑by‑step analysis & simulation (isolated lab only):

  • Extract the PowerShell command from a malicious .LNK using `strings` or a PowerShell one‑liner:
    # Windows PowerShell 5.1 syntax; on PowerShell 7 use -AsByteStream instead of -Encoding Byte
    (Get-Content "malicious.lnk" -Encoding Byte | Select-Object -Skip 0x2000 | ForEach-Object { [char]$_ }) -join ''
    
  • Simulate the loader behavior (educational):
    # VBS in memory via PowerShell (the base64 below decodes to IEX("hello"), a harmless placeholder)
    $vbsCode = 'CreateObject("WScript.Shell").Run "powershell -enc SQBFAFgAKAAiAGgAZQBsAGwAbwAiACkA", 0, False'
    Add-Type -Name "WSH" -Namespace "Scripting" -MemberDefinition '[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(...);'
    # Note: real malware uses reflective loading; monitor with Process Monitor.
    
  • Detect persistence via Task Scheduler (wildcards are required for -like; the logon trigger is a CIM class, not a string):
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -contains "MSFT_TaskLogonTrigger" } | Format-List TaskName, Actions
    

Mitigation:

Enable PowerShell logging (ScriptBlock Logging, Module Logging) via Group Policy. Block unsigned VBS execution using `Set-ExecutionPolicy AllSigned` – but note that PureRAT uses obfuscation to bypass it.

  2. Steganography Payload Extraction – Hiding Malware in Plain Sight

PureRAT embeds malicious PE executables within the least significant bits of PNG image pixels. The image looks normal, but extracting the hidden payload requires knowledge of the embedding algorithm.

Step‑by‑step detection and extraction:

  • On Linux (analysis sandbox), use `binwalk` to scan for embedded data:
    binwalk -e suspicious.png
    
  • Use `steghide` (if default passphrase known) or `zsteg` to detect LSB steganography (`-E` so that `|` is an alternation, not a literal):
    zsteg -a suspicious.png | grep -iE "pe|exe|mz"
    
  • Manual extraction with Python (concept):
    # Example LSB extraction: one bit from each R, G, B channel, packed MSB-first into bytes
    from PIL import Image
    img = Image.open("suspicious.png").convert("RGB")  # drop alpha so every pixel is (r, g, b)
    bits = []
    for r, g, b in img.getdata():
        bits.extend((r & 1, g & 1, b & 1))
    payload = bytearray(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))
    with open("extracted.bin", "wb") as f:
        f.write(payload)
    
  • On Windows, use `CertUtil` to decode base64 hidden in image comments:
    findstr /C:"BEGIN" suspicious.png > extracted.txt
    certutil -decode extracted.txt payload.exe
    

Detection in network traffic:

Inspect image MIME types and entropy. A PNG with unusually high entropy or mismatched file size may indicate steganography. Use Snort/Suricata rules to flag HTTP/C2 responses containing images with PE headers embedded.
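
As an added example (not code from the original post or from any PureRAT analysis), the Python below does the structural checks the paragraph describes on an ingested PNG: it walks the chunk list, measures the Shannon entropy of the decompressed pixel data, and looks for a PE `MZ` signature where image data has no business being (ancillary/text chunks and bytes appended after `IEND`). It uses only the standard library; the PNG it inspects is constructed by the `build_png` helper, and the entropy threshold a pipeline would apply is a tuning choice, not a value from the post.

```python
"""Structural PNG checks for hidden PE payloads (added example, stdlib only)."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"                       # DOS stub magic at offset 0 of every PE file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is maximal (random, compressed or encrypted data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_png(blob: bytes):
    """Return (chunks, trailing): chunks as (type, data) pairs, trailing = bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        pos += 12 + length             # 4 length + 4 type + data + 4 crc
        chunks.append((ctype.decode("latin-1"), data))
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def scan_png(blob: bytes) -> dict:
    """Flag PE magic outside pixel data and report pixel-data entropy."""
    chunks, trailing = parse_png(blob)
    findings = []
    # 1. Anything after IEND is ignored by image viewers: a classic place to append an executable.
    if PE_MAGIC in trailing:
        findings.append("PE header after IEND")
    # 2. Text/private chunks are also invisible to viewers. (MZ alone is a weak signal; a
    #    production scanner would also validate the PE\0\0 header at e_lfanew.)
    for ctype, data in chunks:
        if ctype not in ("IHDR", "PLTE", "IDAT", "IEND") and PE_MAGIC in data:
            findings.append(f"PE header in {ctype} chunk")
    # 3. Entropy of the decompressed scanlines; LSB-embedded payloads tend to push it up.
    try:
        entropy = shannon_entropy(zlib.decompress(b"".join(d for t, d in chunks if t == "IDAT")))
    except zlib.error:
        entropy = 0.0
        findings.append("IDAT does not decompress")
    return {"chunks": [t for t, _ in chunks], "trailing_bytes": len(trailing),
            "pixel_entropy": round(entropy, 3), "findings": findings}


def build_png(width: int, height: int, pixels: bytes, extra_chunks=(), trailing=b"") -> bytes:
    """Constructed test helper: assemble a minimal 8-bit RGB PNG (no real sample involved)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit, colour type 2 = RGB
    rows = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    body = chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += chunk(ctype, data)
    body += chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
    return PNG_SIG + body + trailing


if __name__ == "__main__":
    clean = build_png(4, 4, b"\x80" * 48)
    bad = build_png(4, 4, b"\x80" * 48, extra_chunks=[(b"tEXt", b"Comment\x00MZ\x90\x00")],
                    trailing=b"MZ\x90\x00\x03\x00")
    print("clean:", scan_png(clean))
    print("bad:  ", scan_png(bad))
```

Used in an ingestion pipeline, `findings` is the high-fidelity signal (there is no benign reason for an `MZ` stub after `IEND`), while `pixel_entropy` is a triage score that must be compared against a baseline for the image source, since photographs and noisy textures also score high.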

  3. Process Hollowing – When Msbuild.exe Becomes the Attacker

Process hollowing starts a legitimate process (e.g., Msbuild.exe) in a suspended state, replaces its memory with malicious code, and resumes execution. Trusted binaries then run attacker code with normal process privileges.

Step‑by‑step detection & forensic analysis:

  • Monitor process creation with Sysmon (Event ID 1) and look for `Msbuild.exe` or `cmstp.exe` spawned with `CREATE_SUSPENDED` flag. Install Sysmon config:
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">msbuild.exe</CommandLine>
    </ProcessCreate>
    
  • Use PowerShell to detect hollowing by comparing original and current memory regions:
    Get-Process -Name msbuild | Select-Object -ExpandProperty Modules | Where-Object {$_.ModuleName -ne "msbuild.exe"}
    
  • Live hunting with `handle` (Sysinternals) to check for unexpected thread contexts:
    handle -a -p msbuild.exe
    
  • Memory forensics with Volatility (Windows memory dump):
    volatility -f memory.dump --profile=Win10x64 hollowfind
    

Mitigation:

Enable Windows Defender Attack Surface Reduction rules to block process hollowing (ASR rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Use Microsoft Defender for Endpoint’s `AttackSurfaceReductionRules` via PowerShell:

Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

  4. UAC Bypass via cmstp.exe – Elevation Without Consent

PureRAT uses `cmstp.exe` (a trusted Microsoft binary) to silently bypass User Account Control. The binary loads a specially crafted INF file that executes code with elevated privileges without prompting the user.

Step‑by‑step exploitation & blocking:

  • Attack simulation (research only): Create an INF file with a section that runs a command, then invoke:
    cmstp.exe /au /ns "malicious.inf"
    
  • Detect this activity via Event ID 4688 (Process Creation) with `cmstp.exe` and `/au` or `/ns` flags. Query with PowerShell:
    # Properties[5] is NewProcessName in a 4688 event; a leading wildcard is needed because the value is a full path
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -like "*\cmstp.exe"} | Select-Object TimeCreated, Message
    
  • Block UAC bypasses via `cmstp.exe` using AppLocker or WDAC (Windows Defender Application Control). Create a rule to deny execution of `cmstp.exe` for standard users (`New-AppLockerPolicy` only generates Allow rules, so the action is flipped in the generated XML before the policy is merged):
    $xml = (Get-AppLockerFileInformation -Path "$env:windir\System32\cmstp.exe" | New-AppLockerPolicy -RuleType Path -User Everyone -Xml) -replace 'Action="Allow"', 'Action="Deny"'
    $xml | Set-Content "$env:TEMP\deny-cmstp.xml"; Set-AppLockerPolicy -XmlPolicy "$env:TEMP\deny-cmstp.xml" -Merge
    

Hardening:

Enable “Admin Approval Mode” and set UAC to “Always notify”. Monitor `cmstp.exe` child processes – any spawned `cmd.exe` or `powershell.exe` from it is highly suspicious.

  5. Anti-Analysis Checks – Evading Sandboxes and Virtual Machines

PureRAT checks for VMware, QEMU, and sandbox artifacts (e.g., registry keys, hardware strings, running processes) before executing malicious payloads. Understanding these checks helps defenders build resilient sandboxes.

Step‑by‑step detection of VM artifacts:

  • Common checks in Windows registry (the VMware key contains a comma and a space, so it must be quoted):
    reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemManufacturer
    reg query "HKLM\SOFTWARE\VMware, Inc."
    
  • Check for sandbox processes (e.g., vmtoolsd.exe, procmon.exe):
    Get-Process | Where-Object {$_.ProcessName -match "vmtoolsd|procmon|wireshark"}
    
  • Hardware fingerprinting – PureRAT may query CPUID (hypervisor bit) via WMI:
    Get-WmiObject -Class Win32_ComputerSystem | Select-Object Manufacturer, Model
    

Building a detection‑resistant sandbox:

  • Modify VM artifact registry keys and device names to mimic physical hardware.
  • Use `VMCloak` or custom PowerShell to randomize MAC addresses, disk serials, and BIOS strings.
  • For Linux‑based dynamic analysis, run malware inside `Cuckoo` with `vmscope` flags to hide KVM/QEMU indicators.

  6. C2 Beacon Detection – Catching the Callback Regardless of Process Trust

PureRAT maintains a persistent, task‑driven connection to a command‑and‑control server. Even if the process (e.g., Msbuild.exe) appears legitimate, beacon intervals and destination reputation give it away.

Step‑by‑step network detection:

  • Use `netstat` to find suspicious outbound connections from trusted processes:
    netstat -ano | findstr "ESTABLISHED" | findstr "msbuild"
    
  • Monitor beacon intervals with a Python script (or Zeek/Bro):
    import pyshark
    # 'tcp and host not internal' is not valid BPF; exclude the local range instead (adjust to your own networks)
    cap = pyshark.LiveCapture(interface='eth0', bpf_filter='tcp and not dst net 10.0.0.0/8')
    timestamps = {}  # packet times per destination IP, so flows are not mixed together
    for pkt in cap.sniff_continuously():
        if hasattr(pkt, 'ip') and hasattr(pkt, 'tcp') and hasattr(pkt.tcp, 'payload'):
            ts = timestamps.setdefault(pkt.ip.dst, [])
            ts.append(pkt.sniff_time)
            if len(ts) > 10:
                intervals = [(ts[i + 1] - ts[i]).total_seconds() for i in range(len(ts) - 1)]
                if max(intervals) - min(intervals) < 0.5:  # regular beacon
                    print(f"Possible C2 beacon from {pkt.ip.src} to {pkt.ip.dst}")
    
  • Deploy Zeek with the `notice` framework to flag periodic outbound connections to low‑reputation IPs. Example custom script:
    # Declare the notice type and an operator-maintained reputation set (neither was declared in the original snippet)
    redef enum Notice::Type += { Possible_C2_Beacon };
    const low_reputation_ips: set[addr] = set() &redef;

    event connection_established(c: connection)
        {
        # Process names such as msbuild.exe are not visible on the wire; correlate c$uid with Sysmon on the endpoint
        if ( c$id$resp_h in low_reputation_ips )
            NOTICE([$note=Possible_C2_Beacon, $conn=c,
                    $msg=fmt("connection to low-reputation host %s", c$id$resp_h)]);
        }
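
The live `pyshark` sniffer above needs an interface and traffic to run against; the Python below is an added example (not code from the original post or from any PureRAT analysis) that applies the same idea offline to connection records of the shape Zeek's `conn.log` provides: timestamp, source, destination and destination port. It groups connections per flow and scores the regularity of the gaps with the coefficient of variation, which tolerates the small jitter implants add while still separating a timer-driven callback from interactive browsing. The sample records, the `min_conns` floor and the `max_cv` threshold are all constructed or assumed values for the illustration.

```python
"""Offline beacon-interval scoring over connection records (added example)."""
import statistics
from collections import defaultdict

# Constructed sample: (timestamp, src, dst, dst_port).
# 10.0.0.5 calls 203.0.113.10 roughly every 60 s with sub-second jitter (beacon-like);
# 10.0.0.7 reaches 198.51.100.20 at irregular, human-looking times.
SAMPLE_CONNS = [
    (1700000000.0 + 60 * i + jitter, "10.0.0.5", "203.0.113.10", 443)
    for i, jitter in enumerate([0.0, 0.4, -0.3, 0.2, 0.1, -0.5, 0.3, 0.0, 0.2, -0.1])
] + [
    (1700000000.0 + t, "10.0.0.7", "198.51.100.20", 443)
    for t in [3, 5, 40, 41, 42, 300, 310, 900, 905, 1800]
]


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of the gaps between connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_gap": mean, "cv": cv}


def find_beacons(conns, min_conns=8, max_cv=0.1):
    """Return per-flow statistics with a 'beacon' verdict for flows with enough connections.

    min_conns avoids scoring one-off traffic; max_cv is the regularity threshold (assumed
    tuning values, to be calibrated against a baseline of the monitored network)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in conns:
        flows[(src, dst, dport)].append(ts)
    results = {}
    for key, ts in flows.items():
        if len(ts) < min_conns:
            continue
        stats = interval_stats(ts)
        stats["beacon"] = stats["cv"] <= max_cv
        results[key] = stats
    return results


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(SAMPLE_CONNS).items():
        verdict = "BEACON" if stats["beacon"] else "ok"
        print(f"{src} -> {dst}:{dport}  n={stats['count']}  mean_gap={stats['mean_gap']:.1f}s  "
              f"cv={stats['cv']:.3f}  {verdict}")
```

Regularity alone does not prove C2 (software update checks and monitoring agents also beacon), so the flagged flows are the candidates to enrich with destination reputation and, as the section above notes, with the Sysmon view of which process on the endpoint owns the socket.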
    

Mitigation:

Enable Network Detection and Response (NDR) solutions that perform behavioral beacon analysis. Block outbound connections from non‑browser processes on ports 80/443 unless explicitly required.

  7. Hunting with Sysmon and Event Log Correlation – The Chain Is the Detection

As noted by Flavio Queiroz’s comment, no single event is malicious. The kill chain of `.LNK` → `PowerShell` → `VBS` → `Msbuild.exe` (hollowed) must be correlated across time and endpoints.

Step‑by‑step hunting query (using PowerShell and Get‑WinEvent):

  • Collect Sysmon Event IDs: 1 (ProcessCreate), 7 (ImageLoad), 10 (ProcessAccess), 13 (RegistryEvent).
  • Build a correlation rule that searches for the four‑step sequence within a 60‑second window:
    $events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 10000
    # Group by ProcessGuid or parent PID to link LNK -> powershell -> vbs -> msbuild
    $links = $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $parent = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "ParentImage"}
        $child = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "Image"}
        [PSCustomObject]@{Parent=$parent.'#text'; Child=$child.'#text'; Time=$_.TimeCreated}
    }
    # A double-clicked .LNK is launched by explorer.exe, so that is the parent Sysmon records for the first PowerShell
    $links | Where-Object {$_.Parent -like "*\explorer.exe" -and $_.Child -like "*\powershell.exe"} | ForEach-Object {
        Write-Host "Potential PureRAT chain detected at $($_.Time)"
    }
    
  • Use a SIEM (e.g., Splunk, Sentinel) with a query. The .LNK itself never appears as an `Image`, so the observable chain is explorer.exe → powershell.exe → script host → msbuild.exe:
    index=sysmon EventID=1
    | eval step=case(like(lower(ParentImage), "%explorer.exe") AND like(lower(Image), "%powershell.exe"), "step1",
                     like(lower(Image), "%wscript.exe") OR like(lower(Image), "%cscript.exe"), "step2",
                     like(lower(Image), "%msbuild.exe"), "step3")
    | where isnotnull(step)
    | transaction User maxspan=1m
    | where mvcount(step)=3
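
As an added example (not code from the original post or from any PureRAT analysis), the Python below implements the same correlation on exported Sysmon Event ID 1 records rather than inside the SIEM: it links events through `ProcessGuid`/`ParentProcessGuid`, walks up from every `msbuild.exe` start, checks that the ancestry is PowerShell → script host → MSBuild launched from `explorer.exe` (how a double-clicked .LNK shows up), and applies the 60-second window. The event dictionaries are constructed to mirror Sysmon's EventData field names; the GUID values and user names are placeholders.

```python
"""Parent/child chain correlation over Sysmon ProcessCreate records (added example)."""
import ntpath
from datetime import datetime

# Expected chain, oldest first, as lower-case image basenames.  Step 0 is the launcher:
# a double-clicked .LNK is executed by explorer.exe, so that is the first PowerShell's parent.
LNK_LAUNCHER = ("explorer.exe",)
CHAIN = [("powershell.exe", "pwsh.exe"), ("wscript.exe", "cscript.exe"), ("msbuild.exe",)]
WINDOW_SECONDS = 60

SAMPLE_EVENTS = [  # constructed records with only the EventData fields the correlation needs
    {"UtcTime": "2024-05-01 10:00:05.100", "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"UtcTime": "2024-05-01 10:00:07.300", "ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\alice"},
    {"UtcTime": "2024-05-01 10:00:20.800", "ProcessGuid": "{D}", "ParentProcessGuid": "{C}",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "User": r"CORP\alice"},
    # benign: a developer build launched from Visual Studio
    {"UtcTime": "2024-05-01 10:05:00.000", "ProcessGuid": "{E}", "ParentProcessGuid": "{X}",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
    {"UtcTime": "2024-05-01 10:05:03.000", "ProcessGuid": "{F}", "ParentProcessGuid": "{E}",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "User": r"CORP\bob"},
]


def parse_ts(value: str) -> datetime:
    """Sysmon UtcTime format."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def find_chains(events, chain=CHAIN, launcher=LNK_LAUNCHER, window=WINDOW_SECONDS):
    """Return one hit per msbuild.exe start whose ancestry matches the chain within the window."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["Image"]) not in chain[-1]:
            continue
        lineage = [event]                                  # newest first
        while len(lineage) < len(chain):
            parent = by_guid.get(lineage[-1]["ParentProcessGuid"])
            if parent is None:                             # ancestor not in the data set
                break
            lineage.append(parent)
        if len(lineage) < len(chain):
            continue
        lineage.reverse()                                  # oldest first
        images_ok = all(basename(ev["Image"]) in allowed for ev, allowed in zip(lineage, chain))
        launcher_ok = basename(lineage[0]["ParentImage"]) in launcher
        span = (parse_ts(lineage[-1]["UtcTime"]) - parse_ts(lineage[0]["UtcTime"])).total_seconds()
        if images_ok and launcher_ok and 0 <= span <= window:
            hits.append({"user": event["User"], "span_seconds": span,
                         "chain": [basename(ev["Image"]) for ev in lineage]})
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(f"{hit['user']}: {' -> '.join(hit['chain'])} in {hit['span_seconds']:.1f}s")
```

Walking up from the last step rather than forward from the first keeps the rule cheap on a busy endpoint: explorer.exe starts many children, but msbuild.exe outside a build context is rare, and only those starts pay for the ancestry lookup. The devenv.exe-launched build in the sample is dropped because its ancestry does not match, which is the "Visual Studio context" distinction the section draws.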
    

What Undercode Say:

  • PureRAT proves that single‑event detection is obsolete; defenders must adopt kill‑chain correlation and behavioral baselines.
  • Process hollowing and steganography will be increasingly combined in next‑gen malware – invest in memory forensics and entropy‑based file analysis.
  • UEBA (User and Entity Behavior Analytics) is no longer optional – detecting `Msbuild.exe` outside a Visual Studio context is a high‑fidelity indicator.
  • Network detection must move beyond signatures and embrace beacon interval analysis, as PureRAT’s C2 traffic blends with normal HTTPS.
  • Red teams should emulate PureRAT techniques (T1564.003, T1055.012, T1218.002) to test SOC detection capabilities.
  • Blue teams must harden Windows processes: enable ASR rules, Sysmon with custom configs, and PowerShell logging v5+ to see obfuscated commands.
  • Open‑source steganalysis tools like `zsteg` and `stegdetect` should be integrated into malware ingestion pipelines.
  • Cloud and hybrid environments are not immune – PureRAT can tunnel C2 over Graph API or cloud storage services.
  • The future of malware is lightweight, modular, and fileless – defenders need continuous, behavior‑driven hunting, not just reactive alerts.

Prediction:

Within the next 18 months, adversaries will weaponize Large Language Models to generate polymorphic fileless loaders and adaptive steganographic payloads that change embedding algorithms per victim. Simultaneously, process hollowing will evolve into “process herding” – distributing malicious threads across multiple trusted processes to evade memory scanning. Defenders will shift toward AI‑driven correlation engines that model normal process relationships (e.g., parent‑child affinity over time) and flag any deviation as anomalous. Organizations that fail to adopt behavioral detection, network beacon analysis, and cross‑process timeline correlation will be systematically compromised by frameworks like PureRAT, where invisibility, not destructive capability, is the primary weapon.


Reported By: Flavioqueiroz Purerat – Hackers Feeds