ZCyberNews
Malware · High · 3 min read

PureRAT Malware Evades Detection with PNG-Stashed Payloads

PureRAT hides its Windows PE payloads inside PNG files and executes them filelessly in memory, a technique detailed by cybersecurity researchers analyzing a new sophisticated campaign.


Executive Summary

A newly documented malware campaign is deploying a remote access trojan (RAT) called PureRAT using a sophisticated evasion technique. The attackers embed Portable Executable (PE) payloads within seemingly benign PNG image files and execute them directly in system memory, a method designed to avoid detection by traditional file-scanning security tools. According to analysis from CyberSecurity News, this fileless execution leaves minimal forensic traces on infected Windows systems.

Technical Analysis

The campaign's core evasion technique is its use of PNG files as carriers for malicious code. The threat actors embed a complete PE file, the PureRAT payload, within the PNG's data structure. The exact method of embedding is not detailed in the source, but such techniques usually take one of three forms: appending the executable after the PNG's IEND chunk (image viewers stop reading there, so the file still renders), placing it in a custom or ancillary chunk, or spreading it across pixel values so the picture looks untouched. A separate loader component, likely delivered through another vector, is responsible for extracting and executing this hidden payload. Crucially, the execution is performed filelessly: the PE is read from the PNG, mapped into the process's memory, and run without ever being written to disk as a separate executable file. This bypasses security solutions that rely on scanning files as they are created. Note what "fileless" does and does not mean here: the PNG and the loader are both on disk; only the final PE never exists as its own file, so the carrier image and the loader remain the detection opportunities on disk.

Tactics, Techniques & Procedures

The primary TTP is defense evasion by hiding the payload inside an image file, which ATT&CK catalogues as Steganography (T1027.003, a sub-technique of Obfuscated Files or Information, T1027). Loading the extracted PE straight into memory rather than dropping it to disk corresponds to Reflective Code Loading (T1620). By storing the final payload inside a PNG, the attackers separate the delivery mechanism from the malware itself. The source does not describe the loader, but such chains typically use an initial dropper that fetches or opens the PNG, locates and extracts the embedded binary, and uses ordinary Windows memory APIs to allocate executable memory, copy the image in, resolve its imports, and transfer control to it. This is not a living-off-the-land (LOLBin) technique: no signed system utility is abused to run the code, and the loader itself is a malicious component that must be present on the host.
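As an added example (not code from the source article and not part of the PureRAT campaign), the following Python scanner walks a PNG's chunk structure and checks the two on-disk stash locations the Technical Analysis and TTP sections describe: bytes appended after the IEND chunk and a PE placed inside a chunk. It confirms a PE by following the MZ header's e_lfanew pointer to the "PE\0\0" signature rather than matching "MZ" alone, so compressed pixel data does not trigger it. All samples are constructed in code; the "PE" is a header-only stand-in with no code, and the private chunk name daTa is an arbitrary choice. Pixel-level (LSB) steganography is out of scope for this check and needs a different approach.

```python
"""Scan a PNG for a Windows PE image stashed after IEND or inside a chunk.

Added example: PNG chunk walker plus MZ/PE header validation. All sample
inputs below are constructed in code; the "PE" is a header-only stand-in.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is non-standard.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def parse_png(data):
    """Return ([(type, offset, payload, crc_ok), ...], end) where end is the
    offset of the first byte after the IEND chunk. Raises on structural damage."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk at offset {pos}")
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, pos, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def find_pe(blob):
    """Offset of a PE image in blob, confirmed by MZ -> e_lfanew -> 'PE\\0\\0'; -1 if none."""
    start = 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):
            return -1
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        if e_lfanew >= 0x40 and i + e_lfanew + 4 <= len(blob) \
                and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
            return i
        start = i + 1


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    chunks, end = parse_png(data)
    for ctype, off, payload, crc_ok in chunks:
        name = ctype.decode("ascii", "replace")
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk at offset {off}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(payload)} bytes) at offset {off}")
        pe = find_pe(payload)
        if pe >= 0:
            findings.append(f"PE header inside {name} chunk at offset {off} (+{pe})")
    trailing = data[end:]  # a well-formed PNG ends exactly at IEND
    if trailing:
        pe = find_pe(trailing)
        if pe >= 0:
            findings.append(f"PE header in {len(trailing)} trailing bytes after IEND (+{pe})")
        else:
            findings.append(f"{len(trailing)} unexpected bytes after IEND")
    return findings


# ---- constructed samples (not real malware) ----
def make_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload \
        + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)


def make_png(extra_chunks=b""):
    """A valid 1x1 red RGB PNG, with optional extra chunks placed before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + extra_chunks
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def make_fake_pe():
    """Header-only stand-in: DOS header whose e_lfanew points at a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


CLEAN_PNG = make_png()
APPENDED_PNG = CLEAN_PNG + make_fake_pe()                    # PE glued after IEND
CHUNKED_PNG = make_png(make_chunk(b"daTa", make_fake_pe()))  # PE in a private chunk

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("chunked", CHUNKED_PNG)]:
        print(label, scan_png(sample) or ["no findings"])
```

Run as-is to see the three constructed samples scored, or call scan_png on real files from a mail gateway or web proxy quarantine. The CRC check matters in practice: an attacker who overwrites an existing chunk's payload without recomputing its CRC produces a file most viewers still display but that fails this check.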

Threat Actor Context

The source material does not attribute the PureRAT campaign to a known threat actor group. The use of custom, sophisticated evasion tactics suggests a capable operator, but their identity, motivation, and specific targets remain unclear. Further investigation would be required to determine if this is a broad cybercrime operation or a more targeted attack.

Mitigations & Recommendations

The fileless nature of the attack underscores the limitations of signature-based antivirus. Defenders should prioritize behavioral detection that can identify malicious activity in memory, in particular a process allocating executable memory and transferring control into a region that is not backed by any file on disk, which is how a reflectively loaded PE presents itself. Content inspection can still catch the carrier: a PNG with data after its IEND chunk, or with an oversized non-standard chunk, is a cheap heuristic for mail and web gateways, and the loader that performs the extraction is itself a file that can be hunted. Application allowlisting can prevent unauthorized programs from running. Network monitoring for anomalous outbound connections from unexpected processes may also help identify a PureRAT infection, as the malware establishes a remote access channel. Ensuring endpoint detection and response (EDR) solutions are properly configured to monitor for in-memory execution is critical.


Tags: #purerat #fileless #evasion #malware #windows