Over the last couple of years, user mode API hooking has become highly popular among security vendors. Most next-gen antiviruses and EDRs rely on hooking to detect and prevent malicious activity. The technique gives defenders significant advantages, but attackers are increasingly aware of it and commonly arrive prepared with bypasses.
A recent example of this trend is Parallax RAT. The RAT maps a fresh copy of ntdll from disk and uses it to extract the syscall IDs of a set of functions, which it then uses to perform process hollowing with direct syscalls, thus evading security products that rely on hooking-based detection. The sample we analyzed injected its payload into an ipconfig.exe process. The payload then downloads a PNG image from a hardcoded imgur URL; the image contains the final payload, a Remcos RAT.
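Two observable side effects of the evasion described above are a second ntdll image mapped into the process (the copy read from disk to recover syscall numbers) and syscall instructions executing outside the loader-registered ntdll. The following added example, which is not Minerva's code or part of the original post, shows how a detector could score both signals. The module list and syscall events are constructed telemetry; it assumes a data source (such as a kernel syscall callback or a stack walk) that reports the address of the instruction issuing each syscall, and the service numbers used are placeholders, not real Windows values.

```python
"""Constructed example: flagging direct-syscall evasion of the kind Parallax uses.

Two heuristics, from a defender's vantage point:
  1. A second, non-loader mapping of ntdll.dll in the process (the copy
     mapped from disk to read syscall numbers from).
  2. A syscall whose issuing instruction lies outside the loader-registered
     ntdll.dll (a direct syscall that skips the hooked stubs).
Addresses, module layout and service numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    loader_registered: bool  # True if the loader (PEB module list) knows it

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    service_number: int  # placeholder value, not a real Windows syscall ID
    caller_address: int  # address of the syscall instruction that trapped


def find_shadow_ntdll(modules):
    """Return ntdll mappings that the loader did not register (hypothetical 'shadow' copies)."""
    return [m for m in modules
            if m.name.lower() == "ntdll.dll" and not m.loader_registered]


def loader_ntdll(modules):
    """Return the loader-registered ntdll, or None if the process has none."""
    for m in modules:
        if m.name.lower() == "ntdll.dll" and m.loader_registered:
            return m
    return None


def direct_syscalls(events, modules):
    """Return events whose syscall instruction ran outside the legitimate ntdll."""
    ntdll = loader_ntdll(modules)
    if ntdll is None:
        return list(events)  # no registered ntdll at all: everything is suspicious
    return [e for e in events if not ntdll.contains(e.caller_address)]


def assess(modules, events):
    """Combine both heuristics into a list of human-readable findings."""
    findings = []
    for m in find_shadow_ntdll(modules):
        findings.append(f"shadow ntdll mapping at {m.base:#x}")
    for e in direct_syscalls(events, modules):
        findings.append(
            f"direct syscall {e.service_number:#x} from {e.caller_address:#x}")
    return findings


# Constructed process layout: the real ntdll at 0x7FF800000000, a second file
# mapping of ntdll at 0x02000000 that the loader never registered, and the
# injected code living inside the hollowed ipconfig.exe image.
MODULES = [
    Module("ipconfig.exe", 0x00400000, 0x20000, True),
    Module("ntdll.dll", 0x7FF800000000, 0x200000, True),
    Module("ntdll.dll", 0x02000000, 0x200000, False),  # mapped from disk
]
EVENTS = [
    SyscallEvent(4242, 0x18, 0x7FF800012345),  # issued through the real stub
    SyscallEvent(4242, 0x18, 0x00410ABC),      # same service, issued directly
    SyscallEvent(4242, 0x4E, 0x00410AD0),      # issued directly
]

if __name__ == "__main__":
    for finding in assess(MODULES, EVENTS):
        print(finding)
```

On this constructed input the shadow mapping and the two syscalls issued from the hollowed image are reported, while the call through the genuine ntdll stub is not. A real deployment would take the module list from the loader and the caller address from a kernel callback, since a user mode hook is exactly what this evasion avoids.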
The PNG image containing the final payload:
We will not go into full technical details of the RAT, as a comprehensive blog was already written by the excellent Vitali Kremez, and can be found here.
Minerva prevents Parallax RAT with our Hostile Environment simulation, preventing the evasive malware by using its code against it:
b798b1416ad540859ccfc691e79ae938c2523999b4707556b82030eaf6b623f8 (PNG Image)