Over the last couple of years, user-mode API hooking has become highly popular among security vendors. Most next-gen antivirus products and EDRs rely on hooking to detect and prevent malicious activity. The technique gives defenders significant advantages, but attackers are increasingly aware of it and commonly come prepared with bypasses.


A recent example of this trend is Parallax RAT. The RAT maps a fresh copy of ntdll from disk and uses it to extract the syscall IDs of a set of functions, which it then uses to perform process hollowing via direct syscalls, evading security products that rely on hooking-based detection. The sample we analyzed injected its payload into an ipconfig.exe process. That payload then downloads a PNG image from a hardcoded imgur URL; the image carries the final payload, a Remcos RAT.
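Two artefacts of the loader behaviour described above are visible in a process memory map: a second view of ntdll.dll that the loader never registered (the fresh on-disk copy), and a main image that is no longer backed by the process's own executable (the hollowed ipconfig.exe). The following detector is an added example, not Minerva's code; the `Region` record shape and the sample memory map are constructed to resemble what a memory scanner or forensic plugin would report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    """One memory region of a process, as a scanner would report it (constructed schema)."""
    pid: int
    process: str           # path of the process executable
    base: int
    mapping_type: str      # "image" (SEC_IMAGE), "mapped" (plain file view) or "private"
    backing_file: str      # file behind the mapping, "" for private memory
    in_loader_list: bool   # region belongs to a module listed in the PEB loader data
    is_main_image: bool    # region sits at the PEB's ImageBaseAddress

def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_anomalies(regions: list) -> list:
    """Return (pid, finding, detail) triples for the two Parallax tell-tales."""
    findings = []
    by_pid = {}
    for r in regions:
        by_pid.setdefault(r.pid, []).append(r)
    for pid, regs in sorted(by_pid.items()):
        # 1. The loader maps ntdll exactly once, so any further ntdll.dll view that is not
        #    in the loader list is a copy mapped from disk, e.g. to harvest syscall IDs.
        for r in regs:
            if _name(r.backing_file) == "ntdll.dll" and not r.in_loader_list:
                findings.append((pid, "unregistered_ntdll_copy", f"{r.mapping_type} view at {r.base:#x}"))
        # 2. Main image not backed by the process's own executable: hollowing replaced it.
        for r in regs:
            if r.is_main_image and (r.mapping_type != "image" or _name(r.backing_file) != _name(r.process)):
                backed = r.backing_file or "nothing"
                findings.append((pid, "hollowed_main_image", f"{r.mapping_type} memory at {r.base:#x}, backed by {backed}"))
    return findings

# Constructed sample: pid 4242 is a clean ipconfig.exe, pid 5150 shows both tell-tales.
IPCONFIG = r"C:\Windows\System32\ipconfig.exe"
NTDLL = r"C:\Windows\System32\ntdll.dll"
SAMPLE = [
    Region(4242, IPCONFIG, 0x7FF600000000, "image", IPCONFIG, True, True),
    Region(4242, IPCONFIG, 0x7FFD00000000, "image", NTDLL, True, False),
    Region(5150, IPCONFIG, 0x7FF600000000, "private", "", False, True),
    Region(5150, IPCONFIG, 0x7FFD00000000, "image", NTDLL, True, False),
    Region(5150, IPCONFIG, 0x1C0A0000, "mapped", NTDLL, False, False),
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

Some legitimate software also maps a second ntdll, so treat the first finding as a lead to triage together with the parent process and network activity rather than as a verdict on its own.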

The PNG image containing the final payload:


We will not go into the full technical details of the RAT, as a comprehensive blog post has already been written by the excellent Vitali Kremez and can be found here.

Minerva prevents Parallax RAT with our Hostile Environment simulation, stopping the evasive malware by using its own code against it.

IOCs:

URLs:
https://i.imgur.com/dJIPdrD[.]png
https://i.imgur.com/OwAnqnT[.]png

Hashes:
faf9c66a64226b1d383e39bf717acb0731c1612c6bd298422187ab90645738f7
6c20f57fe0b68f7df851c4f99072a10c571627fcb6ba7498827f27857d3c1bc6
131487ABD0504E4C95D90C87DC13DCDF24396CDC5A70EA7827FB698E41985C3B
b798b1416ad540859ccfc691e79ae938c2523999b4707556b82030eaf6b623f8 (PNG image)

Mutexes:
Acustexmixapp-B7HQ5R
Remcos_Mutex_Inj