{
	"id": "45417d63-5d9c-4b4d-be31-76e25f0b5c38",
	"created_at": "2026-04-06T00:06:42.994612Z",
	"updated_at": "2026-04-10T13:11:34.617229Z",
	"deleted_at": null,
	"sha1_hash": "a1ceff72fc0c4d771e8506687a82d5c3fedd4c4b",
	"title": "Teaching an old RAT new tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51652,
	"plain_text": "Teaching an old RAT new tricks\r\nBy Joseph Landry\r\nPublished: 2016-04-21 · Archived: 2026-04-05 22:54:06 UTC\r\nAttackers have been successfully deploying RATs for years to remotely control users' systems – giving them full access to the victim’s files or resources such as cameras, recording keystrokes, or downloading further malware.\r\nTraditionally RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve the use of files to deliver the payload – which are easier to detect.\r\nRecently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory throughout its execution, never touching the disk in a decrypted state. In doing so, the attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies that only focus on file-based threat vectors. Also, the samples analyzed have the ability to detect the presence of a virtual machine to ensure they are not being analyzed in a network sandbox.\r\nAnd finally it’s important to highlight that the RAT itself is not new. In fact this technique can be used to deliver any “known” RAT to a victim’s system. We analyzed this sample against our SentinelOne EPP to confirm it does not evade our behavior-based detection mechanisms. 
This is due to the fact that we’re monitoring all processes at the user-space/kernel-space interface – and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points.\r\nSamples Analyzed\r\nMain Sample\r\nFormat: Win32 PE .NET 2.0\r\nSHA-256 sum: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8\r\nSHA-1 sum: 3b1ac573509281cdc0b6141f8ea6ed3af393b554\r\nMD5 sum: 65752e742d643d121ee7e826ab65dc9b\r\nFile size: 321024 bytes (324 kb)\r\nUnpacked Samples\r\nMain Sample\r\ne5c71180f117270538487cd9b9b1b6d8 – Packed “Benchmark” DLL\r\n9e05fb115bd4e85cfc0e32c72aa721be – Monitor (PerfWatson.exe)\r\nd740ed3f33ca4cef3a6aa717f94bf52a – NanoCore RAT dumped from memory\r\nBehavioral Analysis\r\nhttps://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/\r\nPage 1 of 4\n\nWhen run, the binary copies itself to %APPDATA%\\Microsoft\\Blend\\14.0\\FeedCache\\nvSCPAPISrv.exe and extracts a second binary named PerfWatson.exe. It then executes both binaries.\r\nFor persistence, a registry key is created at HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load pointing to the PerfWatson.exe binary.\r\nFinally, the RAT tries connecting back to its control server:\r\nazona2015.chickenkiller.com:1617 (TCP)\r\nazona.chickenkiller.com:1617 (TCP)\r\nchickenkiller.com is owned by a free dynamic DNS service.\r\nAt the time of this writing, the DNS records still exist, but the address they resolve to appears to be down.\r\nUnpacking\r\n“Benchmark” .NET DLL\r\nThe main executable contains an XOR-encrypted .NET DLL in its .NET managed resources and the logic to unpack it. This DLL contains the logic to unpack and inject the RAT as well as monitor the application, PerfWatson.exe. This DLL is referred to as “Benchmark” because that is the .NET namespace it uses.\r\nAfter decrypting the resource, it is linked into the process using System.Reflection.Assembly.Load(byte[]). 
This method is documented on MSDN here. Using this method, the DLL is never written to the filesystem. This technique could have been chosen by the developers to evade antivirus detection.\r\nUnder the hood, Assembly.Load() uses the Win32 API call CreateFileMappingW() with the hFile parameter set to INVALID_HANDLE_VALUE. According to MSDN, this creates a file mapping that is backed by the system paging file rather than a file on disk. A layer below CreateFileMapping, the system call NtCreateSection is invoked.\r\nAfter the empty mapping is created, it is mapped into memory using the Win32 API call MapViewOfFileEx. The layer below this invokes the system call NtMapViewOfSection.\r\nNow, a call to memcpy() is used to copy the decrypted DLL into the newly allocated address range.\r\nUnpacking Settings and NanoCore\r\nThe settings for “Benchmark” and the NanoCore executable are serialized, DES-encrypted, spliced, and stored across multiple PNG files as pixel data. The PNG files are concatenated and stored in the .NET managed resources of the main executable.\r\nSome of the settings that can be configured are:\r\nExit if a virtual machine is detected\r\nPaths and filenames to store PerfWatson.exe and NanoCore\r\nDisplay a message box to the user\r\nDelete “:Zone.Identifier” information for files from NTFS ADS\r\nDownload an encrypted file from the Internet, decrypt it, and run it\r\nMonitor the injected process\r\nAfter viewing one of these images, it is obvious they are not meant to convey visual information to a human eye.\r\nAfter writing a short Python script, I was able to extract all 19 PNG files. 
If you have robot eyes, you can see a cat.\r\nHere is a C# decompilation of the method used to extract the information out of the pixel data.\r\nOnce everything is decrypted, the configured options are executed, and the NanoCore RAT payload is injected into a new child process. The method of injection is discussed later.\r\nUnpacking PerfWatson.exe\r\nNow that “Benchmark” is loaded into memory, it is tasked with copying the main executable and extracting PerfWatson.exe to %APPDATA%\\Microsoft\\Blend\\14.0\\FeedCache.\r\nPerfWatson.exe is stored inside Benchmark as a base64-encoded string. There is no encryption or obfuscation beyond the base64 encoding.\r\nInside the .NET assembly, the string is stored as a DefaultSettingValue string. The developers might have used this as a way to conceal the meaning of this long string.\r\nOnce the string is decoded, it is written to disk and executed.\r\nInjecting the Payload\r\nThe NanoCore RAT payload is never written to disk, to avoid detection. 
Instead, it is injected into a new process.\r\nThe injection routine can be summarized by these Win32 API and system calls:\r\nCreateProcessW(CREATE_SUSPENDED): creates the child process in a suspended state.\r\nNtGetContextThread(): reads the thread context, used to find the PEB and later to update the EIP register.\r\nReadProcessMemory(): reads the PEB.ImageBaseAddress field.\r\nNtUnmapViewOfSection(): runs only when there is an image already mapped at 0x400000.\r\nVirtualAllocEx(): allocates the pages for injection.\r\nNtWriteVirtualMemory(): writes the following:\r\n0x00400000: MZ/PE Header\r\n0x00402000: .text\r\n0x00436000: .rsrc\r\n0x0043a000: .reloc\r\nPEB.ImageBaseAddress: updates the base address to 0x400000.\r\nNtSetContextThread(): updates the EIP register in the thread context.\r\nNtAlertResumeThread(): causes the child process to leave the suspended state and become runnable.\r\nThe process begins in suspended mode:\r\nNext, the thread context is read from the child process:\r\nFrom the thread context, the address of the PEB is now known and can be read:\r\nThe address range for the injected image is now allocated:\r\nThen a series of NtWriteVirtualMemory() calls injects the RAT image and updates PEB.ImageBaseAddress.\r\nNtSetContextThread is invoked to update the EIP register’s value:\r\nFinally, execution is started with NtAlertResumeThread:\r\nBy dumping the process to disk, we can see that the injected process is just the NanoCore client.\r\nSource: https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/"
	],
	"report_names": [
		"teaching-an-old-rat-new-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1ceff72fc0c4d771e8506687a82d5c3fedd4c4b.pdf",
		"text": "https://archive.orkl.eu/a1ceff72fc0c4d771e8506687a82d5c3fedd4c4b.txt",
		"img": "https://archive.orkl.eu/a1ceff72fc0c4d771e8506687a82d5c3fedd4c4b.jpg"
	}
}