Stealthy 'Pulsar RAT' Windows Malware Campaign Uses In-Memory Execution for Evasion

Executive Summary

Security researchers at Point Wild have identified a new and sophisticated malware campaign distributing a .NET-based Remote Access Trojan (RAT) named Pulsar RAT. This malware is engineered for stealth, primarily targeting Windows environments. Its key characteristics include a multi-stage, memory-resident infection process that minimizes disk artifacts, making it difficult for traditional file-based antivirus solutions to detect. The RAT also employs advanced anti-analysis features to thwart researchers and automated sandboxes. The ultimate goal of Pulsar RAT is to provide attackers with interactive remote control over compromised systems to facilitate credential theft, surveillance, and data exfiltration. The use of legitimate web services like Discord and Telegram for command and control further complicates detection efforts.

Threat Overview

Pulsar RAT represents an evolution in stealthy malware, combining several effective evasion techniques. The infection process is multi-staged, meaning the initial payload is likely a small dropper or loader that then fetches and executes the main RAT component directly in memory. This fileless or near-fileless approach is a hallmark of modern malware seeking to bypass signature-based detection. The malware's reliance on standard Windows components for its operations, a practice known as "living-off-the-land" (LoTL), helps it blend in with normal system activity. The interactive nature of the RAT suggests it is not a simple automated tool but is used by human operators for hands-on-keyboard activity post-compromise.

Technical Analysis

Pulsar RAT is a modular implant with a strong focus on evasion and interactive control.

• Framework: The RAT is built on the .NET framework, which can sometimes be more difficult to analyze than native code.
• Execution: Its primary execution method is in-memory, avoiding writing the main payload to disk. This is a form of T1027 - Obfuscated Files or Information.
• Defense Evasion: The malware incorporates several anti-analysis techniques:
  • Anti-VM: Checks to see if it is running inside a virtual machine (T1497.001 - System Checks).
  • Anti-Debugging: Detects if a debugger is attached to its process (T1622 - Debugger Evasion).
  • Process Injection Detection: Checks for signs of process injection.
• Command and Control (C2): The RAT abuses legitimate, high-reputation web services for C2 communications, a technique known as T1102 - Web Service. It specifically uses Discord webhooks and Telegram bots to receive commands and exfiltrate stolen data.
• Capabilities: Once active, it provides operators with a range of functions, including:
  • Credential Harvesting (T1003 - OS Credential Dumping).
  • System Surveillance.
  • Remote Command Execution (T1059.003 - Windows Command Shell).
• Data Exfiltration: Stolen data is compressed into ZIP archives and exfiltrated over the C2 channel (T1560.001 - Archive via Utility).

Impact Assessment

The deployment of a sophisticated RAT like Pulsar RAT on a corporate network can lead to a complete compromise. The stealthy nature of the malware means it can remain undetected for long periods, allowing attackers ample time to map the network, escalate privileges, and locate and exfiltrate high-value data. The interactive control allows attackers to adapt their tactics in real-time based on the environment they have compromised. A successful infection could result in major data breaches, theft of intellectual property, and compromise of employee and customer credentials.

Cyber Observables for Detection

Detection & Response

1. Egress Traffic Filtering: Strictly filter and monitor outbound network traffic. Deny all outbound connections to known anonymization services and social media platforms like Discord and Telegram from servers and non-essential workstations (D3-OTF).
2. Memory Analysis: Since Pulsar RAT is memory-resident, traditional file scanning is ineffective. Use EDR tools with memory scanning capabilities or conduct periodic memory forensics on critical systems to identify suspicious in-memory artifacts.
3. PowerShell Logging: Enable enhanced PowerShell logging (Module Logging, Script Block Logging) to capture the activity of LoTL scripts. This can reveal the deobfuscated commands used by the malware (M1047 - Audit).
4. Behavioral Analytics: Use User and Entity Behavior Analytics (UEBA) to detect anomalous patterns, such as a user's machine suddenly communicating with Discord for the first time, or a server process attempting to create a ZIP archive.

Mitigation

1. Application Control: Implement application control technologies, such as Windows Defender Application Control, to restrict the execution of unauthorized scripts and .NET assemblies (M1038 - Execution Prevention).
2. Endpoint Hardening: Harden endpoints by disabling or restricting PowerShell for standard users and implementing Attack Surface Reduction (ASR) rules to block common malware behaviors.
3. Network Segmentation: Segment the network to prevent lateral movement. Even if a workstation is compromised, segmentation can prevent the RAT from reaching critical servers or other sensitive parts of the network (M1030 - Network Segmentation).
4. User Training: Educate users about phishing, the primary initial access vector for many RATs. Train them to be suspicious of unsolicited attachments and links (M1017 - User Training).