Threat Watch

Parallax RAT Hiding in Legitimate Processes

A recent campaign against cryptocurrency companies has seen the Malware-as-a-Service (MaaS) Remote Access Trojan (RAT) Parallax utilizing process hollowing to make itself more difficult to detect. According to threat researchers at Uptycs, the initial payload was delivered via a phishing email and established persistence by adding itself to the Windows startup folder. The first payload then injected the second stage of the attack into a legitimate Windows component called “pipanel.exe”. From here, the malware begins to steal information from the victim machine. The attackers have also been noted to use notepad.exe to communicate with their victims, typically instructing them to connect to an attacker-controlled Telegram channel.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Phishing continues to be a popular method of initial access for threat actors. The effectiveness of phishing attacks, when paired with increasingly popular evasion techniques such as process injection and process hollowing, create a dangerous combination. These types of attacks will likely continue to grow in popularity due to the accessibility of closed source tools like this. They also serve to highlight the importance of a mature detection program that can respond to complex attacks and the critical nature of phishing awareness programs.

https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support