![Page 1: ANALYZING MALWARE EVASION TREND - FIRST · 2019-03-05 · ANALYZING MALWARE EVASION TREND FIRST Tel Aviv 2019. 2 // ENSILO.COM ABOUT US •Omri Misgav –Security Research Team Leader](https://reader030.vdocuments.mx/reader030/viewer/2022040406/5ea114506124fa70fe7b2da5/html5/thumbnails/1.jpg)
ENSILO.COM
BYPASSING USER-MODE HOOKS
ANALYZING MALWARE EVASION TREND
FIRST Tel Aviv 2019
2 // ENSILO.COM
ABOUT US
• Omri Misgav – Security Research Team Leader @ enSilo
– Reverse Engineering, OS internals
• Udi Yavo – CTO & Co-Founder @ enSilo
– Former CTO, Rafael Cyber Security Division
– Past speaker at Black Hat and RSA
• Our technical blog: BreakingMalware.com
3 // ENSILO.COM
AGENDA
• Intro and background
• Bypass techniques analysis
– Secondary DLL mapping
– Direct system call invocation
– Code splicing
• Comparison and takeaways
4 // ENSILO.COM
INTRO
• Hooking is used to intercept function calls in order to alter or augment their behavior
• User-mode hooks are used in many security products and tools
– AVs\NGAVs
– EDRs
– Sandboxes
– DLPs
– And more…
• Why?
– Stable, simple (nevertheless, not without faults)
– Lack of patch protection in user mode
– Full context of the call
• Bypasses have existed for a very long time
• Over the last ~1.5 years there has been an increasing number of reports (from malware and from pentesters)
5 // ENSILO.COM
HOOKING BACKGROUND
Native call path (User → Kernel):
Application
→ kernel32!CreateProcessA
→ kernel32!CreateProcessInternalA
→ kernel32!CreateProcessInternalW
→ ntdll!NtCreateUserProcess
---- User / Kernel boundary ----
→ ntoskrnl!...
→ ntoskrnl!NtCreateUserProcess
→ ntoskrnl!...

WOW64 call path (32-bit application on 64-bit Windows):
Application
→ Kernel32!ReadProcessMemory
→ KernelBase!ReadProcessMemory
→ ntdll!NtReadVirtualMemory (32-bit ntdll)
→ wow64cpu!X86SwitchTo64BitMode
→ wow64!Wow64SystemServiceEx
→ ntdll!NtReadVirtualMemory (64-bit ntdll)
---- User / Kernel boundary ----
→ ntoskrnl!...
→ ntoskrnl!NtCreateUserProcess
→ ntoskrnl!...
6 // ENSILO.COM
HOOKING BACKGROUND
Inline Hooks
• Control flow instructions (a jmp to the hook placed at the function entry)
• Generating exceptions (an int 3 placed at the function entry)

Original functions:

function_A:
0x401000: 55                push ebp
0x401001: 89 e5             mov ebp, esp
0x401003: 83 ec 40          sub esp, 0x40
0x401006: 50                push eax
0x401007: 8b 44 24 0c       mov eax, [esp + 0xc]
0x40100a: …

function_B:
0x403000: 55                push ebp
0x403001: 89 e5             mov ebp, esp
0x403003: 83 ec 50          sub esp, 0x50
0x403006: …

function_A hooked with a control flow instruction (the displaced prologue is re-executed in hook_A, which then jumps back past the patched bytes):

function_A:
0x401000: e9 00 20 40 00    jmp hook_A
0x401005: 89                nop
0x401006: 50                push eax
0x401007: 8b 44 24 0c       mov eax, [esp + 0xc]
0x40100a: …

hook_A:
0x402000: 55                push ebp
0x402001: 89 e5             mov ebp, esp
0x402003: 83 ec 40          sub esp, 0x40
0x402006: e9 06 10 40 00    jmp function_A + 6

function_B hooked by generating an exception:

function_B:
0x403000: cc                int 3
0x403001: 89 e5             mov ebp, esp
0x403003: 83 ec 50          sub esp, 0x50
0x403006: …
7 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Secondary DLL mapping
8 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
• ReadFile() + Reflective Loading
• FormBook, reported by FireEye
• Infostealer
• Referred to as the "Lagos Island method"
• Loads ntdll.dll
– Code injection and Process Hollowing
– File system and registry access
9 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
10 // ENSILO.COM
BYPASS TECHNIQUES
Manually Load DLL From Disk
11 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
• CopyFile() + LoadLibrary()
• Hancitor, reported by Malwarebytes
• Downloader
• Copies kernel32.dll
– Calls CreateProcess as part of Process Hollowing
12 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
13 // ENSILO.COM
BYPASS TECHNIQUES
Clone DLL
14 // ENSILO.COM
BYPASS TECHNIQUES
Section Remapping
• [Nt]CreateFile() + NtCreateSection(…, SEC_IMAGE, …) + ZwMapViewOfSection()
• Osiris, reported by Malwarebytes
• Banking trojan
• Remaps ntdll.dll
– Process Doppelgänging\Hollowing hybrid ("Transacted Hollowing")
15 // ENSILO.COM
BYPASS TECHNIQUES
Section Remapping
16 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Direct system call invocation
17 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
• Calling system calls directly
• DarkGate, reported by enSilo
• Crypto miner and stealer
• Used for Process Hollowing and writing to the registry
18 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
19 // ENSILO.COM
BYPASS TECHNIQUES
NTDLL Parsing
[Diagram: the native and WOW64 call-path figure from slide 5 (HOOKING BACKGROUND), shown again on this slide]
20 // ENSILO.COM
BYPASS TECHNIQUES
Heaven's Gate
• Make system calls from within the WOW64 emulation layer
– 32-bit application on 64-bit Windows
• GlobeImposter, reported by enSilo
• Ransomware
• Used for Process Hollowing
21 // ENSILO.COM
BYPASS TECHNIQUES
Heaven's Gate
22 // ENSILO.COM
BYPASS TECHNIQUES
Heaven's Gate
[Diagram: the native and WOW64 call-path figure from slide 5 (HOOKING BACKGROUND), shown again on this slide]
23 // ENSILO.COM
BYPASS TECHNIQUES ANALYSIS
Code splicing
24 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
• Rebuild function stubs elsewhere
• Commonly used by packers
• CodeFork's Gamarue, reported by Radware
• Downloader for bots, spamming, miners…
• Copies the first instruction of library functions it uses
25 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
26 // ENSILO.COM
BYPASS TECHNIQUES
Code Splicing (a.k.a. Byte Stealing)
27 // ENSILO.COM
BYPASS TECHNIQUES
Comparison

| Technique | Runtime Indicators | Forensic Artifacts | Drawbacks |
|---|---|---|---|
| Manually Load DLL From Disk | Callstacks missing relevant DLLs | Floating PE copy in memory | Significantly different from the norm |
| Clone DLL | Callstacks with unexpected DLLs | Identical PEs in memory; changes to file system | Lower level\dependencies can be hooked |
| Section Remapping | Multiple mappings of same PE | Multiple mappings of same PE | Can't be used for complex code |
| NTDLL Parsing | Callstacks missing ntdll.dll | | Limited functionality |
| Heaven's Gate | Callstacks missing WOW64 system DLLs | | Limited functionality |
| Code Splicing | | | Internal\lower level\dependencies can be hooked |
28 // ENSILO.COM
BYPASS TECHNIQUES
Summary
• Used by all sorts of malware families
• Sophisticated actors, though not necessarily APTs
• Usually used to mask the initial steps and the establishing of a foothold
• None of the techniques are actually new
• Some techniques are not as commonly used in the wild
– Unhook Flashbang\ReflectiveDLLRefresher: detectable and reversible
– Bring Your Own Indexes (BYOI): version dependent
29 // ENSILO.COM
ANALYSIS AND DETECTION TACTICS
• Events regarding system DLLs can be used as indicators
– Copy, multiple read\load operations
• Check the callstacks
• Place hooks\breakpoints at non-trivial locations
• Randomize as much as you can
• Hook many different layers ("mine" the path)
• Correlate user-mode and kernel-mode data
• Use information provided by the OS (ETW)
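As an added example (not part of the enSilo deck), the following Python script turns the runtime indicators from the comparison table and the tactics on this slide into detection rules and runs them over constructed endpoint telemetry: identical PEs at two paths and a copy of a system DLL (Clone DLL), the same system DLL mapped twice or read/sectioned again after load (Section Remapping, Manually Load DLL From Disk), a kernel-observed system call whose user-mode call stack has no ntdll.dll frame (NTDLL Parsing), and a WOW64 process whose call stack reaches 64-bit ntdll without any wow64*.dll frame (Heaven's Gate). The event shapes, paths and hash values are assumptions made for the example, not a real EDR schema or real indicators.

```python
# Added example, not from the enSilo deck: detection rules over constructed
# endpoint telemetry, following the runtime indicators in the comparison table
# and the "analysis and detection tactics" slide. Event shapes, paths and hash
# strings are assumptions for illustration, not a real EDR schema or real IoCs.
import ntpath
from collections import defaultdict

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}
WOW64_DLLS = {"wow64.dll", "wow64cpu.dll", "wow64win.dll"}


def check_modules(pid, modules):
    """modules: (path, base, image_hash) for every image mapped in the process.
    Identical PEs at different paths -> Clone DLL ("identical PEs in memory");
    the same system DLL mapped more than once -> Section Remapping / manual load
    ("multiple mappings of same PE")."""
    findings = []
    by_hash, by_name = defaultdict(set), defaultdict(list)
    for path, base, image_hash in modules:
        by_hash[image_hash].add(path.lower())
        by_name[ntpath.basename(path).lower()].append(base)
    for image_hash, paths in by_hash.items():
        if len(paths) > 1 and any(ntpath.dirname(p) in SYSTEM_DIRS for p in paths):
            findings.append((pid, "Clone DLL", "identical PE at " + ", ".join(sorted(paths))))
    for name, bases in by_name.items():
        if name in SYSTEM_DLLS and len(bases) > 1:
            findings.append((pid, "Section Remapping / Manual Load",
                             f"{name} mapped {len(bases)} times"))
    return findings


def check_file_events(pid, events):
    """events: (op, path) with op in {'copy', 'read', 'create_section'}.
    Ordinary code never copies a system DLL, reads it with ReadFile, or creates
    a second image section for it after the loader already mapped it."""
    findings = []
    per_dll = defaultdict(lambda: defaultdict(int))
    for op, path in events:
        name = ntpath.basename(path).lower()
        if name in SYSTEM_DLLS and ntpath.dirname(path.lower()) in SYSTEM_DIRS:
            per_dll[name][op] += 1
    for name, ops in per_dll.items():
        if ops["copy"]:
            findings.append((pid, "Clone DLL", f"{name} copied {ops['copy']}x"))
        if ops["read"] or ops["create_section"] > 1:
            findings.append((pid, "Manual Load / Section Remapping",
                             f"{name}: {ops['read']} reads, {ops['create_section']} sections"))
    return findings


def check_callstack(pid, is_wow64, syscall, frames):
    """frames: module names on the user-mode call stack captured when the kernel
    side observed `syscall` (user/kernel correlation), innermost frame first.
    No ntdll.dll frame -> the system call was issued directly (NTDLL Parsing).
    WOW64 process with ntdll but no wow64*.dll frames -> Heaven's Gate."""
    names = [f.lower() for f in frames]
    if "ntdll.dll" not in names:
        return [(pid, "NTDLL Parsing (direct syscall)", f"{syscall} without ntdll.dll frame")]
    if is_wow64 and not WOW64_DLLS.intersection(names):
        return [(pid, "Heaven's Gate", f"{syscall} reached 64-bit ntdll without the WOW64 layer")]
    return []


# Constructed sample telemetry: pids 1001-1004 exhibit one technique each,
# pid 1005 is a normal CreateProcess call and must produce no finding.
SAMPLE = {
    "modules": {
        1001: [(r"C:\Windows\System32\ntdll.dll", 0x7FFA0000, "hash-ntdll"),
               (r"C:\Windows\System32\kernel32.dll", 0x7FF90000, "hash-k32"),
               (r"C:\Users\u\AppData\Local\Temp\k32copy.dll", 0x10000000, "hash-k32")],
        1002: [(r"C:\Windows\System32\ntdll.dll", 0x7FFA0000, "hash-ntdll"),
               (r"C:\Windows\System32\ntdll.dll", 0x00400000, "hash-ntdll")],
    },
    "file_events": {
        1001: [("copy", r"C:\Windows\System32\kernel32.dll")],
        1002: [("create_section", r"C:\Windows\System32\ntdll.dll"),
               ("create_section", r"C:\Windows\System32\ntdll.dll")],
    },
    "callstacks": [
        (1003, False, "NtCreateUserProcess", ["sample.exe"]),
        (1004, True, "NtReadVirtualMemory", ["sample.exe", "ntdll.dll"]),
        (1005, False, "NtCreateUserProcess", ["app.exe", "kernel32.dll", "KernelBase.dll", "ntdll.dll"]),
    ],
}


def run_all(sample):
    """Apply every rule to the telemetry and return (pid, technique, detail) tuples."""
    findings = []
    for pid, mods in sample["modules"].items():
        findings += check_modules(pid, mods)
    for pid, evs in sample["file_events"].items():
        findings += check_file_events(pid, evs)
    for pid, is_wow64, syscall, frames in sample["callstacks"]:
        findings += check_callstack(pid, is_wow64, syscall, frames)
    return findings


if __name__ == "__main__":
    for pid, technique, detail in run_all(SAMPLE):
        print(f"pid {pid}: {technique}: {detail}")
```

The call-stack rule is the one that depends on correlating kernel-mode data with user-mode data: the system call is observed below the user-mode hooks, so a missing ntdll.dll or wow64 frame is visible even though no user-mode hook fired. Code Splicing leaves none of these indicators, which is why the table lists only a drawback for it; the deck's answer there is to hook lower-level internal dependencies rather than the exported entry points.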
30 // ENSILO.COM
CLOSING REMARKS
• These are only a handful of examples
• Trivial to implement, simple to use (most have source code available)
• Hardly any recent innovations, yet still very effective
• MITRE ATT&CK doesn’t reference hook bypassing as defense evasion
• Using user-mode hooks for security is not enough
31 // ENSILO.COM
QUESTIONS?
[email protected] in/udiyavo @UdiYavo
www.breakingmalware.com
in/omri-misgav