Malware Forensics Concepts — Quick Reference

Image Generated By Author

Malware Detection:

Malware common locations are

• Windows\System32
• temp folders
• C:\Windows or %SYSTEMROOT%
• System volume information
• Recycle bin
• Program files
• Temporary internet files

Malware Persistence:

DLL Search Order Hijacking:

• Place malicious file ahead of DLL in Window’s DLL search order hierarchy
• Common example: Explorer.exe loading bad ntshrui.dll

DLL Search Order:

Memory -> KnownDLL registry list -> Directory where executable/process is located -> current directory -> Windows System 32 directory -> Windows directory -> directories listed in PATH environment variable

DLL Side Loading:

• Uses the legitimate Windows Side by Side (WinSxS) DLL loading mechanism to introduce an “updated” version of a DLL
• DLL side-loading is a technique that uses malicious DLLs that spoof legitimate ones, and which relies on legitimate Windows applications to load and execute the code.

Example: PlugX RAT

Locations used by Malware for Persistence:

• AutoStart Locations
• Service Creation/Replacement
• Service Failure Recovery
• Scheduled Tasks
• DLL Hijacking
• WMI Event Consumers (subscription)

More advanced: Local Group Policy, MS Office Add-In, BIOS Flashing

WMI Event Subscription — Malware Persistence:

• WMI can be used to perform several activities such as lateral movement, persistence, situational awareness, code execution and as a command and control (C2). The fact that WMI is part of Windows that exists in almost all windows operating systems (Windows 98- Windows 10) allows these offensive activities to stay off the radar of the blue team.
• Typically persistence via WMI event subscription requires creation of the following three classes which are used to store the payload or the arbitrary command, to specify the event that will trigger the payload and to relate the two classes (__EventConsumer &__EventFilter) so execution and trigger to bind together.

__EventFilter // Trigger (new process, failed logon etc.) EventConsumer // Perform Action (execute payload etc.) __FilterToConsumerBinding // Binds Filter and Consumer Classes

• Implementation of this technique doesn’t require any toolkit since Windows has a utility that can interact with WMI (wmic) and PowerShell can be leveraged as well. However various frameworks such as Metasploit, Empire, PoshC2, PowerSploit and multiple PowerShell scripts and C# tools can be used to automate this technique providing different triggers and various options for code execution.
• It should be noted that WMI events run as a SYSTEM, persists across reboots and Administrator level privileges are required to use this technique.

Scheduled Tasks — Malware Persistence:

• Two methods with windows, the deprecated at.exe and the upgraded version schtasks.exe (which provides more features such as finely controlled and diverse task scheduling options, setting tasks for specific Windows events such as specific user logging on)
• at.exe — recorded in at*.job files and Scdlgu.txt (XP)
• schtasks.exe — actively logging in Task Scheduler and Security logs
• Both allows the ability to schedule tasks on remote systems, this is commonly used to spread malware (i.e., backdoors), execute batch scripts, perform routine actions like credential dumping across many systems

Windows Services — Malware Persistence:

• Windows Services are designed to run applications in the background without user interaction and can be configured to reliably start at boot
• Popular malware persistence mechanism
• Can include creating a new service, modify and auto-start an already existing service to replace binary (using an unnecessary service to accomplish this), or using a service recovery mode option to load a malicious binary when the service crashes
• Start value set — 0x02 will start at boot

Host based evidence of Persistence:

Malware Persistence Mechanisms — methods utilised to survive a reboot

• Scheduled tasks
• Service replacement
• Service creation
• Service failure mechanisms
• Auto-start registry keys
• DLL search order hijacking
• Trojanized legitimate system libraries
• Local group policy
• MS office add-in
• BIOS flashing

Malware Defense Evasion:

• Mimicking known good services
• Process injection
• File name/service hijacking
• Alternate data streams
• Webshells
• Beacons
• Frequent compilation
• Packing/armoring
• Dormant malware
• Outbound HTTP beacons
• Signing code with trusted certification

Code Signing:

• Trusted code signing was intended to increase the security and trustworthiness of programs downloaded from the Internet
• Malware that is signed has easier time spreading and hiding on networks
• If detected it would be easy to revoke the code-signing certificate and add it to the CRL
• This would render all malware using that certificate useless because the CRL would be checked by any system executing the malware (if updated)
• Signed malware is trusted by the operating system and can stay hidden for a longer period of time without arousing suspicion
• Also an advantage if the developer is not planning on using that malware again and is willing the risk of it being revoked if discovered
• Rapid development and release of malware will be inhibited
• Malware authors need to rapidly develop alternatives to code in order to avoid anti-virus and host-based IDS
• Malware author would need a plethora of code signing certs to avoid burning an entire family of malware active across an enterprise if discovered

Malware Code Injection and Detection:

Two main types used by malware, DLL injection and process hollowing. Both are relatively easy to detect using memory analysis.

• Memory analysis tool has to follow the VAD tree of the process and review all memory sections (pages) belonging to the process looking for an executable (Page_Execute_ReadWrite) and an unmapped (not backed by file on disk)
• Another means to determine if Portable Executable (DLL) file is present in memory page
• DLL Injection is the most common technique used to inject malware into another process. The malware first enumerates a process for injection by calling APIs like CreateToolhelp32Snapshot, Process32First, Process32Next. Once a target process is identified, the malware gets the handle of the target process by calling OpenProcess. The malware then allocates memory by calling VirtualAllocEx and then WriteProcessMemory to write the path in the allocated memory. Finally the injected code is executed in the context of target victim process.
• For Process Hollowing — if image file (process binary) is unmapped. In this case, malware unmaps the code of the target process and overwrites the memory space of the target process with a malicious executable.

Originally published at http://cybersherlock.blog on September 18, 2021.