This is the third part of our malware evasion techniques series. If you’d like, you can also review our other articles on sandbox evasion and Living off the Land.
This article introduces a set of evasion techniques wherein malware takes advantage of running processes. These techniques fall under the broad category of malware evasion techniques known as process injection.
Finding threats in running processes
In the past, malware infections normally involved malicious processes that either carried out the attack itself or downloaded a file-based payload containing malicious code. These processes were easily caught by threat analysts and security software that simply listed running processes and then distinguished suspicious processes from legitimate ones.
Evasion through process injection
Malware authors are now aware of this countermeasure and have devised a way to circumvent it through a technique known as process injection, which makes it even harder for security tools to detect. Also known as memory injection, this technique involves running or ‘injecting’ malicious code in the address space (i.e., the range of valid addresses in memory that are allocated for a particular program or process) of a legitimate process already present in the memory.
Two advanced persistent threat (APT) attacks are good examples of using this particular evasion technique, and have been discussed previously here in our blog—APT27 (Emissary Panda) and APT32 (OceanLotus).
By hiding in a legitimate OS or application process, ransomware is be much less likely to stand out if security software runs an inspection on running processes. There are several ways that ransomware can implement process injection. Let’s take a look at two of them.
DLL Injection
Dynamic-Link Libraries or DLLs are integral to every running process, as they add functionality to the program running a particular process.
If you inspect processes running on your system , you’ll probably notice that they consist of one or more threads, most of which correspond to a DLL.
DLL injection is a process injection technique where the threat actor uses a legitimate process to execute a malicious DLL.
To do that, the threat actor typically carries out a number of steps:
- Enumerate a list of processes and identify a process to target.
- Place a malicious DLL file into the target system’s file system.
- Allocate memory space in the target process to accommodate that malicious DLL’s path.
- Copy that path into the process’ memory
- Obtain the address of an API function known as LoadLibraryand then use the DLL’s path as an argument of this function when using CreateRemoteThreadin the next step.
- Create a new thread in the target process using the CreateRemoteThread function while setting that new thread’s start address to the address of LoadLibrary.
Reflective DLL Loading
Using DLL injection for malware evasion has a couple of disadvantages for the attacker. First, the attacker has to store the malicious DLL file on the target system. That DLL file can potentially be detected by security solutions. Secondly, some security solutions monitor LoadLibrary calls and can even track DLLs loaded onto processes.
To circumvent these defensive measures, some malware developers use a modified version of DLL injection known as Reflective DLL Loading. This process injection technique loads a DLL from memory rather than from the target system’s disk.
Basically, reflective DLL loading forgoes using a DLL file, and instead, maps the actual contents of the malicious DLL to the target process without calling LoadLibrary. Aside from avoiding potentially-monitored LoadLibrary calls, this technique also eliminates the risk of getting detected as a suspicious DLL file. A variation of this technique also involves a fileless attack, in which the ransomware threat actor actually downloads the content of the malicious DLL directly into memory without even creating a file on the local hdd.
These are just two of several process injection techniques that are now used in the wild. Some of the popular ones include portable executable injection, process hollowing, process doppelganging, and VDSO hijacking, to mention a few.
How Minerva Armor Prevents Ransomware that use Memory injection
Minerva Armor’s Ransomware Protection platform includes a Memory Injection Prevention module which blocks attempts by fileless and other memory-resident malware to hide in legitimate processes and evade detection. By deceiving the malware about its ability to interact with other processes, Minerva prevents the ransomware from gaining a foothold on the endpoint, rendering its evasion technique completely ineffective. As this evasion technique occurs very early in the ransomware attack, when Minerva Armor blocks the evasion technique, it completely stops the attack before it manages to do any damage.