Malware Behavior
Downloaders and Launchers
A launcher (also known as a loader) is any executable that installs malware for immediate or future covert execution. Launchers often contain the malware that they are designed to load.
Downloaders simply download another piece of malware from the Internet and execute it on the local system.
Downloaders commonly use the Windows API URLDownloadToFileA followed by a call to WinExec to download and execute the new malware.
Backdoors
A backdoor is a type of malware that provides an attacker with remote access to a victim's machine.
Reverse Shell
A reverse shell is a connection that originates from an infected machine and provides attackers shell access to that machine.
(A Windows reverse shell usually involves a call to CreateProcess and the manipulation of the STARTUPINFO structure that is passed to CreateProcess.)
(A multithreaded version of a Windows reverse shell involves the creation of a socket, two pipes, and two threads. It usually calls the Windows APIs CreateThread and CreatePipe.)
RATs
A remote administration tool (RAT) is used to remotely manage a computer or computers. RATs are often used in targeted attacks with specific goals, such as stealing information or moving laterally across a network.
Botnets
A botnet is a collection of compromised hosts, known as zombies, that are controlled by a single entity, usually through a server known as the botnet controller. The goal of a botnet is to compromise as many hosts as possible in order to create a large network of zombies that the botnet uses to spread additional malware or spam, or to perform DoS attacks.
Credential Stealers
Attackers try to steal credentials, primarily with three types of malware:
1. Programs that wait for a user to log in in order to steal their credentials.
2. Programs that dump information stored in Windows, such as password hashes, to be used directly or cracked offline.
3. Programs that log keystrokes.
GINA Interception (msgina.dll)
On Windows XP, Microsoft's Graphical Identification and Authentication (GINA) interception is a technique that malware uses to steal user credentials.
GINA is implemented in a DLL, 'msgina.dll', and is loaded by the Winlogon executable during the login process.
The GINA system was intended to allow legitimate third parties to customize the logon process by adding support for things like authentication with hardware radio-frequency identification (RFID) tokens or smart cards. Malware authors take advantage of this third-party support to load their credential stealers.
Attackers usually install a malicious DLL between 'winlogon.exe' and 'msgina.dll', in a man-in-the-middle fashion, to steal user credentials.
Hash Dumping
- Functions such as "SamIConnect", "SamrQueryInformationUser" and "SamIGetPrivateData" are used for hash dumping: "SamIConnect" and "SamrQueryInformationUser" connect to the SAM and query each user on the system, and "SamIGetPrivateData" extracts the hashes.
- Hash dumpers also use functions such as "LsaEnumerateLogonSessions" to obtain a list of locally unique identifiers (LUIDs), and "GetModuleHandle" to get a handle to the Windows DLL msv1_0.dll in order to locate its non-exported function "NlpGetPrimaryCredential", which is then used to dump the NT and LM hashes.
Pwdump and Pass-the-Hash (PSH) are two open source toolkits that provide hash dumping. Both toolkits work by performing DLL injection into the Local Security Authority Subsystem Service (LSASS) process (better known as lsass.exe) and gathering the LM and NTLM hashes of local user accounts from the Security Account Manager (SAM).
Attackers try to grab the hashes in order to crack them offline or to use them in a pass-the-hash attack. A pass-the-hash attack uses LM and NTLM hashes to authenticate to a remote host (using NTLM authentication) without needing to decrypt or crack the hashes to obtain the plaintext password.
Keylogging
- Keylogging is a form of credential-stealing malware that records keystrokes so that attackers can observe typed data like usernames and passwords.
- There are two types of keyloggers:
- Kernel-Based Keyloggers
- User-Space Keyloggers
User-Space Keyloggers:
- They use the Windows API and are usually implemented with either hooking or polling.
- Hooking uses the Windows API to notify the malware each time a key is pressed, typically with the "SetWindowsHookEx" function.
- Polling uses the Windows API to constantly poll the state of the keys, typically using the "GetAsyncKeyState" and "GetForegroundWindow" functions.
Persistence Mechanisms
- Windows Registry
- AppInit_DLLs
- Winlogon Notify (Winlogon events such as logon, logoff, startup, shutdown)
- SvcHost DLLs
- Trojanized Binaries (By patching system binary to force system to execute malware)
Privilege Escalation
- If a user launches malware on a system but is not running with administrator rights, the malware will usually perform a privilege escalation attack to gain full access.
Using SeDebugPrivilege
- One way malware can gain access to locked resources is by setting the access token's rights to enable "SeDebugPrivilege".
- SeDebugPrivilege was created as a tool for system-level debugging, but malware authors exploit it to gain full access to system-level processes.
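A static triage check built from the API names these notes cite, as an added example that is not part of the original notes: given the imported function names and the strings pulled from a sample, it reports which of the behaviours above (downloader, reverse shell, hash dumping, keylogging, SeDebugPrivilege use) they point to. AdjustTokenPrivileges is assumed as the API used to enable the privilege (the notes only name the privilege itself), and the sample inputs are constructed.

```python
import re

# Indicator groups per behaviour. A behaviour fires only when EVERY group has
# at least one member present, so a lone GetAsyncKeyState does not flag a
# keylogger by itself (plenty of legitimate programs poll key state).
RULES = {
    "downloader": [{"URLDownloadToFile"}, {"WinExec"}],
    "reverse shell": [{"socket", "WSASocket"}, {"CreateProcess"}],
    "reverse shell (multithreaded)": [
        {"socket", "WSASocket"}, {"CreateProcess"}, {"CreatePipe"}, {"CreateThread"},
    ],
    # The SAM functions are usually resolved at run time, so they tend to show
    # up as strings rather than in the import table; both sources are merged.
    "hash dumping (SAM)": [
        {"SamIConnect"}, {"SamrQueryInformationUser"}, {"SamIGetPrivateData"},
    ],
    "hash dumping (msv1_0)": [
        {"LsaEnumerateLogonSessions"}, {"GetModuleHandle"},
        {"msv1_0.dll", "NlpGetPrimaryCredential"},
    ],
    "keylogger (hooking)": [{"SetWindowsHookEx"}],
    "keylogger (polling)": [{"GetAsyncKeyState"}, {"GetForegroundWindow"}],
    # AdjustTokenPrivileges is an assumption: the notes only name the privilege.
    "privilege escalation (SeDebugPrivilege)": [
        {"AdjustTokenPrivileges"}, {"SeDebugPrivilege"},
    ],
}


def normalize(name):
    """Drop the ANSI/Unicode suffix so CreateProcessA and CreateProcessW both match."""
    return re.sub(r"(?<=[a-z])[AW]$", "", name)


def triage(imports, strings=()):
    """Return the behaviours (in RULES order) whose indicator groups are all present."""
    seen = {normalize(n) for n in imports} | set(strings)
    return [b for b, groups in RULES.items() if all(g & seen for g in groups)]


# Constructed sample: imports and strings of a hypothetical dropper.
SAMPLE_IMPORTS = ["URLDownloadToFileA", "WinExec", "GetAsyncKeyState",
                  "GetForegroundWindow", "AdjustTokenPrivileges", "LookupPrivilegeValueA"]
SAMPLE_STRINGS = ["SeDebugPrivilege"]

if __name__ == "__main__":
    for behaviour in triage(SAMPLE_IMPORTS, SAMPLE_STRINGS):
        print("indicator:", behaviour)
```

The import list can be fed from any PE parser; the rules are deliberately conservative, so treat a hit as a reason to look closer, not as a verdict.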