Fileless malware and detection methods in Windows OS

This article will discuss the basic methods of evading malware from detection by injecting legitimate processes into the memory, the main highlight which is that malware lives only in RAM, leaving no trace on ROM. The good thing about these methods is that once the production machine is rebooted, no computer forensics specialist will be able to tell what happened, because all the artifacts will be erased.

Just imagine: you are an ordinary user of a domain machine, an employee of some organization, to whom the boss sent a set of documents. You open the file, read it, without even noticing that in the mail only one letter has been replaced with a very similar one. Meanwhile, the malware is already in full swing stealing credentials from your workstation. You finish your work, turn off your computer and the traces of the attack are gone.

This is a fairly typical situation, which can be dealt with in various ways that do not relate to the topic of my article. However, there is a rather important task for attackers: How to avoid detection of SABZ in order to to the glory work in the system and not be noticed? This is exactly what will be discussed. Consider methods like

Process Hollowing (injection into an empty process)

The main essence of the Process Hollowing technique is to create a legitimate process in a suspended state (SUSPEND) and overwrite its address space with malicious code that can be loaded over the network or from disk in an obfuscated form (to avoid alerts during static analysis by means of AIA) and subsequently removed during execution.
The key difference between this technique and methods with the introduction of a DLL or PE file into the process is the complete rewriting of the code of a legitimate process, which ceases to function in its original form, leaving only a line in Process Explorer with an inconspicuous name.

By the way, when using Process Hollowing, only the address space, which includes the executable code, is overwritten, and structures PEB (process environment block) remain untouched.

So, what are the stages from the launch of a legitimate process to the start of execution of the malicious code?

1. Using the function CreateProcess WinAPI starts a legitimate process with the flag SUSPEND (the process will be created with the main thread suspended).

2. Clear the address space of the target process from native code.

3. Allocate a new addressable memory area with security bits PAGE_EXECUTE_READWRITE.

4. We load the malicious code into the prepared memory area using WriteProcessMemory.

5. Change the entry point of the suspended thread to the address of the injected code.

6. Modify PEB to point to the base address of the replaced image in the suspended process.

7. Resuming a suspended process thread. ResumeThread(pi.hThread);

Here are some tools to implement this method:

1. https://github.com/EmreOvunc/Process-Injection-Process-Hollowing-T1055.012

2. https://github.com/m0n0ph1/Process Hollowing

Now that the very mechanism for implementing such an attack is clear, we can begin to analyze the detection methods. I will show the whole process on the example of one of the laboratory malwarecookbook.

Non-standard parent-child relationship

Most often, attackers try to disguise a malicious process as something as inconspicuous as possible, such as lsass.exe, svchost.exe, and other executable files digitally signed by Microsoft. For processes such as lsass.exe, you should pay attention to their number, since some of the services, including the aforementioned one, usually run in a single instance in the system and only then are used by other applications and system components. Consider our example.
Let’s define the system under study and look at the process tree.

Let’s pay attention to the fact that we have as many as 3 lsass.exe processes, 2 of which (PID 868, 1928) are children of services.exe, which is completely non-standard for Windows XP, where lsass has always been a child of winlogon.exe. This fact already suggests the use of Process Hollowing.

Non-standard security bits

Injection into an empty process can also be detected by scanning process memory pages for non-standard security bits. PAGE_EXECUTE_READWRITE. This indicates that the code executing in the context of this process was forced into the address space. (In a legitimate start, the security bits are most often set to PAGE_EXECUTE_READCOPY).

In this case, we see that the memory page with the address 0x1000000 just fits this sign, and its address matches the base address of the lsass.exe process (PID 868), which indicates that the executable code of the process has been tampered with.

PEB and VAD inconsistency

VAD – Virtual Address Descriptor is used by the Windows memory manager to describe the ranges of memory used by a process as they are allocated. When a process allocates memory with VirtualAllocthe memory manager creates an entry in the VAD.

This detection method is based on comparing the PEB and VAD structures, specifically a pointer to the location of the executable file on disk.
Let’s check the indicated structures for inconsistency for the already suspected process with PID 868.

We see that the information taken from the unmodified PEB points to the lsass.exe executable file on the disk
C:\WINDOWS\system32\lsass.exe.
Let’s check the VAD structure.

Immediately striking is the absence of this path on the disk when analyzing VAD. That’s the inconsistency! You can also notice that the original process code was never started, because the process was created with the flag SUSPEND. This is indicated by False in the InInit column.
Let’s check our assumption about the maliciousness of this process, extract the executable load from memory and send it to VirusTotal

We see that we have successfully discovered the use of Process Hollowing.

This method of hiding malware in the system is gradually losing its popularity due to the emergence of more advanced techniques, but at a certain point in time it was widely used by attackers. For example, such malware how TrickBot, Kovter, Dridex, Poweliks used this method to hide from antiviruses. At the moment, the technique has already been deeply studied and is rarely used in computer attacks.

Process Doppelganging (twin process)

This technique appeared in 2017 and was first shown at the Black Hat Europe 2017 conference. It is the next stage in the development of the already considered Process Hollowing and is based on the use of the NTFS (TxF) transaction mechanism.

TxF is a technology that appeared in Windows Vista and is supported by subsequent versions of Windows that allows you to perform file operations using transactions, providing support for atomicity, consistency, isolation, and reliability. The technology allows performing atomic operations on a file or several files.

The idea of ​​this method is to create an NTFS transaction with an empty transactional file, load malicious code into it and map its contents into memory, and then rollback the transaction. Thus, it turns out that due to the rollback of the transaction, no changes were made to the disk, and the code mapped to memory remains hidden under the guise of good process.
Let’s consider the attack mechanism in more detail:

1. Create a transaction using CreateTransaction.

2. Open a clean transactional file using CreateFileTransactedA.

3. We overwrite the received file with malicious code.

4. We create a memory section to which a transactional file with malicious code is mapped using NtCreateSection.

5. We create process entities and its main stream with a start address equal to the entry point of the malicious code.

6. Change process parameters in its address space.

7. Start the main thread of the process with ResumeThread.

Here is an example of a utility that implements this technique:

The use of this technique is quite difficult to detect by examining a memory dump using digital forensics methods, however it has the disadvantage that it uses enough rare WinAPI functions. Immediately after the report at the conference in 2017, antivirus software vendors paid attention to this and added capture these functions in the list of protection mechanisms. Thus, any processes that call the Windows API functions to work with TxF automatically fall under suspicion.

By the way, this technique was used with might and main by such malwarelike SynAck, Osiris, Bazar Loader, LokiBot, SmokeLoader, AZORult and others.

Detection by means of AVZ

Antiviruses monitor calls to Windows API functions using various methods and techniques:

1. Hooking: Antivirus can install special hooks for Windows API functions to intercept calls to these functions. When the function is called, the hook takes control and allows the antivirus to perform additional checks or block if suspicious activity is detected.

2. Heuristic Analysis: Antivirus programs can use heuristic analysis to detect suspicious calls to Windows API functions. This is based on predefined rules and algorithms that help identify potentially malicious behavior.

3. Behavioral analysis: Anti-Virus can monitor the behavior of the program and analyze calls to Windows API functions in the context of other program actions. If suspicious behavior or unusual API calls are detected, the antivirus can take action to block or remove the program.

All of these methods and techniques are used together for maximum efficiency in detecting and blocking malware based on Windows API function calls.

Parsing the _EPROCESS Structure

On systems with versions of Windows below version 10, detecting the fact that this technique was used was quite difficult. The only option to at least somehow analyze the twin process for its harmfulness was to check the structure FileObject. However, since the advent of Windows 10, _EPROCESS new entities have been added. We are interested in one particular field – ImageFilePointerand specifically the offset of this pointer and its value.
Let’s analyze this detection method using the example of one of the old laboratory resources CyberDefenders.

We will use Volshell to analyze processes.

python3 volshell.py -f lab.vmem -w
// -w указывает на то, что исследуемая система - Windows

Next, from volatility, you need to take the base address of this process in memory.
In order to jump into the address space of the process, and specifically into the _EPROCESS structure, enter
dt('_EPROCESS', <baseOffset>)

In the image we see a pointer ImageFilePointer and its meaning. This is a normal unremarkable process, namely notepad.exe.

Now let’s check the suspect process.

We see that the pointer value is zero, which indicates the use of Process Doppelganging. When using volatility 2, the result will look slightly different, namely the offset value ImageFilePointer will be NULL. This is due to slight differences in the mechanisms of their work.

Conclusion

Summing up, we can say that attackers do not stand still and every day they come up with new ways to bypass antiviruses and hide malware from prying eyes. The purpose of this article was to bring together information about the most common techniques for hiding fileless malware and give an initial idea of ​​​​how to detect it.

Process Doppelganging and its older brother Process Hollowing are already on the way out, giving way to Process Ghosting and Process Herpaderping, which are much more complex. But in any case, you need to know how the era of fileless threats began and have the knowledge to detect them in your arsenal.