{"id":6907,"date":"2017-03-08T23:01:16","date_gmt":"2017-03-09T07:01:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-698\/"},"modified":"2017-03-08T23:01:16","modified_gmt":"2017-03-09T07:01:16","slug":"news-698","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-698\/","title":{"rendered":"Uncovering cross-process injection with Windows Defender ATP"},"content":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Thu, 09 Mar 2017 06:16:01 +0000<\/strong><\/p>\n<p>Windows Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender ATP<\/a>) is a post-breach solution that alerts security operations (SecOps) personnel about hostile activity. As the nature of attacks evolves, Windows Defender ATP must\u00a0advance so that it continues to help SecOps personnel uncover and address the attacks.<\/p>\n<p>With\u00a0increasing security investments from Microsoft\u2014read how <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/13\/hardening-windows-10-with-zero-day-exploit-mitigations\/\">Windows 10 continues to raise the bar<\/a> against a spectrum of attacks\u2014and other vendors, the cost and complexity of delivering successful exploits has swelled. 
For example, the trend towards virtualization-based security is forcing attacks to\u00a0incorporate at least two exploits: one to compromise the sandboxed application and another to break out of the sandbox.\u00a0We are now seeing\u00a0exploit developers charge as much as hundreds of thousands of dollars for remote code execution and kernel exploits, pricing out some attackers\u00a0from the market.<\/p>\n<p>Unfortunately, advanced and apex attackers (see Figure 1) can still afford to\u00a0develop or\u00a0purchase zero-day exploits. To protect their investments, these attackers put more emphasis on\u00a0evading detection.\u00a0They rely heavily on in-memory attacks and kernel privilege escalation to avoid touching the disk and remain extremely stealthy.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" class=\"alignnone wp-image-11465\" alt=\"Attacker proficiency and associated techniques\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/1-Attacker-proficiency-and-associated-techniques.png\" \/><\/p>\n<p><em>Figure 1. Attacker proficiency and associated techniques<\/em><\/p>\n<p>This blog post kicks off a three-part series showcasing the investments made by Microsoft to enhance instrumentation and detection of in-memory techniques. The series covers detection improvements for cross-process code injection, kernel escalation and tampering, and in-memory exploitation. 
In this first post, we focus on cross-process injection and illustrate how enhancements that will be available in the <a href=\"https:\/\/blogs.windows.com\/business\/2016\/12\/06\/windows-10-creators-update-advances-security-best-class-modern-tools\">Creators Update for Windows Defender ATP<\/a> detect a broad set of attack activity: from commodity malware that attempts to hide in plain sight to sophisticated activity groups that engage in targeted attacks.<\/p>\n<h2>Cross-process injection for stealth and persistence<\/h2>\n<p>Cross-process injection can be used to provide an attacker more visibility into normal processes. For example, injected code can record keystrokes sent to an affected process. At the same time,\u00a0this method\u00a0hides malicious code and enables process migration, which can be used for organizational persistence.<\/p>\n<p>Cross-process injection is inherently stealthy because it conceals malicious code inside benign processes. Even when a process has been injected with malicious code, its loaded images (the executable and library files associated with the process) continue to point to legitimate files on disk as shown in Figure 2. This shows a clear advantage over running malicious code in its own process space, which necessitates that the code reside on disk as an image file that is subject to inspection by antimalware and is easily recovered as forensic evidence.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"115\" class=\"alignnone size-full wp-image-11475\" alt=\"Loaded images of rundll32.exe appear normal even when injected with malware code\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/2-loaded-images-of-rundll.32.exe_.png\" \/><\/p>\n<p><em>Figure 2. Loaded images of rundll32.exe appear normal even when injected with malware code<\/em><\/p>\n<p>By enabling process migration, cross-process injection allows attacks to stay active. 
In a drive-by-download attack, for instance, an attacker can gain control of the browser process and disable its sandbox. To execute malicious code beyond the lifecycle of the browser, which may terminate at any time, the attacker migrates the malicious code to a long-lived process, such as winlogon.exe, using cross-process injection. The risk of a user powering down the machine and erasing the malware remains, but an apex attacker overcomes this by staying active on multiple devices on the enterprise network. If one device is indeed restarted and the malicious code erased, the attacker can easily move laterally back to that device.<\/p>\n<h2>Digging deeper into cross-process injection<\/h2>\n<p>Cross-process injection is essentially a two-step process.<\/p>\n<p>First, malicious code is placed into a new or existing executable page within a remote process. Attackers typically use the Win32 APIs <em>VirtualAllocEx<\/em> and <em>CreateFileMapping\/MapViewOfSection<\/em> to allocate new executable pages. Alternatively, they use <em>VirtualProtectEx<\/em> to turn existing pages into executable and writeable pages.<\/p>\n<p>Next, the injected malicious code is executed through control of the thread and execution context. In many notable cases, attackers use the API <em>CreateRemoteThread<\/em> to create a new thread in a remote process. Alternatively, they use the APIs <em>SetThreadContext<\/em> and <em>QueueUserAPC<\/em> to redirect an existing thread to an arbitrary address.<\/p>\n<p>While there are legitimate uses for the aforementioned APIs\u2014they are used for debugging, diagnostics, management, and security\u2014particular combinations of process names and execution behaviors often indicate malicious activity. 
For the technically inclined, techniques such as process hollowing (described by Tan Chew Keong in his paper &#8220;Dynamic Forking of Win32 EXE&#8221;) and more obscure theoretical attacks such as <a href=\"https:\/\/breakingmalware.com\/injection-techniques\/atombombing-brand-new-code-injection-for-windows\/\">AtomBombing<\/a> are good examples of these malicious combinations.<\/p>\n<h2>Instrumentation and detection in Windows Defender ATP<\/h2>\n<p>In Creators Update for Windows Defender ATP, we have instrumented related function calls and built statistical models to detect a broad range of malicious injection techniques used in the wild. To determine how effectively these enhancements uncover hostile activities that leverage cross-process injection, we tested the enhancements against the following real-world cases: a targeted attack, a remote access tool (RAT), and cryptocurrency mining malware.<\/p>\n<h3>Targeted attack by GOLD<\/h3>\n<p>GOLD is an activity group that primarily seeks out intellectual property and other valuable digital assets. This activity group has an interesting way of obtaining a foothold in enterprise networks. Instead of actively pursuing targets through spear-phishing, GOLD uses established distribution sites for license-key generators (keygens) to infect a wide array of victims\u2014all users who download and execute keygens from the distribution sites. The group then assesses each of the victims and aggressively pursues those in certain industries.<\/p>\n<p>As a user launches a keygen package downloaded from the website operated by GOLD, the package drops two executables: the actual keygen and the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan%3aWin32%2fGatak\">Gatak<\/a> malware implant. Gatak proceeds to inject itself into one of the many legitimate system processes using the <em>CreateRemoteThread<\/em> API. 
The sample we tested launches the <em>rundll32.exe<\/em> process, allocates memory in the process, writes malicious code to that location, and executes the malicious code\u00a0using <em>CreateRemoteThread<\/em> calls. Upon successful injection, Gatak removes itself from disk. Meanwhile, code injected in the <em>rundll32.exe<\/em> process communicates with command-and-control (C&amp;C) servers, giving GOLD attackers control over the infected device.<\/p>\n<p>With Creators Update, Windows Defender ATP will uncover breaches involving Gatak by detecting its cross-process injection technique, among other detection mechanisms it can use. Figure 3 shows the alert on the Windows Defender ATP Creators Update portal.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"353\" class=\"alignnone wp-image-11545\" alt=\"Detection of Gatak malware implant injecting into rundll32.exe\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/3-Detection-of-Gatak-malware-implant-injecting-into-rundll32.exe_.png\" \/><\/p>\n<p><em>Figure 3. Detection of Gatak malware implant injecting into rundll32.exe<\/em><\/p>\n<h3>Fynloski RAT<\/h3>\n<p>The second piece of malicious activity we used to test our new detections for cross-process injection is a variant of the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win32\/Fynloski.A\">Fynloski<\/a> remote access tool (RAT). This RAT was freely available until 2012 and is still in use today in multiple attack campaigns. It provides a broad set of functionality, including capturing screenshots, exfiltrating files, and recording keystrokes. 
It is distributed by different vectors, including spear-phishing, downloaders, and exploit kits.<\/p>\n<p>Instead of using the more common <em>CreateRemoteThread<\/em> cross-process injection technique described in preceding sections, Fynloski leverages the <em>QueueUserAPC<\/em> API to hide its presence. <em>QueueUserAPC<\/em> is a function for requesting the asynchronous execution of a procedure in the context of a given thread. Attackers can use <em>QueueUserAPC<\/em> to inject arbitrary code cross-process by provisioning malicious code in the target process and pointing <em>QueueUserAPC<\/em> to execute this code.<\/p>\n<p>With Creators Update, Windows Defender ATP will detect these API calls and display an alert with a corresponding timeline that outlines this behavior as shown in Figure 4.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"63\" class=\"alignnone wp-image-11495\" alt=\"Fynloski RAT injecting into notepad.exe\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/4-Fynloski-RAT-injecting-into-notepad.exe_.png\" \/><\/p>\n<p><em>Figure 4. Fynloski RAT injecting into notepad.exe<\/em><\/p>\n<h3>Commodity malware for cryptocurrency mining<\/h3>\n<p>Commodity malware uses cross-process injection techniques for the same reason attackers use them in targeted attacks\u2014they want to remain hidden long enough to accomplish their objectives.<\/p>\n<p>In this article, we dissect the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Trojan%3aWin32%2fCoinMiner\">CoinMiner<\/a> malware, which steals computing resources to mine cryptocurrencies such as Bitcoin. It uses the <em>SetThreadContext<\/em> API for cross-process injection, copying malicious code into allocated executable memory similar to the <em>CreateRemoteThread<\/em> technique. To execute the malicious code, it first obtains a list of existing threads from the target process using the <em>CreateToolhelp32Snapshot<\/em> API. 
It then uses the <em>SetThreadContext<\/em> API to modify the control registers of one of those threads so that they point to the memory address of the injected malicious code.<\/p>\n<p>Our sample of CoinMiner launches <em>notepad.exe<\/em> and injects its mining code into that process. Subsequently, the affected <em>notepad.exe<\/em> process connects to the Monero mining pool (xmr[.]crypto-pool[.]fr) to submit mined cryptocurrency. Windows Defender ATP, as shown in Figure 5, will detect the injection technique and provide important context, such as the connection to the mining pool, to help SecOps personnel understand and address the infection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"446\" class=\"alignnone wp-image-11505\" alt=\"Event timeline view of CoinMiner infection\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2017\/03\/5-Event-timeline-view-of-CoinMiner-infection.png\" \/><\/p>\n<p><em>Figure 5. Event timeline view of CoinMiner infection<\/em><\/p>\n<h2>Conclusion: Creators Update is ready for a mix of cross-process injection methods<\/h2>\n<p>Like other in-memory techniques, cross-process injection\u00a0can evade antimalware and other security\u00a0solutions that focus on inspecting files on disk. 
With Creators Update, Windows Defender ATP will provide\u00a0SecOps personnel with additional capabilities to uncover malicious activities leveraging cross-process injection.\u00a0By leveraging statistical models and\u00a0analyzing large data sets\u00a0in the cloud, these enhancements cover code injection techniques used in a variety of attacks, including commodity malware infections and sophisticated breaches.<\/p>\n<p>Windows Defender ATP also provides detailed event timelines as well as other contextual information that SecOps personnel can use to\u00a0quickly understand the nature of attacks and <a href=\"https:\/\/blogs.windows.com\/business\/2016\/12\/06\/windows-10-creators-update-advances-security-best-class-modern-tools\/\">take response actions<\/a>.<\/p>\n<p>For more information about Windows Defender ATP, check out <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/Windows-ATP\">its features and capabilities<\/a> and read about why a <a href=\"http:\/\/wincom.blob.core.windows.net\/documents\/Post%20Breach%20Dealing%20with%20Advanced%20Threats%20Whitepaper.pdf\">post-breach detection approach is a key component of any enterprise security stack<\/a>. 
Several features planned for release with\u00a0Creators Update\u00a0are currently\u00a0available to all users as part of the <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/preview-windows-defender-advanced-threat-protection\">public preview<\/a>.<\/p>\n<p>Windows Defender ATP is built into the core of Windows 10 Enterprise and can be <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">evaluated free of charge<\/a>.<\/p>\n<h4>Threat indicators<\/h4>\n<p>Hashes (SHA-1)<\/p>\n<ul>\n<li>Gatak &#8211; 137d6fdc9ca730304a2154174058144f4e909824<\/li>\n<li>Fynloski &#8211; efb9a13ad450bb0381ee1cc3b90ac0266687928a<\/li>\n<li>CoinMiner &#8211; d36fa8de43956190d827c042614555c8b20c5402<\/li>\n<\/ul>\n<p>Infrastructure<\/p>\n<ul>\n<li>207[.]36[.]232[.]49<\/li>\n<li>212[.]129[.]44[.]157<\/li>\n<li>xmr[.]crypto-pool[.]fr<\/li>\n<\/ul>\n<hr \/>\n<h4>Christian Seifert, Genghis Karimov, Mathieu Letourneau<\/h4>\n<p><em>Windows Defender ATP Research Team<\/em><\/p>\n<hr \/>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/08\/uncovering-cross-process-injection-with-windows-defender-atp\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: msft-mmpc| Date: Thu, 09 Mar 2017 06:16:01 +0000<\/strong><\/p>\n<p>Windows Defender Advanced Threat Protection (Windows Defender ATP) is a post-breach solution that alerts security operations (SecOps) personnel about hostile activity. As the nature of attacks evolves, Windows Defender ATP must\u00a0advance so that it continues to help SecOps personnel uncover and address the attacks. 
With\u00a0increasing security investments from Microsoft\u2014read how Windows 10 continues to raise&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10864,10760,11571,10490,11572,11137,11573,10987,11574,11575,11576,11577,11578,11579,10761,11580,10865,11581],"class_list":["post-6907","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-advanced-persistent-threats","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-apts","tag-bitcoin","tag-coinminer","tag-creators-update","tag-cross-process-injection","tag-exploits","tag-fynloski-rat","tag-gatak","tag-gold-activity-group","tag-in-memory-attacks","tag-post-breach-detection","tag-public-preview","tag-windows-10","tag-windows-defender-advanced-threat-protection","tag-windows-defender-atp","tag-zero-day-exploits"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6907"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6907\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6907"},{"taxonomy":"post_tag","embed
dable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}