Süleyman Özarslan, PhD
|
May 21, 2020

Adversaries emphasize an increased level of stealth, persistence, and privilege in their advanced cyber attacks. As a mechanism that can provide these features, it is not surprising that Process Injection is the most frequently used technique.

The purpose of this blog post is to review:

  • the fundamentals of the process injection technique, 
  • the most used target processes for injection, 
  • its use cases by threat actors, and 
  • red, blue, and purple teaming exercises for this technique.

Introduction

It is easy to detect malware processes by listing the running processes and filtering out legitimate ones that are part of the operating system or installed software. If the malware can encapsulate its malicious code within a legitimate process, it will hide on the infected system. Process injection is in fact an “old but gold” technique consisting in running arbitrary code within the address space of another process. As a result, this technique enables access to the target process’s memory, system, and network resources. 

On this account, the technique provides three significant benefits for adversaries:

  • Executing code under a legitimate process may evade security controls. The legitimate process camouflages the malicious code to evade detection since it is whitelisted.
  • Since the malicious code executed inside the legitimate process’s memory space, it may also evade disk forensics.
  • If the target process has elevated privileges, this technique will enable privilege escalation. For example, if the target process has access to network resources, the malicious code can communicate legitimately over the Internet and with other computers on the same network.

Processes Targeted by Adversaries for Process Injection

Security controls may quickly detect custom processes. Therefore, threat actors use common Windows processes such as:

  • Built-in native Windows processes including explorer.exe, svchost.exeregsvr32.exe, dllhost.exe, services.exe, cvtres.exe, msbuild.exe, RegAsm.exe, RegSvcs.exe, rundll32.exe, arp.exe, PowerShell.exe, vbc.exe, csc.exe, AppLaunch.exe and cmd.exe
  • Processes of common software including iexplore.exe, ieuser.exe, opera.exe, chrome.exe, firefox.exe, outlook.exe, and msinm.exe

Target Process Selection Methods

Adversaries use the following methods when picking their target process for malicious code injection:

  • A specific target process is called out in the code. In this case, explorer.exe and svchost.exe are the most commonly used ones.
  • A list of target processes is defined in the code. For example, the Turla cyber espionage group’s Carbon backdoor includes a configuration file consisting of a list of target processes for injection[1]. A typical list includes native Windows and browser processes.
  • In some attack scenarios, the target process is not previously defined, and a suitable host process is located at runtime in this type of attack. For example, the CopyKittens group used Windows API functions to extract a list of currently active processes and to get a handle to each target process in its campaign[2]

Use Cases by Malware and Threat Actors

Malware

Threat Actor

Target Industries

Target Geographies

Target Process

Backdoor.Oldrea [3]

Dragonfly

Energy

US, Europe

explorer.exe

BlackEnergy [4]

-

Energy, Government

Ukraine

svchost.exe

Cardinal RAT [5]

-

All

All

RegAsm.exe, RegSvcs.exe, vbc.exe, AppLaunch.exe, cvtres.exe

Denis backdoor [6]

APT32

Government, Media

East Asia

rundll32.exe, svchost.exe, arp.exe, PowerShell.exe

Downdelph downloader [7]

APT28

Government

US, Europe

explorer.exe

Dropper (unnamed) [8]

Putter Panda

Government, Telecommunication, Defense, Research, Technology, Aerospace

US, Europe

msinm.exe, outlook.exe, iexplore.exe, firefox.exe

Emotet banking malware [9]

-

All

All

explorer.exe

Kazuar backdoor malware [10]

Turla

Government, Military, Defense

US, Europe, Middle East

explorer.exe

RAT (unnamed) [11]

Emissary Panda

Energy, Government, Technology, Manufacturing

Middle East, Central Asia

svchost.exe

Rokrat RAT [12]

APT37

Government, Finance

Middle East, East Asia

cmd.exe

TClient backdoor malware [13]

Tropic Trooper

Government, Healthcare, Transportation, High-Tech

East Asia

dllhost.exe

Tidyelf dropper malware [14]

APT41

Healthcare, Technology, Telecommunications, Media, Education, Retail

Europe, East Asia, Middle East, US

iexplore.exe

Trickbot banking malware [15]

-

All

All

svchost.exe

Trojan (unnamed) [16]

Gorgon Group

Government

US, Europe

cvtres.exe, MSBuild.exe

Trojan (unnamed)[17]

Kimsuky 

Government, Defense, Logistics

South Korea

explorer.exe

ZxShell RAT [18]

Group 72

Manufacturing, Aerospace, Defense, Media

US, East Asia

svchost.exe

Example Process Injection Method: Reflective DLL Injection

Reflective DLL injection (loading) is one of the most used process injection methods employed by adversaries. This method allows injecting and executing a DLL inside another process by creating a DLL that maps itself into memory when executed, instead of relying on Window’s API’s loader calls. This technique avoids storing the DLL on disk and calling the Windows API’s LoadLibrary that might be detected by security tools.

Red Teaming - How to simulate?

Powersploit’s Invoke-ReflectivePEInjection [19] module can be used to simulate the reflective DLL injection technique. In addition to loading a DLL or EXE into the PowerShell,  It can reflectively load a DLL into a remote process. Because of its capabilities, adversaries are also using this module for injection, such as the Turla APT Group [20].

The below command is a simulation of reflective DLL injection using the Invoke-ReflectivePEInjection module. With this command, contents of the calc.exe file are read into the $PEByte byte array using the ReadAllBytes [21] method. Then the byte array containing the calc.exe is loaded and executed locally using the -PEBytes parameter.

 

powershell -c "Unblock-File %TMP%\Invoke-ReflectivePEInjection.ps1;

Import-Module %TMP%\Invoke-ReflectivePEInjection.ps1;$PEBytes = [IO.File]::ReadAllBytes('%windir%\System32\calc.exe'); Invoke-ReflectivePEInjection -PEBytes $PEBytes"

Blue Teaming - How to detect?

image2Sigma Rule

To detect the reflective DLL injection technique, we need logs that include PowerShell activities. Event log entries in the Microsoft-Windows-PowerShell/Operational log includes such activities. The Event ID 4104 (script block logging) records accurate blocks of code as they are executed by the PowerShell engine. Script block logging captures the de-obfuscated full contents of the code as it is executed, including scripts and commands, as shown in the following figure.

image1

When the DLL is injected into the target process, the malware has to map the DLL’s raw binary into virtual memory. It uses  kernel32.dll and VirtualAlloc, GetProcAddress, and LoadLibraryA functions to get the correct address of the injected export function. Picus Labs’ Blue team developed the following Sigma rule by taking advantage of this finding mechanism and utilizing the Microsoft-Windows-PowerShell/Operational log with the Event ID 4104

 

title: Reflective Portable Executable Injection via PowerShell

status: stable
description: Detects the attempt of reflective portable executable (DLL/EXE) injection by PowerShell that uses API calls. This method is used by adversaries to evade detection from security products since the execution is masked under a legitimate process.
author: Picus Security
references:
    - https://attack.mitre.org/techniques/T1055/
    - https://attack.mitre.org/tactics/TA0004/
    - https://attack.mitre.org/tactics/TA0005/
logsource:
    product: windows
    service: powershell/operational
    definition1: 'Requirements: Group Policy : Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On Module Logging'
    definition2: 'Requirements: Group Policy : Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On PowerShell Script Block Logging'
detection:
    selection:
        EventID: 4104
    keyword1:
        - '*kernel32.dll*'
    keyword2:
        - '*LoadLibraryA*'
    keyword3:
        - '*GetProcAddress*'
    keyword4:
        - '*VirtualAlloc*'
    condition: All of them
falsepositives:
    - Unlikely, legitimate use in red teaming activities
level: high
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.ta0004
    - attack.ta0005

Splunk SPL Query

(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104" "*kernel32.dll*" "*LoadLibraryA*" "*GetProcAddress*" "*VirtualAlloc*")

IBM QRadar AOL Query

(LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and EventID='4104' and UTF8(payload) ilike '%kernel32.dll%' and UTF8(payload) ilike '%LoadLibraryA%' and UTF8(payload)

Yara Rule

The following YARA rule can be used to detect PowerShell scripts used for reflective DLL injection. This rule detects both Powersploit’s Invoke-ReflectivePEInjection module and Mimikatz’s PE Reflective Injection method [22].

 

rule power_pe_injection
{
meta:
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"

strings:
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"

condition:
$str_loadlib
}

 

Appendixes

Appendix A - Aliases of Threat Groups

Threat Group

Aliases

APT28

Sednit, Sofacy, Fancy Bear

APT32

OceanLotus

APT37

Group 123, Reaper

Dragonfly

Energetic Bear

Emissary Panda

TG-3390, APT 27, Bronze Union

Group 72

Axiom

Putter Panda

APT2

Tropic Trooper 

KeyBoy

 

Appendix B - Aliases of Malware Families

Malware

Aliases

Backdoor.Oldrea

Havex

ZxShell RAT

Sensocode

References

[1] ESET Research, “Carbon Paper: Peering into Turla’s second stage backdoor | WeLiveSecurity,” WeLiveSecurity, 30-Mar-2017. [Online]. Available: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/. [Accessed: 13-Apr-2020].

[2] Minerva Labs LTD, ClearSky Cyber Security, “CopyKittens Attack Group.” [Online]. Available: https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf. [Accessed: 13-Apr-2020].

[3] Symantec Security Response, “Dragonfly: Cyberespionage Attacks Against Energy Suppliers.” [Online]. Available: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Symantec%20-%20Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf. [Accessed: 13-Apr-2020].

[4] F-Secure, “BlackEnergy & Quedagh The convergence of crimeware and APT attacks.” [Online]. Available: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf. [Accessed: 13-Apr-2020].

[5] J. Grunzweig, “Cardinal RAT Active for Over Two Years,” Unit42, 20-Apr-2017. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-cardinal-rat-active-two-years/. [Accessed: 13-Apr-2020].

[6] Cybereason, “Operation Cobalt Kitty.” [Online]. Available: https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf. [Accessed: 13-Apr-2020].

[7] “En Route with Sednit Part 3: A Mysterious Downloader,” Eset. [Online]. Available: https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf. [Accessed: 13-Apr-2020].

[8] CrowdStrike, “CrowdStrike Intelligence Report PUTTER PANDA.” [Online]. Available: https://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf. [Accessed: 13-Apr-2020].

[9] “Emotet Malware | CISA.” [Online]. Available: https://www.us-cert.gov/ncas/alerts/TA18-201A. [Accessed: 13-Apr-2020].

[10] B. Levene, R. Falcone, and T. Halfpop, “Kazuar: Multiplatform Espionage Backdoor with API Access,” Unit42, 03-May-2017. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/. [Accessed: 13-Apr-2020].

[11] nccgroup, “Emissary Panda – A potential new malicious tool.” [Online]. Available: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/. [Accessed: 13-Apr-2020].

[12] “Threat Analysis: ROKRAT Malware | VMware Carbon Black,” VMware Carbon Black, 27-Feb-2018. [Online]. Available: https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/. [Accessed: 13-Apr-2020].

[13] T. Micro, “Tropic Trooper’s New Strategy - TrendLabs Security Intelligence Blog,” 14-Mar-2018. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/. [Accessed: 13-Apr-2020].

[14] FireEye, “Double Dragon APT41, a dual espionage and cyber crime operation.” [Online]. Available: https://www.fireeye.com/content/dam/collateral/en/rpt-apt41-2019.pdf. [Accessed: 13-Apr-2020].

[15] S2 Grupo, “Evolution of Trickbot.” [Online]. Available: https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf. [Accessed: 13-Apr-2020].

[16] R. Falcone, D. Fuertes, J. Grunzweig, and K. Wilhoit, “The Gorgon Group: Slithering Between Nation State and Cybercrime,” Unit42, 02-Aug-2018. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/. [Accessed: 13-Apr-2020].

[17] D. Tarakanov, “The ‘Kimsuky’ Operation: A North Korean APT?” [Online]. Available: https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/. [Accessed: 13-Apr-2020].

[18] Talos Group, “Threat Spotlight: Group 72, Opening the ZxShell - Cisco Blogs,” Cisco Blogs, 28-Oct-2014. [Online]. Available: https://blogs.cisco.com/security/talos/opening-zxshell. [Accessed: 13-Apr-2020].

[19] PowerShellMafia, “PowerShellMafia/PowerSploit,” GitHub. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 13-Apr-2020].

[20] ESET, “A dive into Turla PowerShell usage.” [Online]. Available: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/. [Accessed: 13-Apr-2020].

[21] dotnet-bot, “File.ReadAllBytes(String) Method (System.IO).” [Online]. Available: https://docs.microsoft.com/en-us/dotnet/api/system.io.file.readallbytes. [Accessed: 13-Apr-2020].

[22] gentilkiwi, “gentilkiwi/mimikatz,” GitHub. [Online]. Available: https://github.com/gentilkiwi/mimikatz. [Accessed: 13-Apr-2020].

 

Süleyman Özarslan, PhD

About the Author

Süleyman Özarslan, PhD
|
VP, Picus Labs, Founder A true security enthusiast with extensive experience in ethical hacking, cyber defense, computer networks, and cryptography.
VP, Picus Labs, Founder A true security enthusiast with extensive experience in ethical hacking, cyber defense, computer networks, and cryptography.

Share

Trusted by Leading Global Companies

Akbank
Exclusive Networks
Garanti
ING Bank
QNB Finansbank
Turkcell
Vodafone
Yapı Kredi
Datasheet Request Demo Join our Newsletter