Last Updated: 2023-11-09 08:10:52 UTC
by Xavier Mertens (Version: 1)
Code injection (T1055 in MITRE ATT&CK) is a common technique these days. It’s a nice way for an attacker to hide malicious code inside a legitimate process. A variation of this technique is called “Process Hollowing”, where the code of a legitimate process, started in a suspended state, is wiped and replaced by malicious code. Code injection is performed by calling Microsoft API functions like VirtualAllocEx(), NtUnmapViewOfSection(), WriteProcessMemory(), ... (there are many others available).
When I’m teaching FOR610, many students wonder why Microsoft provides API calls that allow such dangerous actions. Indeed, there is no “hacking magic”: Microsoft supports them. For the students, it’s difficult to "see" how such a program behaves.
I spotted an interesting sample that performs this technique, and I was able to collect “visible” information. The malware was delivered through a phishing email with a ZIP archive. The executable is called “deposit q.exe” (SHA256: e3471a6c13327493f5d5990cce84c095e66d83a4554e01f3eb891c15750acf60). The malware downloads a payload from OneDrive:
It drops multiple files to implement persistence:
- C:\Program Files (x86)\Rs8jlix\nxvxu6jfj49.exe
The malware creates a SndVol.exe process (the official Microsoft tool to manage the audio volume on the system). Then it injects a thread into SndVol.exe, as seen in the following picture (generated with ProcDOT):
In the same sandbox, I later found the following process (ipconfig.exe), which also looks legitimate but performs malicious activity:
The ipconfig.exe process is trying to contact C2 servers.
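The two behaviours above (a thread created in SndVol.exe by a process outside the Windows directory, and ipconfig.exe opening a network connection) are exactly what endpoint telemetry can surface even when the injection itself is done through fully supported API calls. The following detector is an added example and is not part of the diary or of any tool it mentions: it reads Sysmon-style events (Event ID 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread, using Sysmon's real field names) and raises an alert when a "quiet" Windows utility is spawned by an untrusted parent, receives a remote thread from an untrusted image, or talks to the network. The allow-lists and the event lines are constructed for the example; the 203.0.113.0/24 addresses are documentation addresses, not the C2 servers from the sample.

```python
"""
Added example (not from the ISC diary): flag injection-like behaviour around
legitimate Windows binaries from Sysmon-style JSON event lines.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows utilities that are plausible injection/hollowing targets and that
# never open outbound connections on their own. Assumed list for the example;
# a real deployment tunes this per environment.
QUIET_SYSTEM_BINARIES = {"sndvol.exe", "ipconfig.exe", "notepad.exe", "calc.exe"}

# Images allowed to create threads in other processes (assumed allow-list).
TRUSTED_INJECTORS = {"c:\\windows\\system32\\csrss.exe"}

# Constructed sample events in Sysmon field naming (not captured from the sample).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Rs8jlix\\nxvxu6jfj49.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\deposit q.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\SndVol.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\deposit q.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\victim\\Downloads\\deposit q.exe", "TargetImage": "C:\\Windows\\System32\\SndVol.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\ipconfig.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\SndVol.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\SndVol.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


@dataclass(frozen=True)
class Alert:
    rule: str    # which detection rule fired
    image: str   # the legitimate binary being abused
    detail: str  # the suspicious counterpart (parent, injector or destination)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _under_windows(path: str) -> bool:
    """True when the image lives below C:\\Windows\\ (case-insensitive)."""
    return path.lower().startswith("c:\\windows\\")


def check_event(ev: dict) -> Optional[Alert]:
    """Apply the three rules to one parsed event; return an Alert or None."""
    eid = ev.get("EventID")
    if eid == 8:  # CreateRemoteThread: who injected into whom?
        src, dst = ev["SourceImage"], ev["TargetImage"]
        if _base(dst) in QUIET_SYSTEM_BINARIES and src.lower() not in TRUSTED_INJECTORS:
            return Alert("remote_thread_into_system_binary", dst, f"source={src}")
    elif eid == 3:  # NetworkConnect: a quiet utility should never appear here
        img = ev["Image"]
        if _base(img) in QUIET_SYSTEM_BINARIES:
            return Alert("network_from_quiet_binary", img,
                         f"dst={ev['DestinationIp']}:{ev['DestinationPort']}")
    elif eid == 1:  # ProcessCreate: quiet utility started by a non-Windows parent
        img, parent = ev["Image"], ev["ParentImage"]
        if _base(img) in QUIET_SYSTEM_BINARIES and not _under_windows(parent):
            return Alert("system_binary_spawned_by_untrusted_parent", img, f"parent={parent}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON event lines (blank lines skipped) and collect alerts in order."""
    alerts: List[Alert] = []
    for line in lines:
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{a.rule}] {a.image} ({a.detail})")
```

Run against the constructed events, the detector fires three times: SndVol.exe spawned by "deposit q.exe", the remote thread from "deposit q.exe" into SndVol.exe, and ipconfig.exe connecting to 203.0.113.10:443. The same SndVol.exe started by explorer.exe and a thread created by csrss.exe stay silent, which is the point of keeping an explicit allow-list rather than alerting on every CreateRemoteThread.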
I identified the following hostnames:
Note that injection into another (or the local) process can be performed from any programming language, including scripts! I found plenty of techniques in PowerShell, Python, VBS, ...
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant