How to protect against malicious code injection in Windows systems

The Windows 10 Creators Update shipped with security enhancements, including improvements to Windows Defender Advanced Threat Protection (ATP). According to Microsoft, these improvements keep users protected from threats such as the KopyPast and Dridex Trojans. Windows Defender ATP can detect the code injection techniques associated with these threats, such as Empty Process (process hollowing) and Atom Bombing. Already used by many other threats, these methods allow malware to infect computers and carry out a variety of malicious activities while remaining stealthy.

Empty Process
Spawning a new instance of a legitimate process and "emptying it out" is known as Empty Process, more commonly called process hollowing. It is a code injection technique in which the legitimate code is replaced with malicious code. Other injection techniques simply add malicious functionality to a legitimate process; hollowing instead results in a process that appears legitimate but is mostly malicious.

Empty Process used by KopyPast

Microsoft treats the Empty Process problem as one of the biggest: the technique is used by KopyPast and many other malware families. It has been used in fileless attacks, where the malware leaves negligible traces on disk and executes code only from the computer's memory.

KopyPast is a click-fraud family that has recently been observed in association with ransomware families such as Locky. Last November, KopyPast was found responsible for a large spike in new malware variants.

KopyPast is distributed mainly through phishing emails, and it hides most of its malicious components in registry keys. It then uses native applications to execute the code and perform the injection. It achieves persistence by adding shortcuts (.lnk files) to the startup directory or by adding new keys to the registry.

The malware adds two registry entries so that its component file is opened by the legitimate program mshta.exe. This component extracts an obfuscated payload from a third registry key. A PowerShell script then executes an additional script that injects shellcode into a target process. Through this shellcode, KopyPast uses the Empty Process technique to inject malicious code into legitimate processes.

Atom Bombing
Atom Bombing is another code injection technique that Microsoft says it blocks. It relies on the malware storing malicious code in the atom table. Atom tables are shared memory tables in which applications store strings, objects and other data that need frequent access. Atom Bombing uses asynchronous procedure calls (APCs) to retrieve the code and insert it into the memory of the target process.

Dridex soon adopted Atom Bombing

Dridex is a banking trojan first discovered in 2014 and one of the first to use Atom Bombing.

Dridex is distributed mainly via spam email and is designed primarily to steal banking credentials and other sensitive information. It also disables security products and gives attackers remote access to victim computers. The threat stays stealthy and persistent by avoiding the common API calls associated with code injection techniques.

When Dridex runs on the victim's computer, it looks for a target process and makes sure that user32.dll is loaded in that process, because it needs the DLL to reach the required atom table functions. The malware then writes its shellcode to the global atom table and adds NtQueueApcThread calls for GlobalGetAtomNameW to the APC queue of the target process thread, forcing it to copy the malicious code into its memory.
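The two chains described above (mshta.exe spawning PowerShell and dropping a Startup .lnk for KopyPast; atoms written and then an APC for GlobalGetAtomNameW queued into another process for Dridex) can be expressed as behavioural detection rules. The following Python is an added example, not code from the article or from Microsoft; the event format, field names and sample values are constructed assumptions modelled on Sysmon-style telemetry.

```python
"""Behavioural rules for the two injection chains the article describes.
Events are constructed dicts (not real telemetry); field names are assumptions."""

STARTUP_DIR = "\\start menu\\programs\\startup\\"  # matched case-insensitively


def build_process_tree(events):
    """Map pid -> (lower-cased image name, parent pid) from process_create events."""
    return {e["pid"]: (e["image"].lower(), e["ppid"])
            for e in events if e["type"] == "process_create"}


def parent_image(procs, pid):
    """Image name of pid's parent, or None if either process is unknown."""
    ppid = procs.get(pid, (None, None))[1]
    return procs.get(ppid, (None, None))[0]


def detect_kovter_chain(events):
    """Flag powershell.exe spawned by mshta.exe that writes a .lnk into a Startup folder."""
    procs = build_process_tree(events)
    suspects = {pid for pid, (img, _) in procs.items()
                if img == "powershell.exe" and parent_image(procs, pid) == "mshta.exe"}
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file_write" and e["pid"] in suspects
            and e["path"].lower().endswith(".lnk")
            and STARTUP_DIR in e["path"].lower()]


def detect_atom_bombing(events):
    """Flag a process that adds global atoms and then queues an APC in a *different*
    process whose routine is GlobalGetAtomNameW (the sequence attributed to Dridex)."""
    added_atoms, hits = set(), []
    for e in (x for x in events if x["type"] == "api_call"):
        if e["api"].startswith("GlobalAddAtom"):
            added_atoms.add(e["pid"])
        elif (e["api"] == "NtQueueApcThread" and e["pid"] in added_atoms
              and e.get("routine") == "GlobalGetAtomNameW"
              and e.get("target_pid") != e["pid"]):
            hits.append((e["pid"], e["target_pid"]))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "mshta.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "file_write", "pid": 300,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"type": "process_create", "pid": 400, "ppid": 100, "image": "sample.exe"},
    {"type": "api_call", "pid": 400, "api": "GlobalAddAtomW"},
    {"type": "api_call", "pid": 400, "api": "NtQueueApcThread", "target_pid": 100, "routine": "GlobalGetAtomNameW"},
    # benign: legitimate apps use atoms too, and an APC queued into one's own process is not cross-process injection
    {"type": "api_call", "pid": 100, "api": "GlobalAddAtomW"},
    {"type": "api_call", "pid": 100, "api": "NtQueueApcThread", "target_pid": 100, "routine": "GlobalGetAtomNameW"},
]
```

Both rules are heuristics: the Kovter-style rule needs the parent-child relationship and the persistence write together, and the atom rule only fires on cross-process APC queuing, so ordinary atom table users are not flagged.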
