SentinelOne last week announced that it has detected a technique being used in Asia to infect systems with remote access Trojans that ensures that the payload remains in memory throughout its execution and doesn’t touch the victim’s computer disk in an unencrypted state.
Attackers remain hidden from antivirus technologies and next-generation technologies that focus only on file-based threats, according to SentinelOne.
The samples analyzed also can detect the presence of a virtual machine, preventing them from being analyzed in a network sandbox.
Remote access Trojans, or RATs, aren’t new, but the technique is, said Joseph Landry, senior security researcher at SentinelOne.
“We expect to see an increase in fileless-based attacks that execute in memory to avoid detection,” he told TechNewsWorld.
How It Works
The main binary is a packed .NET DLL bearing the name “Benchmark.”
When run, it copies itself to %APPDATA%MicrosoftBlend14.0FeedCachenvSCPAPISrv.exe and extracts a second binary named “PerfWatson.exe.” It then executes both binaries from memory.
A registry key is created at HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsLoad for persistence. That points to the PerfWatson.exe binary.
The RAT then tries to connect back to its control server, chickenkiller.com, which was down when SentinelOne checked. It apparently is owned by a free dynamic DNS service.
More About the Malware
The main executable in the Benchmark .NET DLL contains an XOR-encrypted .NET DLL in its .NET managed resources, as well as the logic to unpack and inject the RAT and monitor the PerfWatson.exe.
The settings for Benchmark and the NanoCore remote administration tool contained in the malware are serialized, DES encrypted, spliced, and stored across multiple PNG files as pixel data, SentinelOne found. The PNG files are concatenated and stored in the main executable’s .NET-managed resources.
Once the encrypted DLL is decrypted, it’s linked into the process using System.Reflection.Assembly.Load(byte[]). That ensures that the DLL will be retained in memory and not written to the filesystem.
The set options are then executed, and the NanoCore payload is injected into a new child process.
Detecting the RAT
SentinelOne detected the RAT because the dynamic behavior tracking engine in its platform “continuously looks for malicious behaviors all the way down to the user-space/kernel-space interface,” Landry said.
Since communications between the payload being executed in memory and the kernel must be unencrypted, SentinelOne can detect execution at both process points — when the Benchmark DLL is injected and when the RAT payload is injected, he noted.
Landry could not specify where in Asia the technique is being used.
Memory-only malware “is not a new threat,” asserted Allison Nixon, director of security research at Flashpoint.
Detecting malware at the entry point of a network before it executes on a target machine “is easier to deal with from a remediation standpoint,” she told TechNewsWorld.
Been There, Seen That
SentinelOne discusses two techniques — decrypting an embedded resource and using .NET Reflection to dynamically load it, and injecting a PE file into a remote process — neither of which is new, said Jason Geffner, principal security researcher at Crowdstrike.
“If you search Google for ‘Assembly.Load malware,’ you’ll see almost 10,000 hits dating back to at least 2009,” he told TechNewsWorld. Injecting a PE file into a remote process is “also a very old and extremely common technique, often referred to as process hollowing or dynamic forking.”
Traditional antivirus engines and next-generation platforms “are designed to handle these specific techniques and have done [so] successfully for a very long time,” Geffner said. Such platforms include Avast, BitDefender, Fortinet, Kaspersky, Panda, and Trend Micro.
Behavior-based technology isn’t the only way to detect the techniques SentinelOne discusses, he pointed out.
“Modern AV engines can efficiently emulate execution of malware using methods such as dynamic translation to detect both of these techniques without the user ever having to execute the malware,” Geffner said. “These emulation techniques will typically not be hindered by the VM detection logic mentioned.”