Jump to content

Malicious registry keys: Reflective injection


Batu69

Recommended Posts

Over the years, we have witnessed how cybercriminals have developed and implemented sophisticated new techniques to outwit users. That being said, one thing has not changed and remains a constant challenge: ensuring perseverance and avoiding detection both by security solutions and the human eye.

In recent months, we have started to receive various reports about suspicious and malicious registry keys that had been created on users’ equipment. For this reason, we decided to explore the subject further and started gathering interesting data which is presented in this article.

As we can see on the map below, our systems have picked up a considerable detection rate, worldwide. It is also evident that Latin American users are a major target for cybercriminals when it comes to carrying out attacks.

1-1.png

Analysis

The attack begins with a mass mailing of malicious JavaScript files attached. Once this has been carried out, they write an entry in the Windows registry with a random name and assign it a base64 encrypted code, as shown in this image:

2-1.png

Following extraction and decoding of the registry contents, we obtained a PowerShell exit code. This scripting language can only be executed and interpreted on Windows platforms, as it was conceived for the management of this system.

The image below displays part of this code, whose purpose is to load a new script into the memory and inject an executable code:

3-2.png

In the following shot, on the left-hand side, we can see the other script mentioned above, which is used in real-time execution. This means that at no point will a file be created on the disk.

The function Invoke-ReflectivePEInjection is the command called up along with the corresponding arguments and parameters in order to inject the bytes of an executable code into the PowerShell process.

In this particular case, the attackers are using a method called reflective injection, which involves an injection of a DLL or EXE file into any process so that it subsequently goes undetected by any monitoring tools. Therefore, the malicious activity is transparent to users, who will only see the legitimate processes running on their system:

4-2.png

Finally, we can uncover the malicious code that was to be injected and run in the memory, (the binary header is indicated in the following image):

5-2.png

This file is a variant of Win32/TrojanDownloader.Wauchos, which is designed to download another malicious file, such as ransomware. When checked, the Wauchos detection rate is found to be very similar in each of the countries listed above:

6-1.png

In summary, cybercriminals generate spam campaigns with malicious JavaScript, which create registry keys containing PowerShell scripts. In turn, these scripts load another script in the same language into the memory and inject a trojan into a process that is running on the system, in order to download yet more malicious code.

This method is used by attackers in order to avoid any type of security solution they may encounter on the victim’s machine.

Taking all of this into account, it is important to be aware of the risks involved in receiving an email or browsing the internet.

Article source

Link to comment
Share on other sites


  • Replies 1
  • Views 541
  • Created
  • Last Reply
straycat19

This is so easy to block it is ridiculous and doesn't require any third party software.  I am going to sound like a broken record but the key to keeping a computer secure is the Software Restriction Policies (SRP).  Unfortunately there is no requirement for anyone to learn about the OS they are using before they buy a computer.  Computer users should be licensed like drivers.  You have to learn the rules of the road and how to use them before you are allowed to operate a computer. Most governments and large organizations have a computer literacy test/training before a person actually starts during their job.  If they fail the test they aren't hired. Similar tests could be given to users by ISPs and if the person fails then their connection is shut off. They can then go to local schools who would offer evening courses in computer user certification and upon successful completion and a test they could get their internet access back.  The only true fix for the rash of malware that has been going around since the invention of windows is user education.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...