Malware

• Malwares
  • Fileless Malware
  • Two-stage Deployment
  • Actions on Objective
  • Concealment
• Malware Delivery
  • Common Deployment Techniques
  • Living off the Land

Malwares

A malware is a software that is detrimental to the operations of the host. In the old days, all malware starts out as a virus, which spreads across a network and replicates only through definite user interaction.

A malware attack is an exploit technique is a specific method by which malware code infects a target host.

• Malware can assert malicous macro into a document file.
• Other malware focused on infecting the memory or other resources.
• Modern malware uses file-less techniques to avoid detection.

PUPs or Potentially Unwanted Programs are softwares that may have negative or undesirable effects.

• Crapware, adware, spyware, bloatware

Fileless Malware

Used to create a process in the system memory without relying on the local file.

• Difficult to detect; leaves very few traces of indicators of compromise.
• Some temporarily write data, but they also erase those artifacts after execution.

Two-stage Deployment

Most modern malware uses a two-stage deployment.

Step 1: Dropper or Downloader

• When a user clicks a malicious link, opens a malicious file, which then installs the malware.
• Usually created as a lightweight shell code that can be executed on a given system.
• Dropper - Initiates/runs malware forms within a payload on an infected host.
• Downloader - Retrieves additional tools after the initial infection by the dropper.
• Shellcode - lightweight code meant to execute an exploit on a given target.

Step 2: Downloader

• Another downloader, installs remote access trojan (RAT).
• For Command and Control on the victimized system.

Actions on Objective

Once the attacker has spread his footprint on your network and they’ve established a stronghold, he can then transition into the “Action on Objectives” Phase. On thi phase, the attackers can then will execute their primary objectives.

Concealment

Final step of the attack. This will help the threat actor prolong unauthorized access to the system, which can be done by hiding tracks, erasing log files, or hiding any evidence.

Malware Delivery

Common Deployment Techniques

Common techniques to deploy malicious code:

• Code Injection
  • Inserts malicious code into a legitimate process’s address space to execute under its context.
• DLL Sideloading
  • Loads a malicious DLL by placing it in a directory where a legitimate application will mistakenly load it.
• DLL Injection
  • Forces a running process to load a malicious DLL, enabling the attacker to control the process.
• Masquerading
  • Disguises malicious files or processes as legitimate ones to avoid detection.
• Process Hollowing
  • Replaces the code of a legitimate process with malicious code while the process is running, allowing the attacker to execute their code under the guise of the legitimate process.

Living off the Land

A strategy adopted by many Advanced Persistent Threats (APTs) and criminal organizations.

• Threat actors exploit standard system tools to perform intrusions.
• Example: manipulating powershell to conduct malicious activities.