Windows 10 Boosts Protections Against Code Injection Attacks

Enhancements in Windows 10 Creators Update include improvements in Windows Defender Advanced Threat Protection (Windows Defender ATP) to keep users protected from threats such as Kovter and Dridex Trojans, Microsoft says.

Specifically, Windows Defender ATP in Creators Update can detect code injection techniques associated with these threats, such as process hollowing and atom bombing. Already used by various other threats, these methods enable malware to infect computers and engage in various nefarious activities while remaining stealthy.

Process hollowing is a technique where a threat spawns a new instance of a legitimate process, after which it replaces the legitimate code with that of the malware. While other injection techniques add a malicious feature to a legitimate process, hollowing results in a process that looks legitimate but is primarily malicious.

There are various threats using process hollowing, with Kovter, a four-year-old click-fraud Trojan that adopted a fileless infection model last year and which was recently associated with ransomware such as Locky, being the most popular. In November last year, Kovter was found responsible for a massive spike in new malware variants.

Delivered mainly through phishing emails, Kovter hides most of its malicious components via registry keys, then uses native applications to execute the code and perform injection. For persistence, it adds shortcuts (.lnk files) to the startup folder or new keys to the registry.

The malware adds two registry entries to have its component file opened by the legitimate program mshta.exe. The component extracts an obfuscated payload from a third registry key and a PowerShell script is used to execute another script that injects shellcode into a target process. Through this shellcode, Kovter uses process hollowing to inject malicious code into legitimate processes.

Atom bombing is a rather new code injection method, based on a Windows vulnerability that can’t be patched, and which can be used by an attacker who has already compromised the targeted machine. The technique relies on malware writing malicious code to the global atom table and using asynchronous procedure calls (APC) to retrieve the code and insert it into the memory of the target process.

Dridex, a threat first spotted in 2014, was an early adopter of atom bombing. Mainly distributed via spam emails, Dridex was designed to steal banking credentials and sensitive information, as well as to disable security products and provide attackers with remote access to victim computers. The threat remains stealthy and persistent through avoiding common API calls associated with code injection techniques.

When executed on the victim’s system, the malware looks for a target process and ensures user32.dll is loaded by this process, as it needs the DLL to access the required atom table functions. Next, the malware writes its shellcode to the global atom table, then adds NtQueueApcThread calls for GlobalGetAtomNameW to the APC queue of the target process thread to force it to copy the malicious code into memory.
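As an added illustration (not code from the article or from Microsoft), the following heuristic flags the sequence just described when run over a constructed, simplified API-call trace: a process writes to the global atom table and then queues APCs in a different process that call GlobalGetAtomNameW. The record format, the pids and the benign entries are assumptions made for the example.

```python
"""Detection heuristic for the atom bombing sequence: atom-table writes by one
process followed by cross-process APCs whose routine is GlobalGetAtomNameW."""
from collections import defaultdict

# Constructed trace of (pid, api, args) records; a hypothetical sensor format.
# The check that user32.dll is loaded in the target is not modelled here.
TRACE = [
    (4120, "GlobalAddAtomW", {"len": 255}),
    (4120, "GlobalAddAtomW", {"len": 255}),
    (4120, "NtQueueApcThread", {"target_pid": 2204, "routine": "GlobalGetAtomNameW"}),
    (4120, "NtQueueApcThread", {"target_pid": 2204, "routine": "GlobalGetAtomNameW"}),
    (4120, "NtQueueApcThread", {"target_pid": 2204, "routine": "GlobalGetAtomNameW"}),
    # Benign: an application registering an atom and queueing an APC to itself.
    (5000, "GlobalAddAtomW", {"len": 12}),
    (5000, "NtQueueApcThread", {"target_pid": 5000, "routine": "SomeCallback"}),
    # Benign: a remote APC that does not read the atom table.
    (6100, "NtQueueApcThread", {"target_pid": 2204, "routine": "SomeCallback"}),
]


def detect_atom_bombing(trace):
    """Return one finding per (source, target) pair matching the pattern:
    the source added global atoms and queued APCs calling GlobalGetAtomName*
    in another process. Findings are sorted by (source_pid, target_pid)."""
    atoms_written = defaultdict(int)   # pid -> number of GlobalAddAtom* calls
    remote_apcs = defaultdict(int)     # (src, dst) -> matching cross-process APCs
    for pid, api, args in trace:
        if api.startswith("GlobalAddAtom"):
            atoms_written[pid] += 1
        elif api == "NtQueueApcThread":
            target = args["target_pid"]
            routine = args.get("routine", "")
            if target != pid and routine.startswith("GlobalGetAtomName"):
                remote_apcs[(pid, target)] += 1
    findings = []
    for (src, dst), apcs in sorted(remote_apcs.items()):
        if atoms_written[src]:        # both halves of the sequence seen
            findings.append({"source_pid": src, "target_pid": dst,
                             "atoms_written": atoms_written[src],
                             "apc_calls": apcs})
    return findings


if __name__ == "__main__":
    for f in detect_atom_bombing(TRACE):
        print("possible atom bombing:", f)
```

The benign entries show why the rule keys on the combination of atom writes and cross-process APCs to GlobalGetAtomNameW, rather than on either call alone.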

“Kovter and Dridex are examples of prominent malware families that evolved to evade detection using code injection techniques. Inevitably, process hollowing, atom bombing, and other advanced techniques will be used by existing and new malware families,” John Lundgren, Windows Defender ATP Research Team, explains.

Windows Defender ATP Creators Update, he adds, includes function calls and statistical models that can detect various malicious injection techniques and better expose covert attacks. According to Lundgren, Microsoft has already tested these capabilities against real-world examples of malware families employing process hollowing and atom bombing, among other methods.

Related: Microsoft to Make EMET Native to Windows 10

Related: Windows 10 Option to Block Installation of Win32 Apps

Related: Windows 10 Blocks Zero-Days Before Patches Arrive: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.