Enhancements in Windows 10 Creators Update include improvements in Windows Defender Advanced Threat Protection (Windows Defender ATP) to keep users protected from threats such as Kovter and Dridex Trojans, Microsoft says.
Specifically, Windows Defender ATP in Creators Update can detect code injection techniques associated with these threats, such as process hollowing and atom bombing. These methods, already used by various other threats, let malware run its code inside a trusted host process and carry out its activities while remaining stealthy.
Process hollowing is a technique where a threat spawns a new instance of a legitimate process, typically in a suspended state, unmaps or overwrites the legitimate code inside it, writes the malware's own image in its place and then resumes execution. While other injection techniques add a malicious feature to an otherwise legitimate process, hollowing results in a process that looks legitimate (the process name and the file on disk are the original) but whose contents are primarily malicious.
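The mismatch described above, a legitimate file on disk fronting a replaced image in memory, is also the simplest host-side check for it. The script below is an added example, not code from the article or from Microsoft: it reads the first page of each process's main module at the base address the loader's module list reports and compares the PE headers with the same bytes of the file that module list names. A normally loaded image is mapped directly from its file, so those bytes match; a process whose image was unmapped and rewritten (or whose reported base no longer holds a PE at all) is flagged. The access-right constants and the 4096-byte read window are standard Win32 values; the 'suspicious'/'inaccessible' labels and the decision to compare only SizeOfHeaders bytes are this example's own choices.

```powershell
# Added example (not from the article or from Microsoft): a triage check for
# hollowed processes. The loader maps an image straight from its file, so a
# normally loaded main module has the same PE header bytes in memory as on disk.
# A process whose reported main module no longer matches its own file at the
# reported base has had its image replaced, which is what hollowing does.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProc, IntPtr addr, byte[] buf, int size, out IntPtr read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$PAGE                      = 4096

function Test-HollowedProcess {
    param([Parameter(Mandatory)] [System.Diagnostics.Process] $Process)

    $r = [ordered]@{ Pid = $Process.Id; Name = $Process.ProcessName; Status = 'unknown'; Detail = '' }
    try {
        $path = $Process.MainModule.FileName      # path the loader's module list reports
        $base = $Process.MainModule.BaseAddress   # where that module claims to be mapped
    } catch {
        # Protected processes, other-bitness processes and System/Idle land here.
        $r.Status = 'inaccessible'; $r.Detail = $_.Exception.Message
        return [pscustomobject]$r
    }

    # Read the first page at the reported image base.
    $mem = New-Object byte[] $PAGE
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $Process.Id)
    if ($h -eq [IntPtr]::Zero) {
        $r.Status = 'inaccessible'; $r.Detail = 'OpenProcess failed'
        return [pscustomobject]$r
    }
    try {
        [IntPtr]$read = [IntPtr]::Zero
        if (-not [Win32.Native]::ReadProcessMemory($h, $base, $mem, $mem.Length, [ref]$read)) {
            $r.Status = 'inaccessible'; $r.Detail = 'ReadProcessMemory failed'
            return [pscustomobject]$r
        }
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }

    # Minimal PE parsing: 'MZ', e_lfanew at 0x3C, 'PE\0\0', then SizeOfHeaders at
    # OptionalHeader+60 (the optional header begins 24 bytes after the PE signature).
    if ($mem[0] -ne 0x4D -or $mem[1] -ne 0x5A) {
        $r.Status = 'suspicious'; $r.Detail = 'no MZ header at reported image base'
        return [pscustomobject]$r
    }
    $e_lfanew = [BitConverter]::ToInt32($mem, 0x3C)
    if ($e_lfanew -lt 0x40 -or $e_lfanew -gt ($PAGE - 88) -or
        [BitConverter]::ToUInt32($mem, $e_lfanew) -ne 0x00004550) {
        $r.Status = 'suspicious'; $r.Detail = 'PE signature not found within first page'
        return [pscustomobject]$r
    }
    $sizeOfHeaders = [BitConverter]::ToInt32($mem, $e_lfanew + 24 + 60)

    # Compare against the same bytes of the file the module list names.
    $disk = New-Object byte[] $PAGE
    $fs = [IO.File]::OpenRead($path)
    try { $got = $fs.Read($disk, 0, $PAGE) } finally { $fs.Close() }
    $n = [Math]::Min($sizeOfHeaders, [Math]::Min($PAGE, $got))
    for ($i = 0; $i -lt $n; $i++) {
        if ($mem[$i] -ne $disk[$i]) {
            $r.Status = 'suspicious'; $r.Detail = "header byte $i differs from $path"
            return [pscustomobject]$r
        }
    }
    $r.Status = 'ok'
    return [pscustomobject]$r
}

# Usage: scan everything this session can open (run elevated for fuller coverage).
Get-Process | ForEach-Object { Test-HollowedProcess -Process $_ } |
    Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Treat a 'suspicious' result as a triage lead, not a verdict: anything that legitimately rewrites its own headers in memory (some packers and anti-tamper schemes) trips the same check, and a hollowing implementation that maps its payload elsewhere and repoints the PEB rather than the module list would not be seen at the reported base. Run it from a PowerShell of the same bitness as the processes you care about, since MainModule is not readable across the 32/64-bit boundary from a 32-bit host.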
There are various threats using process hollowing. The most prominent is Kovter, a four-year-old click-fraud Trojan that adopted a fileless infection model last year and has recently been associated with ransomware such as Locky. In November last year, Kovter was found responsible for a massive spike in new malware variants.
Delivered mainly through phishing emails, Kovter stores most of its malicious components in registry keys rather than in files, then uses native Windows applications to execute that code and perform the injection. For persistence, it adds shortcuts (.lnk files) to the startup folder or new keys to the registry.
The malware adds two registry entries so that its component file is opened by the legitimate program mshta.exe. That component extracts an obfuscated payload from a third registry key, and a PowerShell script is used to execute another script that injects shellcode into a target process. Through this shellcode, Kovter uses process hollowing to inject its malicious code into legitimate processes.
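The chain just described leaves a recognisable trail in endpoint telemetry: a file-type handler pointing at mshta.exe, a Run value pointing at a file of that type, mshta.exe executing it, and PowerShell spawned from mshta.exe. The following script is an added example, not code from the article or from Microsoft, that correlates those four steps over Sysmon-style events (Event ID 13 registry value set, Event ID 1 process create, with Sysmon's field names). The sample events at the bottom are constructed for the demo; the extension, paths and GUIDs in them are made up.

```powershell
# Added example (not from the article or from Microsoft): flag a Kovter-style
# chain by correlating Sysmon-style telemetry. Event shapes follow Sysmon Event
# ID 13 (registry value set) and Event ID 1 (process create); the sample events
# at the bottom are constructed for this demo, not captured from a real host.

function Find-KovterLikeChain {
    param(
        # Objects with EventId, TargetObject, Details, Image, CommandLine,
        # ProcessGuid and ParentProcessGuid properties (Sysmon field names).
        [Parameter(Mandatory)] [object[]] $Events
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. First registry entry: a custom file extension whose open handler is mshta.exe.
    $mshtaExtensions = @{}
    foreach ($e in $Events | Where-Object { $_.EventId -eq 13 }) {
        if ($e.TargetObject -match '\\Classes\\(\.[^\\]+)\\shell\\open\\command') {
            $ext = $Matches[1].ToLowerInvariant()
            if ($e.Details -match '(?i)mshta\.exe') {
                $mshtaExtensions[$ext] = $e.TargetObject
                $findings.Add("Handler: '$ext' files open with mshta.exe ($($e.TargetObject))")
            }
        }
    }

    # 2. Second registry entry: a Run value that launches such a file, or mshta.exe directly.
    foreach ($e in $Events | Where-Object { $_.EventId -eq 13 -and $_.TargetObject -match '(?i)\\CurrentVersion\\Run\\' }) {
        $target = "$($e.Details)".Trim('"')
        $ext = [IO.Path]::GetExtension($target).ToLowerInvariant()
        if ($e.Details -match '(?i)mshta\.exe' -or ($ext -and $mshtaExtensions.ContainsKey($ext))) {
            $findings.Add("Persistence: Run value $($e.TargetObject) -> $($e.Details)")
        }
    }

    # 3. Execution: mshta.exe running inline script or a file of a flagged extension.
    $mshtaGuids = @{}
    foreach ($e in $Events | Where-Object { $_.EventId -eq 1 -and $_.Image -match '(?i)\\mshta\.exe$' }) {
        $cmd = "$($e.CommandLine)"
        $inline = $cmd -match '(?i)(javascript|vbscript):'
        $viaHandler = @($mshtaExtensions.Keys | Where-Object { $cmd.ToLowerInvariant().Contains($_) }).Count -gt 0
        if ($inline -or $viaHandler) {
            $mshtaGuids[$e.ProcessGuid] = $true
            $findings.Add("Execution: mshta.exe running attacker-controlled script: $cmd")
        }
    }

    # 4. Injection stage: powershell.exe whose parent is one of those mshta.exe processes.
    foreach ($e in $Events | Where-Object { $_.EventId -eq 1 -and $_.Image -match '(?i)\\powershell\.exe$' }) {
        if ($e.ParentProcessGuid -and $mshtaGuids.ContainsKey($e.ParentProcessGuid)) {
            $findings.Add("Injection stage: powershell.exe spawned by flagged mshta.exe: $($e.CommandLine)")
        }
    }
    return $findings
}

# Constructed sample telemetry (illustrative values, not captured from a real host).
$sampleEvents = @(
    [pscustomobject]@{ EventId = 13; TargetObject = 'HKU\S-1-5-21-1\Software\Classes\.b7c1d2\shell\open\command\(Default)'
                       Details = '"C:\Windows\System32\mshta.exe" "%1"'; Image = 'C:\Users\u\AppData\Local\Temp\inst.exe'
                       CommandLine = $null; ProcessGuid = '{G0}'; ParentProcessGuid = $null }
    [pscustomobject]@{ EventId = 13; TargetObject = 'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ab12'
                       Details = 'C:\Users\u\AppData\Local\ab12\ab12.b7c1d2'; Image = 'C:\Users\u\AppData\Local\Temp\inst.exe'
                       CommandLine = $null; ProcessGuid = '{G0}'; ParentProcessGuid = $null }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\ab12\ab12.b7c1d2"'
                       TargetObject = $null; Details = $null; ProcessGuid = '{G1}'; ParentProcessGuid = '{G0}' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -ep bypass -c "iex (gp HKCU:\Software\ab12).cfg"'
                       TargetObject = $null; Details = $null; ProcessGuid = '{G2}'; ParentProcessGuid = '{G1}' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe'; TargetObject = $null; Details = $null; ProcessGuid = '{G3}'; ParentProcessGuid = '{G9}' }  # benign
)

Find-KovterLikeChain -Events $sampleEvents
```

Against the sample, the function reports the handler, the Run value, the mshta.exe execution and the mshta-to-PowerShell parent link, and says nothing about the benign notepad.exe event. On a real host, feed it objects built from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` (the XML-to-object mapping is left out here); the mshta-to-PowerShell link is the part worth alerting on by itself, since it is rare in legitimate use and does not depend on knowing the malware's chosen extension.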
Atom bombing is a rather new code injection method. It does not exploit a bug that Microsoft could fix: it abuses legitimate Windows mechanisms, the global atom table and asynchronous procedure calls (APCs), which is why it has been described as a vulnerability that cannot be patched. It can only be used by an attacker who is already running code on the targeted machine. The technique relies on malware writing malicious code to the global atom table and then queuing APCs that make a thread in the target process retrieve that code and copy it into the target's memory.
Dridex, a threat first spotted in 2014, was an early adopter of atom bombing. Mainly distributed via spam emails, Dridex was designed to steal banking credentials and sensitive information, as well as to disable security products and provide attackers with remote access to victim computers. The threat remains stealthy and persistent by avoiding the common API calls associated with code injection techniques.
When executed on the victim's system, the malware looks for a target process and ensures that user32.dll is loaded in it, as it needs that DLL to reach the atom table functions. Next, the malware writes its shellcode to the global atom table, then uses NtQueueApcThread to queue calls to GlobalGetAtomNameW on a thread of the target process. When that thread next enters an alertable wait, the queued APCs run in its context and copy the malicious code into the target's memory, without the injecting process ever calling WriteProcessMemory or creating a remote thread.
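Because the shellcode has to sit in the global atom table long enough for the target thread to fetch it, the table itself is one place a responder can look. The script below is an added example, not code from the article, from Microsoft or from the researchers who described the technique: it walks the string-atom range of the current window station's global atom table with GlobalGetAtomNameW and flags entries that look like code rather than names. The 0xC000..0xFFFF range and the 255-character limit are documented Win32 facts; the choice of control characters, surrogate code units and a 64-character length as the "looks like code" signals is this example's own heuristic.

```powershell
# Added example (not from the article, Microsoft or the technique's authors):
# scan the global atom table of the current window station for entries that
# look like code rather than names. Legitimate global atoms are short, printable
# strings (window class and clipboard-format names); raw shellcode stored as a
# UTF-16 atom string shows up as control characters and lone surrogate code
# units. The thresholds below are assumptions, tune them for your estate.

Add-Type -Namespace Win32 -Name Atoms -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@

function Test-AtomLooksLikeCode {
    param([Parameter(Mandatory)] [string] $Name, [int] $MaxNameLength = 64)
    $control = 0; $surrogate = 0
    foreach ($c in $Name.ToCharArray()) {
        if ([char]::IsControl($c))   { $control++ }     # C0/C1 controls never occur in real names
        if ([char]::IsSurrogate($c)) { $surrogate++ }   # code bytes often land in D800-DFFF
    }
    $reasons = @()
    if ($control -gt 0)                  { $reasons += "$control control chars" }
    if ($surrogate -gt 0)                { $reasons += "$surrogate surrogate code units" }
    if ($Name.Length -gt $MaxNameLength) { $reasons += "length $($Name.Length) > $MaxNameLength" }
    return [pscustomobject]@{ Suspicious = ($reasons.Count -gt 0); Reason = ($reasons -join '; ') }
}

function Get-SuspiciousGlobalAtoms {
    param([int] $MaxNameLength = 64)
    $buf  = New-Object System.Text.StringBuilder 1024   # atom names are at most 255 chars
    $hits = New-Object System.Collections.Generic.List[object]
    # String atoms live in 0xC000..0xFFFF; lower values are integer atoms with no name.
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$buf.Clear()
        $len = [Win32.Atoms]::GlobalGetAtomNameW([uint16]$atom, $buf, $buf.Capacity)
        if ($len -eq 0) { continue }    # empty slot
        $name = $buf.ToString(0, [int]$len)
        $verdict = Test-AtomLooksLikeCode -Name $name -MaxNameLength $MaxNameLength
        if ($verdict.Suspicious) {
            # Hex of the first eight UTF-16 code units, i.e. the first 16 bytes as stored.
            $preview = ($name.ToCharArray() | Select-Object -First 8 | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
            $hits.Add([pscustomobject]@{
                Atom    = '0x{0:X4}' -f $atom
                Length  = $len
                Reason  = $verdict.Reason
                Preview = $preview
            })
        }
    }
    return $hits
}

Get-SuspiciousGlobalAtoms | Format-Table -AutoSize
```

Two limits to keep in mind. The global atom table is per window station, so run this in the same interactive session as the processes you suspect. And the atoms only need to exist until the APC has copied them, so an attacker can remove them immediately afterwards; a point-in-time scan is therefore a weak signal on its own, and the durable indicator is the one the article names, NtQueueApcThread calls targeting GlobalGetAtomNameW in another process, which needs the kind of API-level monitoring an EDR sensor provides.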
“Kovter and Dridex are examples of prominent malware families that evolved to evade detection using code injection techniques. Inevitably, process hollowing, atom bombing, and other advanced techniques will be used by existing and new malware families,” John Lundgren, Windows Defender ATP Research Team, explains.
Windows Defender ATP in Creators Update, he adds, monitors function calls and applies statistical models to detect various malicious injection techniques and better expose covert attacks. According to Lundgren, Microsoft has already tested these capabilities against real-world samples of malware families employing process hollowing and atom bombing, among other methods.