Register to stream ATT&CKcon 2.0 October 29-30

Process Injection

Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Windows

There are multiple approaches to injecting code into a live process. Windows implementations include: [1]

  • Dynamic-link library (DLL) injection involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
  • Portable executable injection involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. [2]
  • Thread execution hijacking involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
  • Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC Queue [3] of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. [4] AtomBombing [5] is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. [6]
  • Thread Local Storage (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. [7]

Mac and Linux

Implementations for Linux and OS X/macOS systems include: [8] [9]

  • LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. [10]
  • Ptrace system calls can be used to attach to a running process and modify it in runtime. [9]
  • /proc/[pid]/mem provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. [9]
  • VDSO hijacking performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. [11]

Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

ID: T1055
Tactic: Defense Evasion, Privilege Escalation
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator, SYSTEM, root
Effective Permissions: User, Administrator, SYSTEM, root
Data Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Process monitoring, Named Pipes
Defense Bypassed: Process whitelisting, Anti-virus
CAPEC ID: CAPEC-242
Contributors: Anastasios Pingios; Christiaan Beek, @ChristiaanBeek; Ryan Becwar
Version: 1.0

Procedure Examples

Name Description
APT37 APT37 injects its malware variant, ROKRAT, into the cmd.exe process. [80]
AuditCred AuditCred can inject code from files to other running processes. [60]
Backdoor.Oldrea Backdoor.Oldrea injects itself into explorer.exe. [35]
BlackEnergy BlackEnergy injects its DLL component into svchost.exe. [21]
Carbanak Carbanak downloads an executable and injects it directly into a new process. [54]
Carbon Carbon has a command to inject code into a process. [52]
Cardinal RAT Cardinal RAT injects into a newly spawned process created from a native Windows executable. [31]
Cobalt Group Cobalt Group has injected code into trusted processes. [79]
Cobalt Strike Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. [16]
Denis Denis injects its payload into Windows host processes. [61]
Derusbi Derusbi injects itself into the secure shell (SSH) process. [34]
Duqu Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host). [49]
Dyre Dyre injects into other processes to load modules. [25]
Elise Elise injects DLL files into iexplore.exe. [38] [39]
Emissary Emissary injects its DLL file into a newly spawned Internet Explorer process. [48]
Emotet Emotet has been observed injecting in to Explorer.exe and other processes. [62] [63] [64]
Empire Empire contains multiple modules for injecting into processes, such as Invoke-PSInject. [18]
FinFisher FinFisher injects itself into various processes depending on whether it is low integrity or high integrity. [36] [37]
Gazer Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. Gazer performs a separate injection of its communication module into an Internet accessible process through which it performs C2. [32] [33]
Gorgon Group Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process. [72]
GreyEnergy GreyEnergy has a module to inject a PE binary into a remote process. [43]
HiddenWasp HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables. [70]
HIDEDRV HIDEDRV injects a DLL for Downdelph into the explorer.exe process. [46]
Honeybee Honeybee uses a batch file to load a DLL into the svchost.exe process. [82]
HOPLIGHT HOPLIGHT has injected into running processes. [65]
HTRAN HTRAN can inject into into running processes. [20]
HyperBro HyperBro can run shellcode it injects into a newly created process. [71]
JHUHUGIT JHUHUGIT performs code injection injecting its own functions to browser processes. [28] [29]
JPIN JPIN can inject content into lsass.exe to load a module. [22]
Kazuar If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes. [30]
Koadic Koadic can perform process injection by using a reflective DLL. [14]
Lazarus Group A Lazarus Group malware sample performs reflective DLL injection. [73]
Matroyshka Matroyshka uses reflective DLL injection to inject the malicious library and execute the RAT. [59]
NavRAT NavRAT copies itself into a running Internet Explorer process to evade detection. [55]
PLATINUM PLATINUM has used various methods of process injection including hot patching. [22]
PoisonIvy PoisonIvy can inject a malicious DLL into a process. [23] [24]
PoshC2 PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject. [19]
PowerSploit PowerSploit contains a collection of CodeExecution modules that enable by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process. [12] [13]
Pupy Pupy can migrate into another process using reflective DLL injection. [15]
Putter Panda An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe). [83]
RARSTONE After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system. [26]
RATANKBA RATANKBA performs a reflective DLL injection using a given pid. [40] [41]
Remcos Remcos has a command to hide itself through injecting into another process. [17]
Remsec Remsec can perform DLL injection. [42]
Smoke Loader Smoke Loader injects into the Internet Explorer process. [53]
Socksbot Socksbot creates a suspended svchost process and injects its DLL into it. [45]
StoneDrill StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser. [66]
Sykipot Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe. [27]
Taidoor Taidoor can perform DLL loading. [51]
Threat Group-3390 A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process. [77] [78]
TrickBot TrickBot injects into the svchost.exe process. [56] [57] [58]
Tropic Trooper Tropic Trooper has injected a DLL backdoor into a file dllhost.exe. [81]
Turla Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system. [74] [75] [76]
TURNEDUP TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an "Early Bird injection." [4]
Ursnif Ursnif has injected code into target processes via thread local storage callbacks. [67] [68] [69]
Wiarp Wiarp creates a backdoor through which remote attackers can inject files into running processes. [50]
Wingbird Wingbird performs multiple process injections to hijack system processes and execute malicious code. [44]
Zeus Panda Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process. [47]

Mitigations

Mitigation Description
Behavior Prevention on Endpoint Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
Privileged Account Management >Linux

Utilize Yama to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppAmour.

Detection

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. [1]

Monitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. [84] [85] [86] [87]

Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. [88]

Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, [89] so additional PowerShell monitoring may be required to cover known implementations of this behavior.

References

  1. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  2. Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.
  3. Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.
  4. Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.
  5. Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.
  6. Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.
  7. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.
  8. Turner-Trauring, I. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.
  9. skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.
  10. halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.
  11. O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved December 20, 2017.
  12. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  13. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  14. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  15. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  16. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  17. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  18. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  19. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  20. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  21. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  22. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  23. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  24. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  25. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  26. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  27. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
  28. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  29. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  30. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  31. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  32. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  33. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  34. Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
  35. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  36. FinFisher. (n.d.). Retrieved December 20, 2017.
  37. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  38. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  39. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  40. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  41. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  42. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  43. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  44. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  45. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  1. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  2. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  3. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  4. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  5. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  6. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  7. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  8. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  9. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  10. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  11. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  12. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  13. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
  14. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  15. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  17. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  18. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  19. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  20. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  21. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  22. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  23. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  24. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  25. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  26. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  27. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  28. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  29. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  30. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  31. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  32. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  33. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  34. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  35. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  36. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  37. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  38. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  39. Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.
  40. GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
  41. Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
  42. stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.
  43. Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.
  44. PowerSploit. (n.d.). Retrieved December 4, 2014.