What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection

Presented at Black Hat Asia 2017, March 31, 2017, 2:15 p.m. (60 minutes)

Hollow process injection is a code injection technique used by malware authors to blend in with legitimate processes on the system and remain undetected, and there are documented procedures for detecting it. This presentation focuses on undocumented hollow process injection techniques. Through the analysis (reverse engineering and forensics) of real-world malware samples, it uncovers how malware authors (both APT and crimeware actors) are now using variations of hollow process injection not just to blend in, but also to remain stealthy, bypass detection, and confuse or divert forensic analysis tools and techniques, creating uncertainty in the mind of the security analyst. The presentation also covers how such malware can be further modified to deflect forensic analysis tools and techniques, thereby creating a possible anti-forensic technique, and what to look for while investigating such attacks: when to rely on the forensic tools and when not to. From an incident response perspective, understanding these stealth techniques helps in countering and responding to such malware attacks. The presentation contains video demos of the analysis of different real-world malware samples and also presents a Volatility plugin to detect such attacks.
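The abstract contrasts documented detection procedures with variations that evade them. As an added example (not code from the talk or from the Volatility plugin it presents), the sketch below shows the kind of per-process checks a hollowing detector performs over a memory image: whether the region at the PEB's ImageBaseAddress is still backed by the process's own executable, whether it carries the PAGE_EXECUTE_READWRITE protection that a private copy of injected code typically has (a legitimately mapped image is PAGE_EXECUTE_WRITECOPY), and, for the variation where the PEB is left untouched, whether a second PE header sits in a private RWX region. The data model, field names, and the three-process snapshot are constructed assumptions, not taken from any real memory dump.

```python
"""Toy detector for process hollowing indicators over a constructed memory snapshot.

Added example, not code from the presentation or its Volatility plugin. The data
model (a process with a PEB ImageBaseAddress, an image path, and a list of VAD
regions) is a simplified stand-in for what a memory forensics framework exposes;
all field names and sample values here are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows page protection constants (real values from the Win32 API).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


@dataclass
class Vad:
    start: int
    end: int
    protection: int
    mapped_file: Optional[str]  # None for private (non file-backed) memory
    head: bytes = b""           # first bytes of the region, as carved from memory


@dataclass
class Process:
    pid: int
    name: str
    image_path: str             # path of the executable the process was created from
    peb_image_base: int         # PEB.ImageBaseAddress as read from the process
    vads: List[Vad] = field(default_factory=list)


def vad_for(proc: Process, addr: int) -> Optional[Vad]:
    """Return the VAD region containing addr, or None if it is unmapped."""
    for v in proc.vads:
        if v.start <= addr <= v.end:
            return v
    return None


def hollowing_indicators(proc: Process) -> List[str]:
    """Return human-readable indicators of hollowing for one process (empty if clean)."""
    findings: List[str] = []
    base_vad = vad_for(proc, proc.peb_image_base)
    if base_vad is None:
        return ["PEB ImageBaseAddress is not inside any VAD region"]

    # Classic indicator: the image base region is no longer a mapping of the process's own file.
    if base_vad.mapped_file is None:
        findings.append("image base region is private memory, not a file mapping")
    elif base_vad.mapped_file.lower() != proc.image_path.lower():
        findings.append(
            f"image base mapped from {base_vad.mapped_file}, expected {proc.image_path}")

    # A mapped image section is PAGE_EXECUTE_WRITECOPY; code written in by the injector is RWX.
    if base_vad.protection == PAGE_EXECUTE_READWRITE:
        findings.append("image base region is PAGE_EXECUTE_READWRITE")

    # Variation: PEB still points at the legitimate image, but a second PE lives in private RWX memory.
    for v in proc.vads:
        if v is base_vad:
            continue
        if v.mapped_file is None and v.protection == PAGE_EXECUTE_READWRITE and v.head.startswith(b"MZ"):
            findings.append(f"PE header in private RWX region at 0x{v.start:x} outside the PEB image base")
    return findings


def scan(processes: List[Process]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process that has at least one indicator."""
    result: Dict[int, List[str]] = {}
    for p in processes:
        hits = hollowing_indicators(p)
        if hits:
            result[p.pid] = hits
    return result


# Constructed sample snapshot (not real forensic data): one clean svchost.exe, one classically
# hollowed copy, and one where the PEB is untouched but a second PE sits in private RWX memory.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE: List[Process] = [
    Process(1001, "svchost.exe", SVCHOST, 0x7FF600000000,
            [Vad(0x7FF600000000, 0x7FF60003FFFF, PAGE_EXECUTE_WRITECOPY, SVCHOST, b"MZ\x90\x00")]),
    Process(1002, "svchost.exe", SVCHOST, 0x400000,
            [Vad(0x400000, 0x45FFFF, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00")]),
    Process(1003, "svchost.exe", SVCHOST, 0x7FF600000000,
            [Vad(0x7FF600000000, 0x7FF60003FFFF, PAGE_EXECUTE_WRITECOPY, SVCHOST, b"MZ\x90\x00"),
             Vad(0x2A0000, 0x2CFFFF, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00")]),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(pid, "->", "; ".join(hits))
```

The first two checks are the well-known ones the abstract refers to as documented; the third shows why a detector that trusts PEB.ImageBaseAddress alone can be steered away from the real payload, which is the class of variation the talk is about. On a real image the same logic would be fed from the framework's process and VAD enumeration rather than from the constructed list.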

Presenters:

  • Monnappa K A - Information Security Investigator, Cisco Systems
    Monnappa K A works with Cisco Systems as an Information Security Investigator focusing on threat intelligence, investigation of advanced cyber attacks, and research on cyber espionage and APT attacks. He is the author of the Limon sandbox (for analyzing Linux malware), which was released at Black Hat Europe 2015, and a core member of the cyber security research community "Cysinfo" (https://www.cysinfo.com). His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. He has presented at security conferences such as Black Hat, FIRST, the 4SICS SCADA/ICS summit, DSCI, and Cysinfo meetings on topics including memory forensics, malware analysis, and rootkit analysis, and has conducted trainings at the FIRST (Forum of Incident Response and Security Teams) conference and the 4SICS SCADA/ICS cyber security summit. He has also authored articles in Hakin9, eForensics, and Hack[In]sight magazines.
