New Memory Forensics Techniques to Defeat Device Monitoring Malware

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Malware that is capable of monitoring hardware devices poses a significant threat to the privacy and security of users and organizations. Common capabilities of such malware include keystroke logging, clipboard monitoring, sampling of microphone audio, and recording of web camera footage. All modern operating systems implement APIs that provide hardware access to processes and all have been abused to monitor the activity of journalists and dissidents, conduct espionage operations, and gather data needed for blackmail. Existing memory forensic methods for detecting these techniques are largely confined to malware that operates within kernel space. The use of kernel rootkits has waned in recent years though as operating systems have sharply locked down access to kernel memory. These limitations placed upon kernel rootkits, along with the easy-to-use APIs in userland that allow for access to hardware devices, has led to many device monitoring malware samples that operate solely within process memory. Unfortunately, current methods for detection of such malware are severely outdated or completely lacking. These include attempts at live forensics, which relies on system APIs, but these APIs are often hooked by malware to hide their activity. Partial memory forensics techniques for Windows exist, but are outdated, and there are techniques across operating systems that have no detection support. Given the recent emphasis on memory analysis, such as in CISA directives related to ProxyLogon and SolarWindows, it is imperative that memory forensic techniques are able to properly detect modern threats.

In this presentation, we present our effort to develop algorithms capable of detecting userland device monitoring malware across all major operating systems. Our efforts led to several Volatility plugins being created that are capable of automatically locating all information about processes that are monitoring hardware devices. We plan to contribute our Volatility additions to the community during Black Hat.

Presenters:

• Andrew Case - Director of Research, Volexity
  Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis framework. He is a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory". He has delivered trainings in the fields of digital forensics and incident response to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.
• Golden Richard - Professor of Computer Science and Engineering, Louisiana State University
  Golden G. Richard III is a cybersecurity researcher and teacher and a Fellow of the American Academy of Forensic Sciences. He has over 40 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He is currently Professor of Computer Science and Engineering and Associate Director for Cybersecurity at the Center for Computation and Technology (CCT) at LSU. He also supports NSA's CAE-CO internship program, teaching memory forensics, vulnerability analysis, and other topics to cleared interns. His primary research interests are memory forensics, digital forensics, malware analysis, reverse engineering, and operating systems. Dr. Richard earned his BS in Computer Science from the University of New Orleans and MS and PhD in Computer Science from The Ohio State University. His first floppy drive cost $600 and required financing; despite that, he's still very much alive.
• Austin Sellers - Detection Engineer, Volexity
  Austin Sellers is a Detection Engineer at Volexity where he focuses on automating large scale memory analysis and threat detection techniques. He has significant experience in developing memory analysis datasets that allow for automated verification and testing of kernel and userland memory forensics techniques.
• Gustavo Moreira - Senior Security Engineer, Volexity
  Gustavo Moreira is a Senior Security Engineer at Volexity. He has significant experience in reverse engineering, incident response handling, embedded systems development and security, Windows and Linux internals, and automation of large scale malware analysis.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#new-memory-forensics-techniques-to-defeat-device-monitoring-malware-27403

Similar Presentations:

• REcon 2016 / Monitoring & controlling kernel-mode events by HyperPlatform
• DEF CON 30 (2022) / Memfini - A systemwide memory monitor interface for linux Demo
• Black Hat USA 2020 Virtual / Hiding Process Memory via Anti-Forensic Techniques