Breaking Windows with your ARM

Presented at BSidesLV 2023, Aug. 8, 2023, 5 p.m. (45 minutes)

Our research aims to shed light on the current state of Windows on ARM (WoA) rootkits. Although we have yet to find Windows malware targeting the ARM architecture (ARM64, also known as AArch64), and no rootkits have been discovered for this platform so far, we believe the arms race has begun and it is only a matter of time until a rootkit for WoA emerges. In our research we looked for ways to implement a rootkit using known mechanisms, such as different hooking techniques and callback functions, and developed a tool that detects rootkit infections on the WoA platform by looking for inconsistencies in critical kernel structures. The ARM64 architecture gives mobile devices better battery life while maintaining strong performance, and we believe the future of mobile devices running Windows is on ARM. As WoA gains popularity among users, including those running it on Apple Silicon devices, it is essential to prepare for the inevitable emergence of rootkits. With our tool we hope to lay the groundwork for IR and malware analysts who will have to reverse engineer the malware of the future.
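One concrete form of the "inconsistency in critical kernel structures" check mentioned above is comparing the first instructions of a kernel function as they sit in memory against a known-good copy, and then decoding what the modified instructions do. The snippet below is an added illustration, not the presenters' tool or any CyberArk code: it decodes two AArch64 patterns a hook installer commonly writes at a function entry, a PC-relative `B` that leaves the function, and an `LDR Xn, literal; BR Xn` pair that jumps to an absolute address stored inline. The byte sequences, the function address `0xFFFFF80000001000` and the hook target `0xFFFFF80012345678` are constructed sample data, and the "clean" reference is handed in as a buffer; a real scanner would derive it from the on-disk image (after applying relocations) or a trusted snapshot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

typedef enum { HOOK_NONE = 0, HOOK_INLINE_BRANCH, HOOK_ABS_TRAMPOLINE, HOOK_MODIFIED } hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;   /* address control is diverted to, when recoverable */
} hook_result;

/* AArch64 instructions are fixed-width 32-bit little-endian words. */
static uint32_t insn_at(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t u64_at(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* B <label>: bits 31:26 == 000101, imm26 is a signed word offset from the B itself. */
static bool decode_b_imm(uint32_t insn, int64_t *off) {
    if ((insn & 0xFC000000u) != 0x14000000u) return false;
    int64_t imm = (int64_t)(insn & 0x03FFFFFFu);
    if (imm & 0x02000000) imm -= 0x04000000;      /* sign-extend 26 bits */
    *off = imm * 4;
    return true;
}

/* LDR Xt, <label>: bits 31:24 == 0x58, imm19 is a signed word offset from the LDR. */
static bool decode_ldr_lit(uint32_t insn, int *rt, int64_t *off) {
    if ((insn & 0xFF000000u) != 0x58000000u) return false;
    int64_t imm = (int64_t)((insn >> 5) & 0x7FFFFu);
    if (imm & 0x40000) imm -= 0x80000;            /* sign-extend 19 bits */
    *rt = (int)(insn & 0x1Fu);
    *off = imm * 4;
    return true;
}

/* BR Xn: 0xD61F0000 | (n << 5). */
static bool decode_br_reg(uint32_t insn, int *rn) {
    if ((insn & 0xFFFFFC1Fu) != 0xD61F0000u) return false;
    *rn = (int)((insn >> 5) & 0x1Fu);
    return true;
}

/* Compare the in-memory prologue with the reference copy and classify any change. */
hook_result check_function(uint64_t func_va, const uint8_t *mem, const uint8_t *clean, size_t size) {
    hook_result r = { HOOK_NONE, 0 };
    if (size < 4 || memcmp(mem, clean, size) == 0) return r;   /* bytes match: nothing to report */

    uint32_t insn0 = insn_at(mem);
    int64_t off; int rt, rn;

    /* Pattern 1: an unconditional branch at entry that lands outside the function body. */
    if (decode_b_imm(insn0, &off)) {
        uint64_t target = func_va + (uint64_t)off;
        if (target < func_va || target >= func_va + size) {
            r.kind = HOOK_INLINE_BRANCH; r.target = target; return r;
        }
    }
    /* Pattern 2: LDR Xn, literal followed by BR Xn, with the literal inside the overwritten bytes. */
    if (size >= 8 && decode_ldr_lit(insn0, &rt, &off) && decode_br_reg(insn_at(mem + 4), &rn) &&
        rt == rn && off >= 0 && (size_t)off + 8 <= size) {
        r.kind = HOOK_ABS_TRAMPOLINE; r.target = u64_at(mem + off); return r;
    }
    r.kind = HOOK_MODIFIED;   /* changed, but not a pattern this decoder knows */
    return r;
}

/* Constructed sample: a five-instruction leaf function as it would appear on disk.
 * STP X29,X30,[SP,#-16]! ; MOV X29,SP ; ADD X0,X0,#1 ; LDP X29,X30,[SP],#16 ; RET */
static const uint8_t clean_prologue[20] = {
    0xFD,0x7B,0xBF,0xA9, 0xFD,0x03,0x00,0x91, 0x00,0x04,0x00,0x91, 0xFD,0x7B,0xC1,0xA8, 0xC0,0x03,0x5F,0xD6 };
/* Constructed: first word replaced by B #0x1000 (0x14000400), a detour out of the function. */
static const uint8_t hooked_branch[20] = {
    0x00,0x04,0x00,0x14, 0xFD,0x03,0x00,0x91, 0x00,0x04,0x00,0x91, 0xFD,0x7B,0xC1,0xA8, 0xC0,0x03,0x5F,0xD6 };
/* Constructed: LDR X16,#8 (0x58000050) ; BR X16 (0xD61F0200) ; 8-byte target 0xFFFFF80012345678 ; RET */
static const uint8_t hooked_trampoline[20] = {
    0x50,0x00,0x00,0x58, 0x00,0x02,0x1F,0xD6, 0x78,0x56,0x34,0x12,0x00,0xF8,0xFF,0xFF, 0xC0,0x03,0x5F,0xD6 };

int main(void) {
    const uint64_t va = 0xFFFFF80000001000ULL;   /* assumed function address for the demo */
    const uint8_t *cases[] = { clean_prologue, hooked_branch, hooked_trampoline };
    const char *names[] = { "clean", "inline B", "LDR/BR trampoline" };
    for (int i = 0; i < 3; i++) {
        hook_result r = check_function(va, cases[i], clean_prologue, sizeof clean_prologue);
        printf("%-18s kind=%d target=0x%016" PRIx64 "\n", names[i], (int)r.kind, r.target);
    }
    return 0;
}
```

The in-function bounds test on pattern 1 matters: a function whose clean prologue legitimately begins with a branch to its own tail would otherwise be reported as hooked, so the classifier only flags a `B` whose target leaves the function, and anything else that differs falls through to `HOOK_MODIFIED` for a human to look at.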

Presenters:

  • Rotem Salinas
    Rotem is a Senior Security Researcher in CyberArk Labs' Malware Research Team. His work focuses on hunting and reverse engineering cutting-edge malware samples such as rootkits, APTs, banking trojans, infostealers, client-side exploits and other threats. He has previously presented at conferences such as RSA Conference and Digital Crimes Consortium.