Malware Attack Techniques
(OBJ 2.4)
Malware Exploitation Technique
- Specific method by which malware code penetrates and infects a targeted system
Malware focuses
- Some malware focuses on infecting the system’s memory to leverage remote procedure calls over the organization’s network
- Most modern malware uses fileless techniques to avoid detection by signature-based security software
  - Bypasses detection by signature-based security systems like anti-virus and anti-malware solutions by directly executing the malicious code as a script or as a small piece of shellcode
- Fileless Malware is used to create a process in the system memory without relying on the local file system of the infected host
  - Harder to detect because it leaves behind very few traces or indicators of compromise in comparison to standard pieces of file-based malware
  - Little evidence is left behind
How does this modern malware work?
- When a user accidentally clicks on a malicious link or opens a malicious file, the specific type of malware being installed is known as a stage one dropper or downloader
- Stage 1 Dropper or Downloader
  - Piece of malware that is usually created as a lightweight shellcode that can be executed on a given system
  - The primary function of a stage one dropper or downloader is to retrieve additional portions of the malware code and to trick the user into activating it
- Dropper
  - Specific malware type designed to initiate or run other malware forms within a payload on an infected host
- Downloader
  - Retrieves additional tools after the initial infection facilitated by a dropper
- Shellcode
  - Broader term that encompasses lightweight code meant to execute an exploit on a given target
- Stage 2: Downloader
  - Downloads and installs a Remote Access Trojan to conduct command and control on the victimized system
- “Actions on Objectives” Phase
  - Threat actors carry out their primary actions to meet core objectives like
    - data exfiltration
    - file encryption
- Concealment
  - Used to help the threat actor prolong unauthorized access to a system by
    - hiding tracks
    - erasing log files
    - hiding any evidence of malicious activity
- “Living off the Land”
  - A strategy adopted by many Advanced Persistent Threats and criminal organizations
  - Threat actors try to exploit the standard tools already present on the system to perform intrusions
  - Example: PowerShell is installed by default!
How is malware delivered to systems?
- Malware is delivered to a system using many different techniques including
  - Code injection
    - Running malicious code under the identity of a legitimate process
  - Masquerading
  - DLL injection
  - DLL sideloading
  - Process hollowing
- These various malware deployment methods can also be combined with anti-forensic strategies like encryption, compression and obfuscation to make it more challenging for cyber defense professionals to detect and analyze these malicious threats.
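As an added example that is not part of these notes, the Python script below triages process-creation events for the “living off the land” and stage-one dropper patterns described above (an Office application spawning PowerShell, an encoded in-memory script, a system binary loading a DLL from a user-writable path, which is the usual footprint of DLL sideloading). The events are constructed samples shaped like Sysmon Event ID 1 fields, and the binary lists and flag patterns are assumptions chosen for illustration, not any vendor’s detection logic.

```python
"""Toy triage of process-creation events for the fileless / 'living off the land'
patterns in these notes. Events are constructed Sysmon Event ID 1-style samples."""
import re

# Constructed sample events (hypothetical host; the -enc value is a placeholder, not a payload).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJDREVGRw=="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Windows-native binaries routinely abused as the "standard tools" of LOTL intrusions (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\b")        # script passed inline
HIDDEN_FLAG = re.compile(r"(?i)\s-(w|win|window|windowstyle)\s+hidden\b")
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|temp)\\")        # DLL outside system dirs

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event matches a LOTL / fileless dropper pattern (empty if none)."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    reasons = []
    if image in LOLBINS and parent in OFFICE_APPS:
        reasons.append("LOLBin spawned by an Office app (stage-1 dropper pattern)")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(cmd):
        reasons.append("encoded PowerShell command: script runs without touching disk")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden window requested")
    if image in {"rundll32.exe", "regsvr32.exe"} and USER_WRITABLE.search(cmd):
        reasons.append("system binary loading a DLL from a user-writable path")
    return reasons

def triage(events):
    """Map event index -> reasons, for every event that raised at least one."""
    return {i: r for i, ev in enumerate(events) if (r := score_event(ev))}
```

Running `triage(SAMPLE_EVENTS)` flags the Office-spawned encoded PowerShell and the rundll32 load from a Temp directory, while the administrator's signed script and the normal shell32 load raise nothing.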