According to a blog article published by security researchers at Cisco Talos, a new malware loader has been seen in the wild that is specifically designed to hide in plain sight and allow its payload to evade detection by anti-malware solutions, injecting the payload into the memory of the compromised computer before it is ever dropped. This discovery illustrates the danger posed by hackers who create custom loaders to deliver a wide range of malware strains to suit their purposes. The loader is known to exploit the infamous “Heaven’s Gate” technique to avoid detection.
The Heaven’s Gate technique, first seen in 2009, allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment. This helps the loader evade detection, as many anti-virus products struggle to spot the technique. To evade detection further, the loader hides the payload within its own packed and obfuscated code; at run time it unpacks the payload and injects it into a legitimate RegAsm.exe process using the process-hollowing technique. Process hollowing involves creating a process on the machine in a suspended state, which means it is not yet mapped into the machine’s memory, further making it difficult for anti-virus packages to detect that something is wrong. The technique is similar to process injection, in that execution of the malicious code is masked under a legitimate process to evade detection. In this instance RegAsm.exe is created by the malware loader in a suspended state; subsequently, its memory is unmapped and replaced with the malicious payload. This means that the payload is never written to the compromised machine’s disk, making it that much harder for the computer’s defences to react to the intrusion.
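The sequence described above (a process created suspended, its image unmapped, the payload written in, the thread context redirected and the process resumed) is also what a defender can look for. The following detection logic is an added example written for this article; it is not code from Cisco Talos or from the loader. It assumes an EDR-style telemetry feed in which each event records the calling process, the Win32/NT API used, the target process and, for process creation, the creation flags; the event format and the sample events are constructed here for illustration.

```python
from collections import defaultdict

# dwCreationFlags bit for CreateProcess (documented Win32 value).
CREATE_SUSPENDED = 0x00000004

# API calls that, taken together against one suspended child created by the
# same caller, characterise process hollowing.
HOLLOW_STEPS = ("NtUnmapViewOfSection", "WriteProcessMemory",
                "SetThreadContext", "ResumeThread")


def detect_process_hollowing(events, min_steps=3):
    """Correlate API telemetry into process-hollowing alerts.

    events: iterable of dicts with keys ts, pid (caller), api, target_pid,
            and optionally flags and image (assumed field names).
    Returns one alert per (creator, target) pair where the target was created
    suspended and at least min_steps hollowing steps followed from the creator,
    ending with ResumeThread.
    """
    suspended = {}           # target_pid -> (creator_pid, image, created_ts)
    seen = defaultdict(set)  # (creator_pid, target_pid) -> hollowing steps seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        api = ev["api"]
        if api == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                suspended[ev["target_pid"]] = (ev["pid"], ev.get("image", "?"), ev["ts"])
            continue
        if api in HOLLOW_STEPS and ev["target_pid"] in suspended:
            creator, image, created_ts = suspended[ev["target_pid"]]
            if ev["pid"] != creator:
                continue  # only the creator manipulating its own child counts
            key = (creator, ev["target_pid"])
            seen[key].add(api)
            if api == "ResumeThread" and len(seen[key]) >= min_steps:
                alerts.append({
                    "creator_pid": creator,
                    "target_pid": ev["target_pid"],
                    "target_image": image,
                    "steps": sorted(seen[key]),
                    "created_at": created_ts,
                    "resumed_at": ev["ts"],
                })
    return alerts


# Constructed sample telemetry (not real captured data): a loader (pid 4321)
# hollowing RegAsm.exe, a debugger (pid 100) that legitimately creates a
# suspended child and simply resumes it, and an unrelated WriteProcessMemory.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4321, "api": "CreateProcess", "target_pid": 5566,
     "flags": CREATE_SUSPENDED, "image": "RegAsm.exe"},
    {"ts": 2, "pid": 4321, "api": "NtUnmapViewOfSection", "target_pid": 5566},
    {"ts": 3, "pid": 4321, "api": "WriteProcessMemory", "target_pid": 5566},
    {"ts": 4, "pid": 4321, "api": "SetThreadContext", "target_pid": 5566},
    {"ts": 5, "pid": 4321, "api": "ResumeThread", "target_pid": 5566},
    {"ts": 6, "pid": 100, "api": "CreateProcess", "target_pid": 101,
     "flags": CREATE_SUSPENDED, "image": "target.exe"},
    {"ts": 7, "pid": 100, "api": "ResumeThread", "target_pid": 101},
    {"ts": 8, "pid": 200, "api": "WriteProcessMemory", "target_pid": 300},
]

if __name__ == "__main__":
    for alert in detect_process_hollowing(SAMPLE_EVENTS):
        print(alert)
```

The debugger case shows why the rule waits for several distinct steps rather than alerting on CREATE_SUSPENDED alone: debuggers, sandboxes and some installers create suspended processes legitimately, but they do not unmap the child's image and overwrite it before resuming. The alert carries the target image name so that a hollowed RegAsm.exe (or any other signed host binary) can be triaged against the on-disk file it no longer matches.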
As if this were not enough, the loader employs yet more evasion tactics. Some of the code is obfuscated beyond the use of the Heaven’s Gate technique. On 32-bit systems, the loader makes use of syscalls. In the wild the malicious code is capable of shifting between 32-bit and 64-bit execution, causing some debuggers and anti-malware software to completely miss “…these calls as far as they are not expecting a 32-bit application running under the Microsoft WOW64 technology on a 64-bit system to use 64-bit calls directly.”
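The mode switch that Heaven’s Gate relies on leaves a recognisable footprint in a 32-bit binary: a far jump or far call whose segment selector is 0x33 (the 64-bit code segment under WOW64), or the equivalent push/retf sequence. The scanner below is an added example, not code from Cisco Talos or from any anti-virus product; it looks for those byte patterns in a buffer so that a 32-bit sample can be flagged for closer analysis. The sample buffer is constructed for the demonstration and is not taken from the loader.

```python
import re

# Byte patterns for a 32-bit to 64-bit mode switch (Heaven's Gate).
# Selector 0x33 is the 64-bit code segment under WOW64; 0x23 is the 32-bit one.
HEAVENS_GATE_PATTERNS = {
    # jmp far ptr 0x33:imm32  ->  EA <imm32> 33 00
    "jmp_far_0x33": re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL),
    # call far ptr 0x33:imm32  ->  9A <imm32> 33 00
    "call_far_0x33": re.compile(rb"\x9A.{4}\x33\x00", re.DOTALL),
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    "push_retf_0x33": re.compile(
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"),
}


def scan_heavens_gate(data: bytes):
    """Return [(pattern_name, offset), ...] for every match, ordered by offset."""
    hits = []
    for name, pattern in HEAVENS_GATE_PATTERNS.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path: str):
    """Scan a file on disk; intended for 32-bit PE samples or unpacked dumps."""
    with open(path, "rb") as fh:
        return scan_heavens_gate(fh.read())


# Constructed sample buffer (not a real loader): an ordinary function prologue,
# a push/retf gate, some padding, then a far jmp to selector 0x33.
SAMPLE = (
    b"\x55\x8B\xEC\x83\xEC\x10"                       # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"  # push 0x33 ... retf
    + b"\x90" * 4                                     # nop padding
    + b"\xEA\x78\x56\x34\x12\x33\x00"                 # jmp far 0x33:0x12345678
    + b"\xC3"                                         # ret
)

if __name__ == "__main__":
    for name, offset in scan_heavens_gate(SAMPLE):
        print(f"{name} at offset 0x{offset:x}")
```

Two caveats apply in practice. First, the far-jump and far-call patterns are short, so the selector bytes 33 00 can occur by chance in data sections; hits should be confirmed by disassembling at the offset rather than treated as proof on their own. Second, a packed loader will not expose these bytes until it has been unpacked, which is exactly why this loader wraps its code in packing and obfuscation; the scan is most useful on memory dumps taken after unpacking.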
The loader is spread through a spam email campaign whose emails have been seen to actively exploit CVE-2017-11882. This vulnerability stems from Microsoft Office products improperly handling objects in memory and, when successfully exploited, allows the hacker to run malicious code. If the user has admin rights, the hacker could take control of the affected computer, install programs, view, change, or delete data, or create new accounts with full user rights. In order to exploit the vulnerability and help ensure an infection, the spam emails carry Microsoft Word and Excel documents which appear to be a variety of invoices and bank statements, and which download the loader from attacker-controlled servers after being opened. According to researchers, the campaign is still ongoing.
The malware loader drops a varied payload in terms of malware strains, from a keylogger to a remote access trojan and a number of crypto miners designed to mine Monero. The first piece of malware of note is the HawkEye Reborn keylogger, which is already on its ninth version. The main aim of the malware, like all keyloggers, is to log user keystrokes in order to steal account credentials or other similar information. HawkEye Reborn has been seen in the past targeting businesses in order to take over vital business accounts and computers. Often the information stolen from businesses included details of business contacts, affiliates, and partners, which was then used to launch scams. Later scams employed this information to hijack transactions by providing alternative payment details, routing the payments straight to fraudulent accounts set up by the operators.
Another piece of malware dropped by the loader is the infamous Remcos remote access trojan. The tool is available to anyone who purchases it and is marketed as a legitimate tool by its developers, who forbid its misuse. Cybercriminals, however, are not known for respecting licence terms and use the tool to further their malicious goals. The remote access trojan, commonly referred to as a RAT, has been used in the past to execute malware with high system privileges. In an article published by security firm Fortinet, Remcos is shown being used to execute further malware variants. Fortinet concluded that,
“This article proves once again that one does not have to be an expert to launch fairly sophisticated malware attacks. More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks. As for many RAT authors, the developer discourages malicious usage of the tool through a license ban if reported. This in most cases is nothing but a false shield to guard them from liability when the thin veil of its being an administration tool is removed and it is exposed as a full-blown malware builder.”
The use of the loader is a reminder that hackers can successfully fly under the radar to deploy low-level and well-known malware effectively. Without the loader, anti-virus suites would pick up the malware it drops with ease and deal with it. However, the clever combination of evasion techniques used by the loader will stretch the capabilities of such software packages. Further, researchers concluded that,
“The adversaries, in this case, used sophisticated loaders that leverage several different low-level operating system techniques to make it as hard as possible for antivirus programs to detect the malware. By using these loaders, they can quickly and easily change the final malware or in other words the payload of the loader.”