D-Client for Windows: Remote Code Injection Protection
Remote Code Injection is a strong attack vector used by adversaries and malware. In a previous blog where we explained how fileless attacks take place, in this blog we specifically address remote code injection. The attack vector leverages specific mechanisms and flows implemented by design on the operating system. The main goal is to inject malicious code into different processes.
The main motivation to implement such a technique is to evade detection by various security products.
Usually, security products that are only focused on files, might not detect other attack surfaces such as fileless techniques. Remote Code Injection is considered a fileless technique, where the malicious code is executed without hosting it in a file that sits on a disk. Instead, the malicious code can be executed directly from a network, or even from an encrypted payload that sits on the disk (which is also not subject to file scanning by security software).
To further help avoid detection, attackers usually inject their malicious code within legitimate processes, such as explorer.exe. Cyber security products tend not to scan such processes in the concern that it might cause false positives, or crash legitimate software. As a result, malicious attacks coming from such legitimate processes are often missed.
This technique can also bypass SOC teams and threat hunters who might be monitoring suspicious processes. Injecting malicious code into a legitimate process, effectively enables attackers to pass under the radar, and increase the chances of successfully running a malicious attack.
It is also being used by banking trojans to perform Man-in-the-Browser attacks. By manipulating the content of websites, particularly those within the financial sector, attackers can mislead the victim to perform transactions using the user's own name and credentials.
Finally, adversaries might use this technique to take advantage of process’ privileges, for example, to access a specific source of data.
Over the last two decades, various techniques have been presented by security researchers using Windows, were they implemented in malicious campaigns. Some of the most evasive ransomware campaigns, such as WannaCry and Ryuk used such techniques to successfully evade detection.
A list of some of the most devastating Remote Code Injection techniques:
Process Hollowing: A legitimate process is executed in a suspended state, and the original code is replaced with malicious code. This technique can also be accomplished by patching the entry point, or by patching the context of the suspended process. Examples of malicious campaigns using this technique include Duqu and Cobalt Strike.
CreateRemoteThread: A malicious code is executed as a thread created in a remote process.
LoadLibrary: A DLL is loaded into a remote process and one of its malicious functions is called.
SetWindowLong: A window handler is patched to execute malicious code.
Asynchronous Procedure Call: This is similar to the CreateRemoteThread technique, where malicious code is executed as a threat created in a remote process using APC.
Setting a Thread Context: The context of a thread is changed, which results in the execution of malicious code.
IAT Hooking: A function from the Import Address Table (IAT) is hooked to execute malicious code.
AtomBombing: The Windows Atom table is exploited to write malicious code into a remote process and then executes the malicious code. An example of a malicious campaign using this technique include the Dridex Banking Trojan.
PROPagate: This is similar to the SetWindowsLong technique, where a window callback handler is patched to execute malicious code. An example of a malicious campaign includes RIG EK.
Early Bird: A variation of the APC technique, but with added functionality to bypass detection from security solutions. An example of a malicious campaign using this technique includes APT33.
All these Remote Code Injection techniques are now covered by Deep Instinct’s Windows endpoint agent, where they can be detected or prevented by tuning the policy configuration.
To learn more about the anatomy of fileless attacks, and get an in-depth understanding of the challenges and solutions involved, download this free whitepaper: