Content
Various types of malware exhibit different behaviors on target devices. By understanding these behaviors, it becomes easier to identify a range of malicious files.
Downloader
- Primarily downloads and executes additional malware on the local system.
- Commonly uses URLDownloadToFileA to download files, followed by WinExec to execute them.
Launcher
- Contains the malware payload, installing it for immediate or covert future execution.
Backdoor
- Provides attackers with remote access to a victim’s machine over the internet, often on port 80 using HTTP.
- Common functions include registry manipulation, file searching, directory creation, and window enumeration.
Reverse Shell
- Grants shell access to attackers, enabling command execution on the infected machine as if locally accessed.
Windows Reverse Shell
- Basic: Creates a socket and connects it to the remote server, then fills a STARTUPINFO structure so that the standard input, output, and error handles of cmd.exe point at that socket, and launches cmd.exe with CreateProcess with its window suppressed for stealth.
- Multithreaded: Creates a socket, two pipes, and two threads; typically identified by calls to CreateThread and CreatePipe.
Remote Administration Tool
- Allows remote control of infected machines for tasks such as data theft or lateral movement within a network.
- Typically communicates over common ports like 80 and 443.
Botnet
- A network of compromised hosts, or “zombies,” controlled by a central server (botnet controller).
- Commonly used for spreading malware, sending spam, or conducting distributed denial-of-service (DDoS) attacks.
Credential Stealers
- Designed to steal user credentials, commonly through three techniques:
  - GINA Interception:
    - The Graphical Identification and Authentication (GINA) system was intended to allow legitimate third parties to customize the logon process, for example to add support for authentication with hardware radio-frequency identification (RFID) tokens or smart cards.
    - GINA is implemented in a DLL, msgina.dll, which is loaded by the Winlogon executable during the logon process.
    - Winlogon also supports third-party customizations implemented as DLLs by loading them between Winlogon and the GINA DLL; malware abuses this to insert itself between the two (like a man-in-the-middle attack).
    - Windows conveniently provides a registry location where Winlogon finds and loads such third-party DLLs: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL.
    - The malicious DLL must export all the functions required by GINA, most of which are prefixed with Wlx.
  - Hash Dumping:
    - Attackers dump Windows password hashes in order to crack them offline or to use them in pass-the-hash attacks.
    - Pwdump and the Pass-the-Hash (PSH) Toolkit are freely available packages that perform hash dumping.
    - Interesting imports resolved from samsrv.dll in pwdump variants are SamIConnect, SamQueryInformationUser, and SamIGetPrivateData.
  - Keystroke Logging:
    - User-space keyloggers are typically implemented with either hooking or polling.
    - Common API functions are SetWindowsHookEx, GetForegroundWindow, and GetAsyncKeyState.
    - Key names appearing as strings in the binary are another indicator of a keylogger.
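As an added example (not from these notes or the book), a small Python triage routine that applies the import-level indicators above to a PE's import table, export list and strings; the rule combinations, the DLL names and the sample import table are constructed assumptions, and reading a real import table (for instance with pefile) is left to the caller.

```python
"""Triage a PE's import table against the behaviour indicators listed above.
Constructed example: rules are heuristics for analyst triage, not detection signatures."""
from typing import Dict, Iterable, List, Set

# behaviour -> (DLL the APIs must be imported from, or None for any DLL; APIs that must all be present)
RULES = {
    "downloader":             (None, {"URLDownloadToFile", "WinExec"}),
    "reverse_shell_basic":    (None, {"CreateProcess", "socket", "connect"}),
    "reverse_shell_threaded": (None, {"CreateThread", "CreatePipe", "socket"}),
    "keylogger_hooking":      (None, {"SetWindowsHookEx"}),
    "keylogger_polling":      (None, {"GetAsyncKeyState", "GetForegroundWindow"}),
    "hash_dumping":           ("samsrv.dll", {"SamIConnect", "SamQueryInformationUser", "SamIGetPrivateData"}),
}
GINA_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  # registry path from the notes above
KEY_NAME_STRINGS = {"[ENTER]", "[BACKSPACE]", "[TAB]", "[SHIFT]"}   # constructed examples of logged key names


def _present(api: str, pool: Set[str]) -> bool:
    """Match case-insensitively and accept the ANSI/Unicode (A/W) suffixed variants."""
    a = api.lower()
    return a in pool or a + "a" in pool or a + "w" in pool


def triage(imports: Dict[str, Iterable[str]], exports: Iterable[str] = (),
           strings: Iterable[str] = ()) -> List[str]:
    """Return the behaviours whose indicators are all present, in RULES order."""
    by_dll = {dll.lower(): {f.lower() for f in funcs} for dll, funcs in imports.items()}
    any_dll: Set[str] = set().union(*by_dll.values())
    hits = [name for name, (dll, apis) in RULES.items()
            if all(_present(a, by_dll.get(dll, set()) if dll else any_dll) for a in apis)]
    # GINA interception: Wlx* exports plus a reference to the Winlogon registry key.
    if any(e.startswith("Wlx") for e in exports) and any(GINA_KEY.lower() in s.lower() for s in strings):
        hits.append("gina_interception")
    # Key-name strings corroborate a keylogger verdict reached via the API rules.
    if any(h.startswith("keylogger") for h in hits) and KEY_NAME_STRINGS & set(strings):
        hits.append("keylogger_strings")
    return hits


# Constructed import table of a hypothetical downloader that also polls the keyboard.
SAMPLE_IMPORTS = {
    "urlmon.dll":   ["URLDownloadToFileA"],
    "kernel32.dll": ["WinExec", "CreateThread", "CloseHandle"],
    "user32.dll":   ["GetAsyncKeyState", "GetForegroundWindow"],
}

if __name__ == "__main__":
    print(triage(SAMPLE_IMPORTS, strings=["[ENTER]", "[SHIFT]"]))
```

A hit means only that the indicator set is present; as the notes say, the same APIs appear in legitimate software, so each verdict still needs confirmation in the disassembly.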
For a deeper dive, refer to Chapter 11 of the book “Practical Malware Analysis.”