Common Malware Injection Techniques Explained


Summary

Common malware injection techniques are methods cybercriminals use to insert harmful code into legitimate processes, allowing malware to run undetected on a victim's system. Understanding these techniques can help organizations spot suspicious activity and strengthen their defenses against cyber threats.

  • Monitor process behavior: Watch for unusual changes in memory or unexpected activity from system processes, which could indicate code injection or process hollowing.
  • Restrict access to tools: Limit the use of debugging and scripting applications like WinDbg Preview and PowerShell, as attackers often exploit them for injecting malicious code.
  • Update security policies: Regularly adjust blocklists and detection rules to cover new injection methods and suspicious domains, reducing the risk of advanced malware infections.
Summarized by AI based on LinkedIn member posts
  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Cybersecurity Leader | Information Security | GRC | Security Operations | Mentor | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    30,504 followers

    REVERSE ENGINEERING: LUMMA STEALER INFECTION

    ℹ️ Researchers analyzed a recent Lumma information stealer infection observed between February and March 2025. Lumma is a C++‑based infostealer sold as Malware‑as‑a‑Service (MaaS), widely used by cybercriminals to harvest credentials, browser data, and cryptocurrency wallet information. This particular sample featured a .NET/C# loader, sophisticated packing and obfuscation, and multiple staged payloads, showcasing how the threat continues to evolve.

    📍 BACKGROUND
    ■ Information stealers like Lumma are key enablers in the modern cybercrime ecosystem, often supporting Initial Access Brokers (IABs) who sell access to compromised systems for use in ransomware or other intrusions.
    ■ Lumma has gained notoriety for its persistence, wide user base, and active distribution through Telegram channels, leveraging packing techniques to remain fully undetectable (FUD) and evade antivirus solutions.

    📍 INFECTION CHAIN
    ■ The analyzed sample followed a multi‑stage infection chain:
    👾 Stage 1 (.NET Loader): Checks file headers, unpacks an embedded section, and executes code in memory using CallWindowProcA.
    🦠 Stage 2 (Shellcode & Loader Logic): Performs remote process injection into a suspended process, mapping the unpacked payload and resolving critical APIs like LoadLibraryA and GetProcAddress.
    ☣️ Stage 3 (Lumma Payload): The fully unpacked stealer initializes network communication via WinHTTP, decrypts C2 domains with ChaCha20, and begins data exfiltration.

    📍 EVASION AND TECHNIQUES
    ■ Lumma employs packing, control‑flow flattening, Heaven's Gate (switching between 32‑bit and 64‑bit execution), and dynamic API resolution to avoid detection and complicate reverse engineering.
    ■ It also performs environment checks, such as verifying file integrity and detecting Russian locale systems, before executing its full payload.

    📍 C2 COMMUNICATION AND CAPABILITIES
    ■ The malware communicates with its C2 servers via HTTPS, sending initial POST requests with "act=life" and later exfiltrating stolen data.
    ■ Its capabilities include browser credential theft, Telegram account hijacking, crypto wallet manipulation, keylogging, and potential remote code execution.

    📍 HUNTING AND MITIGATION
    ■ Researchers provided Sigma and YARA rules to aid detection, including hunting for unusual connections to TLDs like .top, .xyz, and steamcommunity[.]com, as well as initial POST traffic patterns.
    ■ For organizations, credential resets, 2FA adoption, phishing awareness, and restricting LOLBins like powershell[.]exe can reduce exposure to similar infostealer threats.

    Reference: 🔗 https://lnkd.in/drXjnNua

    #reverseengineering #malwareanalysis #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

  • Mo'men Mahmoud

    Threat Detection & Response | Black Hat Trainer

    4,926 followers

    During recent memory forensics research I've been doing on evading memory scanners, I was researching how to bypass Volatility's Malfind plugin, and I developed a reflective PE loader for that.

    Malfind searches for memory regions where the VAD (Virtual Address Descriptor) shows both WRITE and EXECUTE permissions, since legitimate applications rarely allocate PAGE_EXECUTE_READWRITE memory. This makes W+X a strong indicator of shellcode injection.

    But since VADs store the initial allocation protection set by VirtualAlloc, when VirtualProtect changes page permissions, only the underlying page table entry (PTE) permissions are modified, while the VAD's AllocationProtect field remains as originally set.

    To demonstrate this, I wrote a reflective loader that:
    1. Allocates memory with PAGE_READWRITE (VAD records: RW)
    2. Writes the PE image, resolves imports, applies relocations
    3. Calls VirtualProtect to set PAGE_EXECUTE_READ on the .text section

    The VAD still shows PAGE_READWRITE (no execute), so Malfind doesn't flag it. The code executes normally because the CPU uses the actual page permissions from the PTEs, not the VAD.

    This shows that in an investigation, relying on a single tool can lead to missed evidence and wrong conclusions.

    To detect this technique, dump private VAD regions (e.g., using Volatility's vadinfo plugin with --dump) and scan for PE headers (MZ/0x4D5A), which reveals injected code that Malfind misses. However, this approach requires filtering out legitimate PEs (e.g., Windows system DLLs), and this might take some time.

    In a follow-up post, I'll share a detection method I developed that reliably identifies reflectively loaded PEs regardless of VAD permissions.

    GitHub: https://lnkd.in/dUFiGp8z

    #DFIR #IncidentResponse #MalwareAnalysis #CyberSecurity #MemoryForensics #Volatility
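The detection step the post describes (dump private VAD regions, then look for PE headers rather than trusting VAD protections) as an added Python example; this is not the poster's loader or GitHub code. It runs over a constructed byte region standing in for one dumped VAD, and validates each `MZ` hit by checking for the `PE\0\0` signature at `e_lfanew` so stray "MZ" bytes in ordinary data are not reported.

```python
"""Scan a dumped memory region for validated PE headers (MZ/0x4D5A)."""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000  # Characteristics flag: image is a DLL


def find_pe_headers(region: bytes):
    """Return (offset, machine, num_sections, is_dll) for each real PE header.

    A bare 'MZ' is not enough: e_lfanew (DOS header offset 0x3C) must point
    inside the region at a 'PE\0\0' signature followed by a full COFF header.
    """
    hits = []
    pos = region.find(DOS_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(region):  # need the whole 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # signature (4 bytes) + COFF file header (20 bytes) must fit
            if e_lfanew >= 0x40 and nt + 24 <= len(region) \
                    and region[nt:nt + 4] == PE_SIGNATURE:
                machine, num_sections = struct.unpack_from("<HH", region, nt + 4)
                characteristics = struct.unpack_from("<H", region, nt + 22)[0]
                hits.append((pos, machine, num_sections,
                             bool(characteristics & IMAGE_FILE_DLL)))
        pos = region.find(DOS_MAGIC, pos + 1)
    return hits


def build_fake_pe(machine=0x8664, num_sections=2, dll=True) -> bytes:
    """Constructed minimal image: DOS header, stub, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> NT headers at 0x80
    stub = bytes(0x80 - 0x40)
    coff = struct.pack("<HHIIIHH", machine, num_sections, 0, 0, 0, 0xF0,
                       IMAGE_FILE_DLL if dll else 0)
    return bytes(dos) + stub + PE_SIGNATURE + coff


# Constructed stand-in for a vadinfo --dump output: zero padding, a decoy
# "MZ" inside plain text, then a real (minimal) image at offset 303.
SAMPLE_REGION = (b"\x00" * 0x100 + b"MZ is just text" + b"\x00" * 0x20
                 + build_fake_pe())

if __name__ == "__main__":
    for off, machine, nsec, is_dll in find_pe_headers(SAMPLE_REGION):
        print(f"PE at 0x{off:x}: machine=0x{machine:x} sections={nsec} dll={is_dll}")
```

On real dumps the offsets found still need the allow-listing of legitimate modules the post mentions; this only answers "is there a PE image here at all".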

  • Lewis Combs

    CISSP, C|CISO, CISA, CISM, CCSP, CSSBB, CDPSE, PMP, ITIL: Cybersecurity Executive | Incident Response & Threat Intelligence Leader | NIST, Zero Trust & Cloud Security Expert

    16,052 followers

    Hackers have found a way to bypass Windows Defender Application Control (WDAC) policies using a legitimate Microsoft debugging tool, WinDbg Preview, available via the Microsoft Store. This technique allows attackers to inject arbitrary shellcode into a target process, evading detection as it does not rely on traditional executables or DLLs.

    Key Points:
    - WinDbg Preview from the Microsoft Store is exploited to inject malicious code.
    - Attackers leverage WinDbg scripting for remote code execution without typical detection methods.
    - Windows API functions like OpenProcess and WriteProcessMemory are manipulated for the exploit.

    Mitigation Steps:
    1. Update WDAC blocklists to explicitly include WinDbg Preview (WinDbgX.exe).
    2. Disable the Microsoft Store on unnecessary endpoints to limit access.
    3. Monitor the usage of debugging tools, especially for processes involving injection techniques, to enhance security measures.

  • Process hollowing involves creating a process in a suspended state, unmapping its memory (e.g., via ZwUnmapViewOfSection), and replacing it with malicious code. APIs like CreateProcess start the process, while VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread inject and execute the malicious payload.

    Malware Leveraging Process Hollowing:
    • Agent Tesla (S0331): Uses process hollowing to manipulate memory sections and inject malicious code.
    • Astaroth (S0373): Creates a suspended process of a legitimate target, unmaps its memory, and replaces it with malicious code.
    • Azorult (S0344): Decrypts its payload, injects it into a new suspended process, and resumes execution.
    • BADNEWS (S0128): Downloads executables and injects them into new processes using process hollowing.
    • Bandook (S0234): Launches iexplore.exe and replaces its memory with Bandook's payload.
    • Bazar (S0534): Injects malicious code into processes like svchost, explorer.exe, and cmd.exe.
    • BBSRAT (S0127): Injects itself into msiexec.exe via process hollowing to evade detection.
    • Clambling (S0660): Executes binaries using process hollowing techniques.
    • Cobalt Strike (S0154): Employs process hollowing for malicious code execution.
    • DarkGate (S1111): Decrypts and injects payloads into processes like vbc.exe to evade detection.

    #Malware #Cybersecurity #ProcessHollowing #AgentTesla #Astaroth #Azorult #BADNEWS #Bandook #Bazar #BBSRAT #Clambling #CobaltStrike #DarkGate #ThreatDetection #MalwareAnalysis
