T1027.007 Dynamic API Resolution
Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.14
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).231
| Item | Value |
|---|---|
| ID | T1027.007 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 1.0 |
| Created | 22 August 2022 |
| Last Modified | 23 August 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1053 | AvosLocker | AvosLocker has used obfuscated API calls that are retrieved by their checksums.9 |
| S0534 | Bazar | Bazar can hash then resolve API calls at runtime.78 |
| S1063 | Brute Ratel C4 | Brute Ratel C4 can call and dynamically resolve hashed APIs.5 |
| G0032 | Lazarus Group | Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.10 |
| S0147 | Pteranodon | Pteranodon can use a dynamic Windows hashing algorithm to map API components.6 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0022 | File | File Metadata |
| DS0011 | Module | Module Load |
| DS0009 | Process | OS API Execution |
References
-
Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022. ↩↩
-
Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022. ↩
-
drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022. ↩
-
spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022. ↩
-
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. ↩
-
Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. ↩
-
Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. ↩
-
Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. ↩
-
Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. ↩
-
Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. ↩
-
Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022. ↩