T1620 Reflective Code Loading
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).82713
Reflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.7164
Item | Value |
---|---|
ID | T1620 |
Sub-techniques | |
Tactics | TA0005 |
Platforms | Linux, Windows, macOS |
Version | 1.0 |
Created | 05 October 2021 |
Last Modified | 21 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1063 | Brute Ratel C4 | Brute Ratel C4 has used reflective loading to execute malicious DLLs.12 |
S0154 | Cobalt Strike | Cobalt Strike‘s execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.20 |
S0625 | Cuba | Cuba loaded the payload into memory using PowerShell.17 |
S0695 | Donut | Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.9 |
S0661 | FoggyWeb | FoggyWeb‘s loader has reflectively loaded .NET-based assembly/payloads into memory.14 |
S0666 | Gelsemium | Gelsemium can use custom shellcode to map embedded DLLs into memory.18 |
S1022 | IceApple | IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers.13 |
G0032 | Lazarus Group | Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.2223 |
S0447 | Lokibot | Lokibot has reflectively loaded the decoded DLL into memory.15 |
S1059 | metaMain | metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.19 |
S0194 | PowerSploit | PowerSploit reflectively loads a Windows PE file into a process.1011 |
S0595 | ThiefQuest | ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.21 |
S0689 | WhisperGate | WhisperGate‘s downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.16 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0011 | Module | Module Load |
DS0009 | Process | OS API Execution |
DS0012 | Script | Script Execution |
References
-
0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. ↩↩
-
Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021. ↩
-
Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021. ↩
-
Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. ↩
-
MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. ↩
-
Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021. ↩
-
Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021. ↩↩
-
The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. ↩
-
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. ↩
-
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. ↩
-
Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023. ↩
-
CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. ↩
-
Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. ↩
-
Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. ↩
-
Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023. ↩
-
Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. ↩
-
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. ↩
-
Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. ↩
-
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. ↩
-
Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. ↩
-
Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. ↩
-
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. ↩