Hackers are evading traditional detection applications with a new approach called Application program interface hooking. LUKE JENNINGS, Chief Research Officer for Countercept at MWR InfoSecurity, takes a look at what API hooking is and how it can be thwarted.
Traditional malware detection and forensic investigation techniques typically focus on detecting malicious native executables on disk, and performing disk forensics to uncover evidence of historical actions on a system. In response, many threat actors have shifted their offensive techniques to avoid writing to disk, staying resident only in memory. Consequently, the ability to effectively analyse live memory for evidence of compromise and to gather additional forensic evidence has become increasingly important.
Application program interface (API) hooking is one of the memory-resident techniques cyber criminals are increasingly using. The process involves intercepting function calls in order to monitor and/or change the information passing back and forth between them. There are many reasons, both legitimate and malicious, why using this might be desirable. In the case of malware, the API hooking process is commonly considered to be ‘rootkit’ functionality and is mostly used to hide evidence of its presence on the system from other processes, and to spy on sensitive data.
How are the cyber criminals using API hooking?
There are two common use cases for the malicious use of API hooking. Firstly, it can be used to spy on sensitive information and so they use it to intercept sensitive data, such as communications with the keyboard to log keystrokes including passwords that are typed by a user, or sensitive network communications before they are transmitted. This includes the ability to intercept data encrypted using protocols such as Transport Layer Security (TLS) prior to the point at which they are protected, in order to capture passwords and other sensitive data before it is transmitted.
Secondly, they modify the results returned from certain API calls in order to hide the presence of their malware. This commonly may involve file-system or registry related API calls to remove entries used by the malware, to hide its presence from other processes. Not only can cyber criminals implement API hooking in a number of ways, the technique can also be deployed across a wide range of processes on a targeted system.
Tackling malicious API hooking
One way cyber security teams can detect the hidden traces of API hooking and other similar techniques is through memory analysis frameworks such as Volatility. Volatility is an open-source framework and the de facto standard toolset for performing memory analysis techniques against raw system memory images, useful in forensic investigations and malware analysis. The Volatility framework is very valuable when performing an in-depth investigation of systems on which day-to-day compromises have been detected.
While memory analysis can be an incredibly powerful and useful technique, it does not come without its challenges. One hurdle to consider when deploying memory analysis is the labour intensity it requires. Memory analysis is a highly skilled and time-intensive technique typically performed on one image at a time. This can be very effective when performing a dedicated investigation of a serious compromise, where the systems involved are known and relatively small in number. However, the challenge arises when trying to use memory analysis at scale to detect compromises on a large enterprise network in the absence of any other evidence.
Another obstacle to be aware of when implementing memory analysis is legitimate ‘bad’ behaviour. There are plenty of examples of hooking techniques being used by malware for malicious purposes. Nevertheless, there are also many cases of these techniques being used for legitimate, above-board purposes. In particular, technologies such as data loss prevention and antivirus often target the same functions for hooking as malware does. Without the techniques and experience to quickly separate legitimate injection and hooking from malicious behaviour, a great deal of time can be wasted.
Successful attack detection and response
As a first step in dealing with techniques like this, organisations need the capability in place to easily retrieve system memory images from suspect machines to allow rapid response and aid forensic investigation. However, this can generally only be used in a reactive manner.
To perform effective attack detection and response at scale specifically with regard to these techniques, an ability to conduct memory analysis proactively at scale across an enterprise network is required, which is where toolsets continuously conducting live memory analysis and reporting on suspicious findings are required. This will enable the proactive discovery of unknown memory-resident malware without any prior knowledge or signatures.
Good Endpoint Detection and Response (EDR) software that offers live memory analysis capabilities at scale are required to proactively detect the direct use of techniques such as live memory analysis. Additionally, when gathering results at scale, approaches such as anomaly detection can help greatly by drawing a dividing line between API hooking that is common across the network, probably due to security software in use, and anomalous API hooking that seems present only in a few isolated cases. Traditional memory forensics using a tool such as Volatility can then be used in order to investigate, in detail, systems exhibiting suspicious behaviour.
Many malware families have moved to using techniques such as API hooking in a stealthy attempt to avoid traditional security solutions and achieve certain end goals, such as spying on passwords. The 2015 Verizon Data Breach Report found that “malware is part of the event chain in virtually every security incident”. It also reported that “70-90% of malware samples are unique to an organisation” and that “organisations would need access to all threat intelligence indicators in order for the information to be helpful.” Given these findings, it is obvious that having an effective technique for discovering previously unseen malware on your network is extremely important.
Overall, memory analysis can be used to uncover some, not all, of the stealth techniques used by modern malware families. However, it is an important capability to have in order to detect compromises using modern memory-resident malware.
AppDate: DStv taps Xbox, Hisense for app
DStv Now app expands, FNB gets Snapchat lens, Spotify offers data saver mode, in SEAN BACHER’s apps roundup
DStv Now for Xbox and Hisense
Usage of DStv Now, the online DStv service available free to DStv customers, is increasing rapidly with more than two million plays of live and Catch Up content per week. In addition to using DStv Now to watch TV on tablets and smartphones, an increasing number of DStv customers are also opting to use it as their primary method of getting DStv on additional TVs in the house. This is set to increase with the release of two new big-screen TV apps, one for Xbox gaming consoles (Xbox One, Xbox One S, Xbox One X) and another for Hisense smart TVs (2018 and newer models).
Expect to pay: A free download.
Platform: Any of the Xbox One range of gaming consoles and 2018 or later Hisense smart TVs.
Stockists: Visit the store linked to your Xbox console or HiSense smart TV.
Santam Safety Ideas
Start-up businesses that have a FinTech or InsurTech business venture brewing are called to enter the third annual Santam Safety Ideas competition. Safety solutions or InsurTech ventures that are ready for piloting could win up to R150 000 worth of incubation support and R200 000 in seed funding.
The Safety Ideas competition was launched two years ago in partnership with LaunchLab, Stellenbosch University’s startup incubator that facilitates valuable connections for corporates and startups sourced from the startup ecosystem and partner universities in South Africa. The previous winners are Herman Bester and Anton Swanevelder, co-founders of MyLifeLine – a wearable panic device that won the competition last year; and Ntsako Mgiba and Ntandoyenkosi Shezi, co-founders of Jonga – a cost-effective security system for low income families, which won the competition in 2017.
Entries close on 28 February 2019. For more information on how to enter, visit: www.santam.co.za/safetyideas/
Click here to read about the FNB Snapchat lens, Spotify Free with data saver, and 00:37.
Fortnite fixes hackers’ hole
Epic Games has repaired a vulnerability that exposed Fortnite, the world’s most popular game of the moment, to hackers. The hole, which was left in Epic’s web infrastructure, allowed hackers to target players with email that appeared to come from Epic Games, but would have led them to a phishing site, where their log-in details would have been stolen.
Researchers at cyber security solutions provider Check Point Software alerted Epic to vulnerabilities that could have affected any player of the hugely popular online battle game.
Fortnite has nearly 80 million players worldwide. The game is popular on all gaming platforms, including Android, iOS, PC via Microsoft Windows and consoles such as Xbox One and PlayStation 4. In addition to casual players, Fortnite is used by professional gamers who stream their sessions online, and is popular with e-sports enthusiasts.
If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details. The vulnerability would also have allowed for a massive invasion of privacy, as an attacker could listen to in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play.
While Fortnite players had previously been targeted by scams that deceived them into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, these new vulnerabilities could have been exploited without the player handing over any login details
Click here to read how the Fortnite hack worked
To win a set of three Fortnite Funko Pop Figurines, click here.