Researchers from Israel’s Cyberbit Network Security said that the LockPoS malware has been using a new code injection technique to attack target systems.
LockPoS surfaced in July 2017. Security researchers found that it stole credit card data from the memory of computers connected to PoS credit card scanners and then sent it to a C&C server.
Previous analyses revealed that this malware uses a dropper that injects directly into the explorer.exe process. When executed, the dropper extracts its own resource file and injects the various components that load the final payload.
Now the malware is using a code injection variant that seems to have been used earlier by the Flokibot PoS malware. LockPoS has been distributed through the Flokibot botnet, and there are similarities between the two malware families, Flokibot PoS and LockPoS.
Cyberbit said one of the injection techniques LockPoS uses creates a section object in the kernel, calls a function that maps a view of that memory area into another process, then copies the code into that memory area and creates a remote thread to execute the mapped code.
LockPoS was found to use three main functions (NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx) to inject code into the remote process, all of which are exported from ntdll.dll.
The malware does not call these functions directly. Instead, it maps a copy of ntdll.dll from disk into its own virtual address space, which gives it a “clean” copy. LockPoS then copies its malicious code into the mapped memory area and creates a remote thread in explorer.exe to execute it.
With this injection method, LockPoS can bypass the hooks that antivirus software installs on ntdll.dll, increasing the success rate of attacks.
Cyberbit malware analyst Hod Gavriel said the new injection technique reflects a new trend: attackers can change their patterns to make detection more difficult. While most endpoint detection and response (EDR) and next-generation antivirus products already monitor Windows functions in user mode, they fail to monitor the kernel functions in Windows 10. To ensure that antivirus software successfully detects such threats, it is necessary to improve memory analysis capabilities.
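The memory-analysis point above can be illustrated with a small detection sketch. This is an added example, not code from Cyberbit or the original article: it scans a constructed memory-region and thread snapshot for the two artifacts the technique leaves behind. The record layout, field names, PIDs and addresses are all assumptions made for illustration.

```python
from collections import defaultdict

NTDLL64 = r"C:\Windows\System32\ntdll.dll"
NTDLL32 = r"C:\Windows\SysWOW64\ntdll.dll"

def region(pid, base, size, typ, prot, file=None):
    """One virtual-memory region record (hypothetical telemetry layout)."""
    return {"pid": pid, "base": base, "size": size, "type": typ, "prot": prot, "file": file}

# Constructed snapshot: 4120 = explorer.exe, 6348 = suspect, 7001 = benign WoW64 app.
REGIONS = [
    region(4120, 0x7FFA10000000, 0x1F0000, "IMAGE", "RX", NTDLL64),
    region(4120, 0x2A0000, 0x6000, "MAPPED", "RWX"),            # section view, no backing file
    region(6348, 0x7FFA10000000, 0x1F0000, "IMAGE", "RX", NTDLL64),
    region(6348, 0x1D0000, 0x1F0000, "MAPPED", "R", NTDLL64),   # second view of the same file
    region(7001, 0x7FFA10000000, 0x1F0000, "IMAGE", "RX", NTDLL64),
    region(7001, 0x77000000, 0x1A0000, "IMAGE", "RX", NTDLL32), # normal for a WoW64 process
]
THREADS = [
    {"pid": 4120, "tid": 9001, "start": 0x2A1000, "creator_pid": 6348},
    {"pid": 4120, "tid": 812, "start": 0x7FFA10050000, "creator_pid": 4120},
]

def extra_ntdll_views(regions):
    """PIDs that hold more than one view of the same ntdll.dll file on disk."""
    views = defaultdict(int)
    for r in regions:
        if r["file"] and r["file"].lower().endswith("\\ntdll.dll"):
            views[(r["pid"], r["file"].lower())] += 1   # key on full path: WoW64 has two ntdlls
    return {pid for (pid, _), n in views.items() if n > 1}

def section_backed_remote_threads(regions, threads):
    """Remote threads that start inside an executable MAPPED view with no backing file."""
    hits = []
    for t in threads:
        if t["creator_pid"] == t["pid"]:
            continue                                    # thread created by the process itself
        for r in regions:
            inside = r["base"] <= t["start"] < r["base"] + r["size"]
            if (inside and r["pid"] == t["pid"] and r["type"] == "MAPPED"
                    and r["file"] is None and "X" in r["prot"]):
                hits.append((t["creator_pid"], t["pid"], t["tid"], r["base"]))
    return hits

def correlate(regions, threads):
    """Higher-confidence hits: the thread's creator also holds a second ntdll.dll view."""
    dup = extra_ntdll_views(regions)
    return [h for h in section_backed_remote_threads(regions, threads) if h[0] in dup]
```

Either signal alone can have benign causes, so the sketch only raises confidence when the same process shows both.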
Reference: Cyberbit