Common Malware Injection Techniques Explained


Summary

Common malware injection techniques are methods cybercriminals use to stealthily place malicious code inside legitimate programs, allowing them to run harmful actions while avoiding detection. Understanding these techniques is crucial for protecting computers from threats that hide their activities within trusted software.

  • Watch memory changes: Pay close attention to unusual modifications in memory permissions or regions, as attackers often use tricks to bypass security tools and inject harmful code.
  • Monitor process behavior: Keep an eye out for legitimate programs suddenly acting suspiciously, such as launching unexpected network connections or executing unknown instructions.
  • Combine multiple detection methods: Use a mix of memory scanning, process monitoring, and API activity analysis instead of relying on just one tool, since attackers frequently use advanced techniques to evade single defenses.
Summarized by AI based on LinkedIn member posts
  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO

    Cybersecurity Leader | Information Security | GRC | Security Operations | Mentor | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    30,978 followers

    REVERSE ENGINEERING: LUMMA STEALER INFECTION

    ℹ️ Researchers analyzed a recent Lumma information stealer infection observed between February and March 2025. Lumma is a C++‑based infostealer sold as Malware‑as‑a‑Service (MaaS), widely used by cybercriminals to harvest credentials, browser data, and cryptocurrency wallet information. This particular sample featured a .NET/C# loader, sophisticated packing and obfuscation, and multiple staged payloads, showcasing how the threat continues to evolve.

    📍 BACKGROUND
    ■ Information stealers like Lumma are key enablers in the modern cybercrime ecosystem, often supporting Initial Access Brokers (IABs) who sell access to compromised systems for use in ransomware or other intrusions.
    ■ Lumma has gained notoriety for its persistence, wide user base, and active distribution through Telegram channels, leveraging packing techniques to remain fully undetectable (FUD) and evade antivirus solutions.

    📍 INFECTION CHAIN
    ■ The analyzed sample followed a multi‑stage infection chain:
    👾 Stage 1 (.NET Loader): Checks file headers, unpacks an embedded section, and executes code in memory using CallWindowProcA.
    🦠 Stage 2 (Shellcode & Loader Logic): Performs remote process injection into a suspended process, mapping the unpacked payload and resolving critical APIs like LoadLibraryA and GetProcAddress.
    ☣️ Stage 3 (Lumma Payload): The fully unpacked stealer initializes network communication via WinHTTP, decrypts C2 domains with ChaCha20, and begins data exfiltration.

    📍 EVASION AND TECHNIQUES
    ■ Lumma employs packing, control‑flow flattening, Heaven’s Gate (switching between 32‑bit and 64‑bit execution), and dynamic API resolution to avoid detection and complicate reverse engineering.
    ■ It also performs environment checks, such as verifying file integrity and detecting Russian locale systems, before executing its full payload.

    📍 C2 COMMUNICATION AND CAPABILITIES
    ■ The malware communicates with its C2 servers via HTTPS, sending initial POST requests with “act=life” and later exfiltrating stolen data.
    ■ Its capabilities include browser credential theft, Telegram account hijacking, crypto wallet manipulation, keylogging, and potential remote code execution.

    📍 HUNTING AND MITIGATION
    ■ Researchers provided Sigma and YARA rules to aid detection, including hunting for unusual connections to TLDs like .top, .xyz, and steamcommunity[.]com, as well as initial POST traffic patterns.
    ■ For organizations, credential resets, 2FA adoption, phishing awareness, and restricting LOLBins like powershell[.]exe can reduce exposure to similar infostealer threats.

    Reference: 🔗 https://lnkd.in/drXjnNua

    #reverseengineering #malwareanalysis #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense #cyberdefense

  • Mo'men Mahmoud

    Threat Detection & Response | Black Hat Trainer

    5,008 followers

    During recent memory forensics research I've been doing on evading memory scanners, I was researching how to bypass Volatility's Malfind plugin, and I developed a reflective PE loader for that.

    Malfind searches for memory regions where the VAD (Virtual Address Descriptor) shows both WRITE and EXECUTE permissions, since legitimate applications rarely allocate PAGE_EXECUTE_READWRITE memory. This makes W+X a strong indicator of shellcode injection. But since VADs store the initial allocation protection set by VirtualAlloc, when VirtualProtect changes page permissions, only the underlying page table entry (PTE) permissions are modified, while the VAD's AllocationProtect field remains as originally set.

    To demonstrate this, I wrote a reflective loader that:
    1. Allocates memory with PAGE_READWRITE (VAD records: RW)
    2. Writes the PE image, resolves imports, applies relocations
    3. Calls VirtualProtect to set PAGE_EXECUTE_READ on the .text section

    The VAD still shows PAGE_READWRITE (no execute), so Malfind doesn't flag it. The code executes normally because the CPU uses the actual page permissions from the PTEs, not the VAD. This shows that in an investigation, relying on a single tool can lead to missed evidence and wrong conclusions.

    To detect this technique, dump private VAD regions (e.g., using Volatility's vadinfo plugin with --dump) and scan for PE headers (MZ/0x4D5A), which reveals injected code that Malfind misses. However, this approach requires filtering out legitimate PEs (e.g., Windows system DLLs), and this might take some time. In a follow-up post, I'll share a detection method I developed that reliably identifies reflectively loaded PEs regardless of VAD permissions.

    GitHub: https://lnkd.in/dUFiGp8z

    #DFIR #IncidentResponse #MalwareAnalysis #CyberSecurity #MemoryForensics #Volatility

  • Chaitanyaa Bobhate

    Security Researcher | SDR - Threat Hunter | Digital Forensics | Bug Bounty Hunter

    6,919 followers

    🔍 Day 33/100 — Daily Intel
    🚨 New Indirect-Shellcode-Executor Tool Bypasses AV/EDR Using Windows API Quirk

    A new Rust-based offensive tool, Indirect-Shellcode-Executor, demonstrates a novel EDR bypass technique by abusing a little-known behavior in the Windows API.

    🧩 How the bypass works:
    The tool exploits the ReadProcessMemory function — normally used only for reading — by manipulating the lpNumberOfBytesRead pointer to write bytes into process memory.
    🔸 This creates a write primitive using a read API
    🔸 Completely sidesteps hooked functions like WriteProcessMemory, memcpy, etc.
    🔸 Avoids classic code-injection detection heuristics

    ⚙️ Key Capabilities (Rust PoC):
    🌐 Remote payload execution (C2-hosted shellcode, incl. hiding in PNG/asset files)
    💻 Terminal injection (pass raw shellcode via CLI)
    📁 File-based injection (payload stored in documents or temp files)

    📌 Why this matters:
    This technique lives below the radar of current EDR visibility. Most vendors hook write-oriented APIs — few monitor unexpected R/W mismatches in ReadProcessMemory. This expands the “living off the Windows API” attack surface for red teams and real adversaries.

    🛡️ Defensive Takeaways:
    º Monitor suspicious ReadProcessMemory calls targeting RWX or executable regions
    º Flag abnormal lpNumberOfBytesRead pointer usage
    º Combine API telemetry with memory behavior analytics rather than relying solely on API hooking

    https://lnkd.in/dnMftwqM

    #WindowsSecurity #EDRBypass #AVBypass #Shellcode #Rust #RedTeam #ThreatIntel #Malware #DFIR #DetectionEngineering #CyberSecurity #ExploitResearch #Day33of100 #100DaysOfIntel
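The post's second defensive takeaway, flagging abnormal lpNumberOfBytesRead usage, as an added example that is not from the post or the tool it describes: the kernel stores a SIZE_T at that pointer, so a legitimate caller points it at its own stack or heap, and a value that lands in executable, read-only or uncommitted memory is the anomaly. The telemetry schema, the region layout and the process IDs are constructed for the example.

```python
from dataclasses import dataclass

# Memory protection constants (real values from winnt.h)
PAGE_READWRITE, PAGE_EXECUTE_READ = 0x04, 0x20
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}    # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
WRITABLE = {0x04, 0x08, 0x40, 0x80}      # PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, _WRITECOPY
SIZE_T_LEN = 8                           # the kernel stores a SIZE_T (8 bytes on x64) at lpNumberOfBytesRead

@dataclass
class Region:
    base: int
    size: int
    protect: int
    def covers(self, addr: int, length: int) -> bool:
        return self.base <= addr and addr + length <= self.base + self.size

@dataclass
class RpmCall:
    """One ReadProcessMemory call from constructed telemetry (hypothetical schema)."""
    caller_pid: int
    bytes_read_ptr: int      # lpNumberOfBytesRead exactly as the caller passed it
    caller_map: list         # the caller's committed regions at call time

def classify(call: RpmCall) -> str:
    """The out-pointer should land fully inside ordinary writable, non-executable caller memory (stack/heap).
    Anything else means the byte-count write-back is doing something other than bookkeeping."""
    if call.bytes_read_ptr == 0:
        return "ok"          # NULL is permitted; the kernel writes nothing back
    for r in call.caller_map:
        if r.covers(call.bytes_read_ptr, SIZE_T_LEN):
            if r.protect in EXECUTABLE:
                return "suspicious: out-pointer lands in executable memory"
            if r.protect not in WRITABLE:
                return "suspicious: out-pointer lands in read-only memory"
            return "ok"
    return "suspicious: out-pointer not fully inside any committed region"

def sample_calls() -> list:
    # Constructed: one caller with a stack, a heap and an RX code page
    stack = Region(0x7FF0000, 0x10000, PAGE_READWRITE)
    heap = Region(0x100000000, 0x100000, PAGE_READWRITE)
    code = Region(0x140001000, 0x8000, PAGE_EXECUTE_READ)
    m = [stack, heap, code]
    return [
        RpmCall(4242, stack.base + 0x200, m),         # normal: a local variable on the stack
        RpmCall(4242, 0, m),                          # normal: NULL out-pointer
        RpmCall(4242, code.base + 0x1F0, m),          # byte count would be written into a code page
        RpmCall(4242, heap.base + heap.size - 4, m),  # 8-byte write would run past the end of the heap region
    ]
```

The same check can be applied to any other API whose output parameter is a caller-supplied pointer; the region map would come from the sensor's view of the caller at call time.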

  • Process hollowing involves creating a process in a suspended state, unmapping its memory (e.g., via ZwUnmapViewOfSection), and replacing it with malicious code. APIs like CreateProcess start the process, while VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread inject and execute the malicious payload.

    Malware Leveraging Process Hollowing:
    • Agent Tesla (S0331): Uses process hollowing to manipulate memory sections and inject malicious code.
    • Astaroth (S0373): Creates a suspended process of a legitimate target, unmaps its memory, and replaces it with malicious code.
    • Azorult (S0344): Decrypts its payload, injects it into a new suspended process, and resumes execution.
    • BADNEWS (S0128): Downloads executables and injects them into new processes using process hollowing.
    • Bandook (S0234): Launches iexplore.exe and replaces its memory with Bandook’s payload.
    • Bazar (S0534): Injects malicious code into processes like svchost, explorer.exe, and cmd.exe.
    • BBSRAT (S0127): Injects itself into msiexec.exe via process hollowing to evade detection.
    • Clambling (S0660): Executes binaries using process hollowing techniques.
    • Cobalt Strike (S0154): Employs process hollowing for malicious code execution.
    • DarkGate (S1111): Decrypts and injects payloads into processes like vbc.exe to evade detection.

    #Malware #Cybersecurity #ProcessHollowing #AgentTesla #Astaroth #Azorult #BADNEWS #Bandook #Bazar #BBSRAT #Clambling #CobaltStrike #DarkGate #ThreatDetection #MalwareAnalysis
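The API sequence the post describes, turned into a detection, as an added example that is not part of the post: a correlator over constructed API telemetry that reports a (caller, target) pair when a CREATE_SUSPENDED start is followed by an unmap, a write and a SetThreadContext before ResumeThread, while a debugger-style suspended start that is simply resumed is not reported. The event schema and the process IDs are hypothetical.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004            # real dwCreationFlags bit
# APIs that must be seen against the suspended child before it is resumed. VirtualAllocEx is not required
# because the replacement image may also arrive through a mapped section.
REQUIRED = {"ZwUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext"}

@dataclass
class ApiEvent:
    """One API call from constructed telemetry (hypothetical schema)."""
    ts: float
    caller_pid: int
    api: str
    target_pid: int
    flags: int = 0

def find_hollowing(events: list, window: float = 30.0) -> list:
    """Return a finding per (caller, target) pair where a CREATE_SUSPENDED start is followed, within `window`
    seconds, by every REQUIRED API and then ResumeThread. A debugger that only suspends and resumes is not flagged."""
    progress, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.caller_pid, ev.target_pid)
        if ev.api == "CreateProcess":
            if ev.flags & CREATE_SUSPENDED:
                progress[key] = {"start": ev.ts, "seen": set()}
            continue
        st = progress.get(key)
        if st is None or ev.ts - st["start"] > window:
            continue
        if ev.api != "ResumeThread":
            st["seen"].add(ev.api)
            continue
        if REQUIRED <= st["seen"]:                 # every required stage observed before the resume
            findings.append({"caller": ev.caller_pid, "target": ev.target_pid,
                             "apis": sorted(st["seen"]), "resumed_at": ev.ts})
        del progress[key]                          # the chain is closed once the thread runs
    return findings

def sample_events() -> list:
    # Constructed: pid 1337 hollows suspended child 2001; pid 777 is a debugger starting and resuming 3002
    chain = ["CreateProcess", "ZwUnmapViewOfSection", "VirtualAllocEx",
             "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    hollow = [ApiEvent(1.0 + i, 1337, api, 2001, CREATE_SUSPENDED if api == "CreateProcess" else 0)
              for i, api in enumerate(chain)]
    debugger = [ApiEvent(5.0, 777, "CreateProcess", 3002, CREATE_SUSPENDED),
                ApiEvent(6.0, 777, "ResumeThread", 3002)]
    return hollow + debugger
```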

  • Joas A Santos

    Founder @RedTeamLeaders | Head of AI Research | Author of 18 Books | Speaker | University Lecturer | Artificial Intelligence Research | Offensive Security

    143,391 followers

    Red Team Exercises #9 - Process Injection

    Process injection is a technique that allows the execution of malicious code within a legitimate process, with variations such as self-injection, classic DLL injection, PE injection, process hollowing, thread execution hijacking, mapping injection, APC injection, atom bombing, process doppelganging, and an interesting one called Mockingjay.

    The utility of process injection in Red Team exercises is to enable the stealthy execution of malicious code within legitimate processes, helping to evade detection by defensive systems such as EDRs and antivirus software. Additionally, process injection facilitates persistence in the target environment and allows for the execution of malicious actions without raising immediate suspicion.

    About Mockingjay
    The Mockingjay technique by Thiago Peixoto involves exploiting DLLs with Read-Write-Execute (RWX) sections to perform stealthy code injection, minimizing detection by defensive software like EDRs. By identifying legitimate DLLs, such as msys-2.0.dll, that have pre-existing RWX sections, it is possible to avoid allocating new memory and using common APIs like NtWriteVirtualMemory and NtProtectVirtualMemory. The process involves loading the vulnerable DLL, calculating the RWX section's address, and injecting malicious code directly into it, using the Hell's Gate technique to create syscall stubs and remove EDR hooks without detection. This approach optimizes code injection by avoiding monitored operations, utilizing the pre-allocated and protected memory of the legitimate DLL, making the technique effective for EDR/AV evasion. More details: https://lnkd.in/dw27iUSc

    I wanted to hear from you: which process injection technique do you use most?

    PoCs:
    https://lnkd.in/dANsyWD2 (Centralized resource for listing and organizing known process injection techniques and POCs)
    https://lnkd.in/dErpgsAT (Mockingjay)
    https://lnkd.in/dCNnhCf5 (Mockingjay 2)
    https://lnkd.in/d-AkuUPp (Mockingjay BOF)

    For Blue Teams:
    https://lnkd.in/dK2gd9a8
    https://lnkd.in/daNAChSv
    https://lnkd.in/ds6786Sp

    Image credits: Caueb Mockingjay Technique (https://lnkd.in/dErpgsAT)

    #redteam #cybersecurity #Informationsecurity #pentest #processinjection #redteamexercises
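Two of the posts above point at the same defensive check: the memory forensics post recommends dumping private VAD regions and scanning them for PE headers, and the Mockingjay post explains that the technique depends on DLL sections that are both writable and executable. As an added example, not taken from either post or from the linked projects, the parser below validates "MZ" candidates in a dumped buffer (e_lfanew must point at a "PE\0\0" signature, so stray "MZ" bytes are discarded), walks the section table, and reports sections whose Characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The sample region is constructed inline; against real dumps the caller still has to filter known-good images, as the first post notes.

```python
import struct
from dataclasses import dataclass
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # real winnt.h section flags
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_FLAGS = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
@dataclass
class Section:
    name: str
    characteristics: int
    def is_rwx(self) -> bool:   # writable AND executable: the section property Mockingjay relies on
        return (self.characteristics & RWX_FLAGS) == RWX_FLAGS
@dataclass
class PeImage:
    offset: int          # where the header starts inside the dumped region
    machine: int         # IMAGE_FILE_HEADER.Machine, e.g. 0x14C (x86) or 0x8664 (x64)
    sections: list
def parse_pe_at(buf: bytes, off: int):
    """Validate an 'MZ' candidate at `off`; return a PeImage, or None if it is not a real PE header."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None   # stray "MZ" bytes in ordinary data almost never point at a valid PE signature
    machine, nsect = struct.unpack_from("<HH", buf, pe + 4)
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    table = pe + 24 + opt_size                       # section table follows the optional header
    if table + nsect * 40 > len(buf):
        return None
    sections = []
    for i in range(nsect):                           # IMAGE_SECTION_HEADER is 40 bytes; Characteristics at +36
        s = table + i * 40
        name = buf[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, struct.unpack_from("<I", buf, s + 36)[0]))
    return PeImage(off, machine, sections)
def scan_region(buf: bytes) -> list:
    """Return every validated PE header in a dumped region (e.g. one file written by vadinfo --dump)."""
    hits, off = [], buf.find(b"MZ")
    while off != -1:
        img = parse_pe_at(buf, off)
        if img:
            hits.append(img)
        off = buf.find(b"MZ", off + 1)
    return hits

def build_sample_region() -> bytes:
    # Constructed sample: a decoy "MZ" string, then a minimal PE32+ header with an RX .text and an RWX .data section
    dos = bytearray(0x40); dos[0:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    text = b".text".ljust(8, b"\0") + bytes(28) + struct.pack("<I", 0x60000020)
    data = b".data".ljust(8, b"\0") + bytes(28) + struct.pack("<I", 0xE0000040)
    return bytes(16) + b"MZ is only text" + bytes(64) + bytes(dos) + coff + bytes(0xF0) + text + data + bytes(32)
```

Run `scan_region` over each dumped region file and report any image with a section for which `is_rwx()` is true, then compare the hits against the process's loaded-module list to separate a backed DLL such as msys-2.0.dll from an image with no file behind it.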
