1/27/2021
Two interesting injectors came up in the “Live” sensor feed this morning which I haven’t seen before. The first, Reloaded.Injector, injects DLLs into both x86 and x64 targets from the same program. I will have to give this one a try.
The second aligns with a strong tactical trend in evasion: the use of direct system calls. Querying our data, we can see that 134 recently ingested project repositories contain either a text-processing hit for direct system calls or an API profile that indicates the same. An interesting note here is that we are talking about entire projects, not individual files. A project can contain multiple files, each using a different variation of (in this case) direct system calls, which our engine also visualizes at the file level. To date, our engine has analyzed over half a million malicious files pulled from the live sensors. Defenders should be cognizant of this vector as its social reach continues to amplify to the masses.
Reloaded-Project/Reloaded.Injector: C# DLL Injection Library capable of injecting x86 DLLs to x86 process from x64 processes. (github.com)
badBounty/directInjectorPOC: Small POC written in C# that performs shellcode injection on x64 processes using direct syscalls as a way to bypass user-land EDR hooks. (github.com)
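As an added example (not code from this post or from either project above), here is the kind of file-level check a defender's engine can run to flag the direct-syscall tactic discussed above: it scans a byte buffer for copies of the x64 NT syscall stub that hand-rolled syscall code reproduces, and scans source text for syscall mnemonics. The stub byte pattern is the well-known ntdll Nt*/Zw* prologue; the text indicator and the sample inputs are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Byte pattern of the classic x64 NT syscall stub that ntdll exports and that
# hand-rolled "direct syscall" code reproduces inside its own image or buffer:
#   4C 8B D1          mov r10, rcx
#   B8 nn nn 00 00    mov eax, <system service number>
#   0F 05             syscall
#   C3                ret
# re.DOTALL lets the two wildcard bytes also match 0x0A.
STUB_RE = re.compile(rb"\x4c\x8b\xd1\xb8(..)\x00\x00\x0f\x05\xc3", re.DOTALL)

# Source-text indicator (assumption: inline-assembler mnemonics in a project's
# C/C# sources are what a "text processing hit" keys on).
TEXT_RE = re.compile(r"\b(syscall|sysenter)\b", re.IGNORECASE)


def find_direct_syscall_stubs(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, service_number) for each syscall stub found in data."""
    return [(m.start(), int.from_bytes(m.group(1), "little"))
            for m in STUB_RE.finditer(data)]


def text_indicator_count(source: str) -> int:
    """Count syscall/sysenter mnemonics appearing in source text."""
    return len(TEXT_RE.findall(source))


def profile(data: bytes, source: str = "") -> Dict[str, object]:
    """File-level summary: stub count, distinct service numbers, text hits, verdict."""
    stubs = find_direct_syscall_stubs(data)
    text_hits = text_indicator_count(source)
    return {
        "stub_count": len(stubs),
        "service_numbers": sorted({ssn for _, ssn in stubs}),
        "text_hits": text_hits,
        "direct_syscall_indicator": bool(stubs) or text_hits > 0,
    }


def _stub(ssn: int) -> bytes:
    """Build a stub with an arbitrary, constructed service number (sample data only)."""
    return b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(2, "little") + b"\x00\x00\x0f\x05\xc3"


# Constructed sample inputs: two stubs separated by unrelated instruction bytes,
# and one line of constructed source text containing the mnemonic.
SAMPLE_BYTES = b"\x90" * 16 + _stub(0x18) + b"\x48\x89\x5c\x24\x08" + _stub(0x50) + b"\xcc" * 8
SAMPLE_SOURCE = "asm { mov r10, rcx; mov eax, ssn; syscall; ret }  // constructed"

if __name__ == "__main__":
    print(profile(SAMPLE_BYTES, SAMPLE_SOURCE))
```

Newer Windows builds insert an extra `test`/`jne` check into the ntdll stub, so a production rule would carry that variant too; the point here is that a stub found outside ntdll's own image is the indicator.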
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam