Persistence mechanisms play a vital role in contemporary cyberattacks: they let malware stay active on a compromised system across reboots, log-offs, and restarts.

By abusing built-in system features, attackers make sure their malicious programs keep running unnoticed.

Below, we examine six prevalent persistence techniques used by attackers, along with ways to uncover them with tools such as ANY.RUN’s Interactive Sandbox, which maps detected malicious activity to the MITRE ATT&CK framework.

1. Execution via Startup Directory – MITRE ATT&CK ID: T1547.001

Using the Windows Startup folder is a common way for attackers to achieve persistence. By dropping malicious files into this folder, which is designed to launch programs automatically at login, malware ensures it is started again each time the user logs on.

Figure: Persistence mechanism technique within ANY.RUN sandbox

  • Mechanism Explanation: Most users never inspect their Startup folder, so malware placed there runs unnoticed.
  • Illustration: The Snake Keylogger malware drops files into the Startup folder at:
    C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
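As an added example (not code from the original article or from ANY.RUN), the following Python audit script lists what a Startup folder will launch at logon, checking both the per-user folder under %APPDATA% and the all-users folder under %ProgramData%. It builds a constructed Startup folder in a temporary directory so it runs on any OS; the file names inside it are made up, and on a real Windows host you would pass the real %APPDATA% and %ProgramData% values instead.

```python
# Added example: audit the Windows Startup folders (per-user and all-users) for
# entries that Explorer launches at logon. The demo builds a constructed Startup
# folder in a temp directory; pass real %APPDATA% / %ProgramData% values on a host.
import tempfile
from pathlib import Path

# Extensions that run directly, or via an interpreter, when launched from Startup.
AUTORUN_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".wsf",
                      ".ps1", ".hta", ".lnk"}
# Relative path under both %APPDATA% and %ProgramData%, as given in the article.
STARTUP_REL = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def startup_folders(appdata: str, programdata: str) -> list:
    """Return [per-user Startup, all-users Startup]; both are checked at logon."""
    return [Path(appdata) / STARTUP_REL, Path(programdata) / STARTUP_REL]


def audit_startup_folder(folder: Path) -> list:
    """One finding per entry, flagging those that will execute at logon."""
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if entry.name.lower() == "desktop.ini":
            continue  # Explorer metadata; present in a clean folder
        findings.append({
            "path": str(entry),
            "executes_at_logon": entry.suffix.lower() in AUTORUN_EXTENSIONS,
            "size": entry.stat().st_size,
        })
    return findings


def demo() -> list:
    """Constructed scenario: a clean file plus a dropped script in Startup."""
    root = Path(tempfile.mkdtemp())
    user_startup, all_users_startup = startup_folders(
        str(root / "AppData" / "Roaming"), str(root / "ProgramData"))
    user_startup.mkdir(parents=True)
    (user_startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (user_startup / "notes.txt").write_text("harmless text\n")
    # Stand-in for a dropped loader; the name and content are constructed.
    (user_startup / "updater.vbs").write_text("' constructed sample, does nothing\n")
    return audit_startup_folder(user_startup) + audit_startup_folder(all_users_startup)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Anything flagged with executes_at_logon set to True deserves a look at who wrote it and when; a .lnk entry should additionally be resolved to its target, since the shortcut itself is harmless while the program it points at is not.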

2. Alteration of Registry Autorun Keys – MITRE ATT&CK ID: T1547.001

Malware can modify registry keys to guarantee automatic execution at system startup or user logon. By writing to specific AutoStart Extension Points (ASEPs), attackers hook their malware directly into the system’s boot and logon process.

Targeted user-level keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Targeted system-level keys (require admin privileges):

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Figure: Executing files in Startup folder

Illustration: In this session, the Njrat malware modifies user-level registry keys for persistence.

3. Adjustment of Logon/Logoff Helper Paths – MITRE ATT&CK ID: T1547.004

Windows uses registry “helper” entries to run programs during user logon or logoff. Adversaries alter these entries so that their malware runs at the start or end of every session.

Targeted registry path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
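As an added example (not code from the original article or from ANY.RUN), the following Python classifier runs over constructed registry-write records shaped like Sysmon Event ID 13 (RegistryEvent, value set) and flags writes to the Run/RunOnce keys of section 2 and to the Winlogon helper entries of section 3; one block serves both because the checks share the same key-matching logic. The sample events, the process names in them and the SID are made up. The Winlogon defaults it compares against (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,) are the standard values on a clean install.

```python
# Added example: flag registry value writes that land in the autorun keys (ASEPs)
# from sections 2 and 3. Input records mimic Sysmon Event ID 13 fields; the
# sample events below are constructed, not real telemetry.
import re
from typing import Optional

# Run / RunOnce under the user hive (HKCU, or HKU\<SID> as Sysmon reports it)
# and under the machine hive (HKLM).
AUTORUN_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+|HKLM|HKEY_LOCAL_MACHINE)\\"
    r"Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
WINLOGON_KEY_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
    re.IGNORECASE,
)
# Clean-install defaults for the two Winlogon helper values most often altered.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"C:\Windows\system32\userinit.exe,",
}


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an ASEP write, or None if the key is not an ASEP."""
    key, _, value_name = event["TargetObject"].rpartition("\\")
    data = event.get("Details", "")
    m = AUTORUN_KEY_RE.match(key)
    if m:
        system_hive = m.group(1).upper() in ("HKLM", "HKEY_LOCAL_MACHINE")
        return {"technique": "T1547.001", "scope": "system" if system_hive else "user",
                "value": value_name, "data": data, "writer": event["Image"]}
    if WINLOGON_KEY_RE.match(key):
        expected = WINLOGON_DEFAULTS.get(value_name.lower())
        # Unknown helper value, or a known one that no longer equals its default.
        if expected is None or data.strip().lower() != expected.lower():
            return {"technique": "T1547.004", "scope": "system",
                    "value": value_name, "data": data, "writer": event["Image"]}
    return None


def scan(events) -> list:
    """All findings for a batch of events, in input order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (paths, names and SID are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\admin\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\admin\AppData\Local\Temp\svc.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup",
     "Details": r"cmd.exe /c C:\ProgramData\cleanup.bat"},
    {"Image": r"C:\Users\admin\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\ProgramData\svc.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},  # default restored: not a finding
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},  # ordinary setting: not a finding
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The writer field matters as much as the key: an installer writing to HKCU\...\Run is routine, while a process running from a user’s Temp directory writing to the same key, or any change to the Winlogon Shell or Userinit value, is the kind of event that should page someone.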

4. Kernel Modules and Extensions (Linux) – MITRE ATT&CK ID: T1547.006

Linux systems are susceptible to persistence via kernel modules. A loaded module runs with kernel (root-level) privileges and can integrate malicious code directly into the core of the operating system.

Adversarial process:

  1. Malware obtains root access.
  2. A malicious module is loaded with commands such as insmod or modprobe.
  3. The module hides its presence by tampering with kernel-level functions.

Figure: Loading of malicious module detected by ANY.RUN sandbox

Rationale for stealthiness: Conventional antivirus tools run in user space and are poorly equipped to detect kernel-level threats.
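As an added example (not code from the original article or from ANY.RUN), the following Python snippet shows one way a defender can catch a module that hides itself from /proc/modules (the file lsmod reads): cross-check that list against /sys/module, and separately flag modules that carry the out-of-tree (O) or unsigned (E) taint flags. It runs on constructed snapshots of both sources so it works offline; the module names dropper and hider are made up, and the check assumes the stable sysfs layout in which /sys/module/<name>/initstate exists only for modules loaded through the module loader (built-in modules have no initstate file).

```python
# Added example: detect kernel modules that are loaded (visible in sysfs) but
# missing from /proc/modules, and modules carrying unusual taint flags. Both
# inputs below are constructed snapshots; on a live host read the real files.
import re

# Constructed /proc/modules snapshot: name size refcount deps state address [(taint)]
PROC_MODULES = """\
ext4 745472 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
dropper 16384 0 - Live 0xffffffffc0b00000 (OE)
"""

# Constructed view of /sys/module: name -> contents of initstate, or None when the
# module has no initstate file (built-in code compiled into the kernel).
SYS_MODULE = {
    "ext4": "live",
    "mbcache": "live",
    "dropper": "live",
    "hider": "live",      # loaded, but absent from /proc/modules above
    "ata_piix": None,     # built-in: expected to be absent from /proc/modules
}

PROC_LINE_RE = re.compile(
    r"^(\S+) (\d+) (\d+) (\S+) (\S+) (0x[0-9a-fA-F]+)(?: \((\w+)\))?$")


def parse_proc_modules(text: str) -> dict:
    """Map module name -> {size, state, taint} from /proc/modules text."""
    modules = {}
    for line in text.splitlines():
        m = PROC_LINE_RE.match(line)
        if m is None:
            continue  # tolerate unexpected lines rather than abort the scan
        name, size, _refcnt, _deps, state, _addr, taint = m.groups()
        modules[name] = {"size": int(size), "state": state, "taint": taint or ""}
    return modules


def find_hidden_modules(proc_text: str, sysfs: dict) -> list:
    """Loadable modules sysfs knows about that /proc/modules does not list."""
    listed = parse_proc_modules(proc_text)
    return sorted(name for name, initstate in sysfs.items()
                  if initstate is not None and name not in listed)


def find_tainting_modules(proc_text: str) -> list:
    """Modules flagged out-of-tree (O) or unsigned (E): unusual for distro kernels."""
    return sorted(name for name, info in parse_proc_modules(proc_text).items()
                  if set(info["taint"]) & {"O", "E"})


if __name__ == "__main__":
    print("hidden:", find_hidden_modules(PROC_MODULES, SYS_MODULE))
    print("tainted:", find_tainting_modules(PROC_MODULES))
```

This is one check among several, not a complete answer: a module that also removes its sysfs entries defeats it, which is why comparing against a known-good module inventory and requiring signed modules (lockdown or module.sig_enforce) are the stronger controls.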

5. Initialization of Office Applications – MITRE ATT&CK ID: T1137

Adversaries abuse Microsoft Office’s startup behaviour to run malicious code every time an Office application is launched. Two common methods are:

Figure: Macros identified by ANY.RUN sandbox

Attackers can abuse Microsoft Office by embedding malware-laden macros in templates or by building malicious add-ins. When the application starts, a malicious template is loaded automatically and its code executes without any user interaction.

Similarly, attackers can place malicious add-ins in Office’s add-in directories, ensuring the code runs each time the application is started. These techniques provide sustained access and pose a considerable security risk.

Illustration: A macro embedded in a malicious Word document executes every time the file is opened.
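As an added example (not code from the original article or from ANY.RUN), the following Python snippet shows how to check an Office Open XML file for an embedded VBA project before anyone opens it: macro code is stored in a vbaProject.bin part inside the ZIP container, and a macro-enabled document declares a macroEnabled content type in [Content_Types].xml. The sample documents are constructed in memory (the vbaProject.bin is a placeholder holding only the OLE magic bytes, not real macro code), so the snippet runs offline.

```python
# Added example: inspect an Office Open XML package (.docx/.docm/.xlsm/...) for
# an embedded VBA project without opening it in Office. Sample packages are
# built in memory and are not real documents.
import io
import zipfile

# Where OOXML stores VBA for Word, Excel and PowerPoint respectively.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_office_file(data: bytes, filename: str) -> dict:
    """Report whether the package carries VBA and whether that matches its name."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        content_types = (pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                         if "[Content_Types].xml" in names else "")
    has_vba = any(part in names for part in VBA_PARTS)
    extension = filename.rsplit(".", 1)[-1].lower()
    return {
        "has_vba_project": has_vba,
        "declared_macro_enabled": "macroEnabled" in content_types,
        # VBA inside a file whose extension promises no macros deserves a look.
        "extension_mismatch": has_vba and extension in MACRO_FREE_EXTENSIONS,
    }


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word package; only enough structure for the check."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder: OLE compound-file magic followed by padding, no real VBA.
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_file(build_sample(True), "invoice.docm"))
    print(inspect_office_file(build_sample(False), "invoice.docx"))
```

The same check is worth running over the templates Word loads at every launch, namely Normal.dotm and everything in the user’s Word STARTUP folder, since a VBA project that appears there after the baseline was taken is exactly the template-based persistence the section describes.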

6. Boot or Logon Initialization Scripts – MITRE ATT&CK ID: T1037

Attackers modify initialization scripts that run at system boot or user logon in order to maintain persistence. These scripts, originally intended for administrative tasks, can be altered to launch malware.

  • Illustration: RC scripts on Linux systems are edited to include malicious code.
  • Why it works: Because these scripts run automatically, the malware is launched without any user intervention.
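As an added example (not code from the original article or from ANY.RUN), the following Python snippet implements the basic defensive check for this technique: hash the boot scripts once while the system is known good, then compare later to find scripts that were modified, added or removed. It runs against a constructed /etc tree in a temporary directory; the file names and contents in it are made up, and on a real host you would point it at the actual /etc/rc.local and /etc/init.d paths.

```python
# Added example: baseline-and-compare integrity check for boot/logon scripts.
# The demo builds a constructed /etc tree in a temp dir; point it at the real
# /etc/rc.local and /etc/init.d on a host (take the baseline from a trusted state).
import hashlib
import tempfile
from pathlib import Path

# Script locations this check watches, relative to the etc root.
WATCHED = ["rc.local", "init.d"]


def _hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_scripts(etc_root: Path) -> dict:
    """Map relative script path -> SHA-256 for every watched file and directory."""
    hashes = {}
    for rel in WATCHED:
        target = etc_root / rel
        if target.is_file():
            files = [target]
        elif target.is_dir():
            files = sorted(p for p in target.rglob("*") if p.is_file())
        else:
            files = []
        for p in files:
            hashes[p.relative_to(etc_root).as_posix()] = _hash_file(p)
    return hashes


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a known-good baseline and a fresh collection."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline, then an edited rc.local and a new init script."""
    etc = Path(tempfile.mkdtemp()) / "etc"
    (etc / "init.d").mkdir(parents=True)
    (etc / "rc.local").write_text("#!/bin/sh\nexit 0\n")
    (etc / "init.d" / "ssh").write_text("#!/bin/sh\n# constructed placeholder for a service script\n")
    baseline = collect_scripts(etc)

    # Simulated tampering: a line appended to rc.local and an unexpected new script.
    with (etc / "rc.local").open("a") as f:
        f.write("# constructed: appended after the baseline was taken\n")
    (etc / "init.d" / "helper").write_text("#!/bin/sh\n# constructed: not part of the baseline\n")
    return compare(baseline, collect_scripts(etc))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the host cannot rewrite it (a separate system or a signed file), otherwise an attacker with root, which this technique already assumes, can simply refresh it after making changes.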

Persistence mechanisms are crucial tools for malicious actors who need their malware to keep running after a system reboot. From altering registry entries to planting malicious kernel modules, these techniques abuse legitimate system functions to evade detection.

Solutions such as ANY.RUN’s Interactive Sandbox give security analysts robust capabilities for identifying and examining these persistence techniques in real time. By mapping activity to the MITRE ATT&CK framework, ANY.RUN streamlines the process of spotting and countering threats.

About ANY.RUN

ANY.RUN is a leading platform for interactive malware analysis, serving over 500,000 cybersecurity professionals worldwide. It offers features such as TI Lookup, YARA Search, and Feeds to help users quickly identify Indicators of Compromise (IOCs) and respond effectively to incidents.

The original article “Top 6 Malware Persistence Mechanisms Used by Hackers: A Detailed Guide” was first published on Cyber Security News.