Understanding and Measuring Inter-Process Code Injection in Windows Malware

Malware aims to stay undetected for as long as possible. One common method for avoiding or delaying detection is the use of code injection, by which a malicious process injects code into another running application. Despite code injection being known as one of the main features of today’s malware, it is often overlooked and no prior research performed a comprehensive study to fundamentally understand and measure code injection in Windows malware. In this paper, we conduct a systematic study of code injection techniques and propose the first taxonomy to group these methods into classes based on common traits. Then, we leverage our taxonomy to implement models of the studied techniques and collect empirical evidence for the prevalence of each specific technique in the malware scene. Finally, we perform a large-scale, longitudinal measurement of the adoption of code injection, highlighting that at least 9.1% of Windows malware between 2017 and 2021 performs code injection. Our systematization and results show that Process Hollowing is the most commonly used technique across different malware families, but, more importantly, this trend is shifting towards other, less traditional methods. We conclude with takeaways that impact how future malware research should be conducted. Without comprehensively accounting for code injection and modeling emerging techniques, future studies based on dynamic analysis are bound to limited observations

There’s a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets

Cloud storage services are an efficient solution for a variety of use cases, allowing even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, using public cloud services for storage comes with security and privacy concerns. In fact, manag- ing access control at scale is often particularly hard, as the size and complexity rapidly increases, especially when the role of access policies is underestimated, resulting in dangerous misconfigurations. In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We developed a tool that automatically performs security checks of S3 buckets, without storing nor exposing any sensitive data. This tool is intended for developers, end-users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large- scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in access control policies. The most concerning one is certainly the (unwanted) exposure of storage buckets: These can easily leak sensitive data, such as private keys, credentials and database dumps, or allow attackers to tamper with their resources. To raise awareness on the risks and help users to secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that relies on S3 buckets. In fact, we identify 191 vulnerable websites. Finally, we propose a browser extension that prevents loading re- sources hosted in unsecured buckets, intended either for end-users, as a mitigation against vulnerable websites, and for developers and software testers, as a way to check for misconfigurations

Prometheus: Analyzing WebInject-based information stealers

Nowadays Information stealers are reaching high levels of sophistication. The number of families and variants observed increased exponentially in the last years. Furthermore, these trojans are sold on underground markets along with automatic frameworks that include web-based administration panels, builders and customization procedures. From a technical point of view such malware is equipped with a functionality, called WebInject, that exploits API hooking techniques to intercept all sensitive data in a browser context and modify web pages on infected hosts. In this paper we propose Prometheus, an automatic system that is able to analyze trojans that base their attack technique on DOM modifications. Prometheus is able to identify the injection operations performed by malware, and generate signatures based on the injection behavior. Furthermore, it is able to extract the WebInject targets by using memory forensic techniques. We evaluated Prometheus against real-world, online websites and a dataset of distinct variants of financial trojans. In our experiments we show that our approach correctly recognizes known variants of WebInject-based malware and successfully extracts the WebInject targets