- Mar 9, 2019
- 874
Last edited by a moderator:
Chinese Hacking Group APT41 Exploits Google Calendar to Target Governments
- Thread starter Brownie2019
- Start date
- Dec 23, 2014
- 9,052
Users on Windows 11 with enabled Smart App Control are protected against such attacks (the LNK file will be blocked).
Others are vulnerable, except when security can block shortcuts or detect post-execution fileless techniques (like process hollowing):
cloud.google.com
Others are vulnerable, except when security can block shortcuts or detect post-execution fileless techniques (like process hollowing):
Mark Your Calendar: APT41 Innovative Tactics | Google Cloud Blog
cloud.google.com
Last edited:
Parkinsond
Level 18
- Dec 6, 2023
- 895
or to use WHHLight; block LNK by SWH, as WDAC component does not.Users on Windows 11 with enabled Smart App Control are protected against such attacks (the LNK file will be blocked).
Others are vulnerable, except when security can block shortcuts or detect post-execution fileless techniques (like process hollowing):
Mark Your Calendar: APT41 Innovative Tactics | Google Cloud Blog
- Dec 23, 2014
- 9,052
The attackers enhanced the attack vector known for several years:
phishing ---> ZIP archive ----> LNK -----> RunDLL32 -----> DLL loader (decrypted payload) ----> Process Hollowing -----> abusing legal cloud services for C2
State-sponsored phishing is often successful, so antivirus software attempts to detect the attack when the DLL loader is executed. When RunDLL32 LOLBin is used, some AVs can efficiently block the attack via Advanced Threat Protection features (like Microsoft Defender ASR rules) or LOLBin restrictions (like Comodo Script Analysis). Such loaders have a low level of suspicious IOCs on the pre-execution stage, so the attack can be detected by Machine Learning only after some time. This time can be longer if the attackers use a runtime FUD malware (unique crypter). It is probable that this was the case in this smart attack.
Top AVs can detect Process Hollowing methods (especially Enterprise versions). But I am not sure how effective they are against evolving attack methods.
phishing ---> ZIP archive ----> LNK -----> RunDLL32 -----> DLL loader (decrypted payload) ----> Process Hollowing -----> abusing legal cloud services for C2
State-sponsored phishing is often successful, so antivirus software attempts to detect the attack when the DLL loader is executed. When RunDLL32 LOLBin is used, some AVs can efficiently block the attack via Advanced Threat Protection features (like Microsoft Defender ASR rules) or LOLBin restrictions (like Comodo Script Analysis). Such loaders have a low level of suspicious IOCs on the pre-execution stage, so the attack can be detected by Machine Learning only after some time. This time can be longer if the attackers use a runtime FUD malware (unique crypter). It is probable that this was the case in this smart attack.
Top AVs can detect Process Hollowing methods (especially Enterprise versions). But I am not sure how effective they are against evolving attack methods.
Last edited:
- Dec 23, 2014
- 9,052
Here are some tests that include Process Hollowing by EDRs:
Parkinsond
Level 18
- Dec 6, 2023
- 895
ESET and K have one "fail" for "Execution via Callback Function"; this means B wins?
- Dec 23, 2014
- 9,052
- Oct 16, 2022
- 775
Andy, are those who have WHHLight or Hard_Configurator installed protected against this type of exploit? But specifically LNK?
- Dec 23, 2014
- 9,052
Yes. However, those security-oriented apps are not intended for use in "automotive, entertainment, government, logistics, media, shipping, and technology sectors," often attacked by state-sponsored actors.
These possible targets should use EDRs like those mentioned in my previous post (and eventually Application Control for Business).
Last edited:
- Oct 16, 2022
- 775
I'm sorry, I forgot the title of the post about Hacking Group APT41 similar to the Lazarus Group.
- Dec 23, 2014
- 9,052
In October 2024, Microsoft changed the Windows loader mechanism in Windows 11 24H2. This prevents the typical Process Hollowing attack.
This is probably good news for many users, but not necessarily for Enterprises.
www.linkedin.com
cyberpress.org
In widespread attacks, the typical Process Hollowing will still be prevalent for some time due to the popularity of Windows 10.
This is probably good news for many users, but not necessarily for Enterprises.
New Process Hollowing Attack Vectors Discovered in Windows 11 (24H2) – What You Need to Know!
The release of Windows 11 version 24H2 brings several new features and updates, but it has also sparked cyber security concerns. According to researchers, a well-known malware technique called Process Hollowing (also referred to as RunPE) is facing compatibility challenges on this latest update.
www.linkedin.com
Pure Crypter Deploys Sophisticated Evasion Tactics to Evade Windows 11 24H2 Security Features
Pure Crypter has cemented its position as a prominent malware-as-a-service (MaaS) loader within the cybercriminal ecosystem.
cyberpress.org
In widespread attacks, the typical Process Hollowing will still be prevalent for some time due to the popularity of Windows 10.
Last edited:
Similar threads
