Malware Injected Directly Into Processes in Angler Exploit Kit Attack


Posted by avast! Protection (Level 2, Thread author, Verified), Jun 27, 2014
In recent attacks involving the Angler exploit kit, malicious code was injected directly into running processes instead of being written to the disk, a researcher reported on Sunday.

French malware researcher known as "Kafeine" noticed that while the exploits had the same hashes as before, his tools didn't detect the payload and his host-based intrusion prevention system (HIPS) had been bypassed.

At that point the researcher realized that the Angler exploit kit has become capable of infecting hosts by injecting malware into existing processes, in this case the Web browser process. The malware served in the attack analyzed by the researcher was Necurs, a Trojan that can be used to disable security products and download other threats onto infected systems.

"The typical exploitation workflow consists of a user arriving at a landing page that fires multiple exploits (Flash, Reader, Java, etc.) which in turn results in a malware payload being downloaded to the user's machine and run from a specific location, often within the temporary files folder," Jerome Segura, senior security researcher at Malwarebytes, explained in an email. "These drive-by download attacks leave a physical trace on the victims' machines and various security software (from antivirus/anti-malware to more generic whitelisting anti-executable utilities) can pick that up reasonably well."

"In this new method, an encrypted payload is deobfuscated on the fly using XOR and then loaded straight into an existing process such as iexplore.exe as a new thread. What is so unique about this is the fact that the payload never actually touches the hard-drive. The malware remains active in memory even after the user closes their browser and the only way to completely 'kill' it is to terminate the injected process or restart the computer."

Read more: http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack
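The point Segura makes, that the payload leaves no file on disk but does leave a block of executable memory inside the browser with no backing image, is what a memory scan keys on. The following is an added example, not code from the article, from Kafeine's writeup or from Malwarebytes: it parses the Linux /proc/<pid>/maps format, used here as a concrete stand-in for the region data VirtualQueryEx returns on Windows, and flags executable regions that are writable or not backed by a file. The sample map text is constructed for the example.

```python
"""Flag executable memory that is not backed by a file on disk.

A payload that is XOR-decoded and copied straight into a live browser
process never exists as a file, so file-based AV has nothing to scan.
What it does leave is an executable region with no backing image.
This added example parses the Linux /proc/<pid>/maps format as a
concrete stand-in; on Windows the same check runs over VirtualQueryEx
output (MEM_PRIVATE regions with a PAGE_EXECUTE_* protection).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Kernel-provided pseudo-mappings that are executable but never file-backed.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}

# Constructed sample (not a real capture): a browser with two regions that
# look like injected code, 0x7f2a1c400000 (rwx) and 0x7f2a1c800000 (anon r-x).
SAMPLE_MAPS = """\
00400000-0041a000 r-xp 00000000 08:01 1234 /usr/bin/browser
0061a000-0061b000 rw-p 0001a000 08:01 1234 /usr/bin/browser
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c400000-7f2a1c410000 rwxp 00000000 00:00 0
7f2a1c800000-7f2a1c80a000 r-xp 00000000 00:00 0
7f2a1d000000-7f2a1d1b6000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7ffd3a9f0000-7ffd3a9f2000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        # A real on-disk image shows up as an absolute path; anonymous memory
        # has an empty path, and kernel pseudo-mappings use [name].
        return self.path.startswith("/")


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into Region records."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def suspicious_regions(regions: List[Region]) -> List[Tuple[str, Region]]:
    """Return (reason, region) pairs that deserve a closer look.

    'rwx' is the strongest signal: code that is both writable and executable
    is what a decode-in-place loader needs. 'anonymous-exec' is weaker, since
    browser JIT heaps are also anonymous executable memory, so treat it as a
    triage lead and correlate with thread start addresses before acting.
    """
    findings = []
    for r in regions:
        if not r.executable:
            continue
        if r.writable:
            findings.append(("rwx", r))
        elif not r.file_backed and r.path not in KERNEL_PSEUDO:
            findings.append(("anonymous-exec", r))
    return findings


if __name__ == "__main__":
    for reason, r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{reason:15} {r.start:#x}-{r.end:#x} {r.perms} size={r.size:#x}")
```

Run against a live process the check reads /proc/<pid>/maps instead of SAMPLE_MAPS; the regions it flags are the ones to dump and inspect, since, as the article notes, nothing of the payload is on disk to hand to a file scanner. Restarting the process is what clears them.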
 
