System Registry Tampering

ID

system_registry_tampering

Severity

high

Resource

Registry

Tags

bot, trojan

Description

This detector looks for code that performs suspicious modifications to the Windows registry.

Rationale

After infecting a system, malicious code usually tries to persist (surviving reboots and logons) or to escalate privileges, and the registry is a common place to do both.

Because this can be done in many ways, it is difficult to anticipate every possible attack combination, but most of them share common patterns that this detector aims to find. These patterns are classified into the following categories:

  • Keys like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run are used to make a malicious file execute automatically each time the user logs on, so the malware survives a reboot of the compromised system.

  • Keys like HKLM\SYSTEM\CurrentControlSet\Services\calcservice hold the configuration of a service; weak permissions on such keys let an attacker redirect the service from its originally specified executable to one they control, so that malicious code runs when the trusted service starts.

  • Keys like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon are associated with configuring an automatic logon to the compromised host after forcing a safe mode boot.

  • Keys like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System are associated with disabling or modifying Group Policy features and Windows notifications, or even disabling common Windows tools, in order to hinder incident response.

  • Keys like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System are also associated with modifying the PowerShell execution policy registry entry to allow the execution of scripts.

  • Keys like HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image are associated with attaching a debugger to an application, so that the "debugger" is executed whenever the targeted process is created.
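As an added example (not part of this detector's own code), the classification above expressed as a small Python scanner run over constructed sandbox-style log lines. It folds hive aliases (HKLM versus HKEY_LOCAL_MACHINE), collapses the doubled backslashes that escaped source strings leave behind, matches case-insensitively, and only flags a service key when the write targets its executable value. The log-line format, the sample lines, the value-name filters (ImagePath for service keys, Debugger for the debugger category) and the full key name "Image File Execution Options" are assumptions of this example, not taken from the page.

```python
import re
from typing import List, Optional, Tuple

# Short hive aliases are folded to their long form so that "HKLM\..." and
# "HKEY_LOCAL_MACHINE\..." are matched by the same rule.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
}

# (category, normalized key prefix, required value name or None).
# Prefixes follow the categories listed above; the value-name filters and the
# full "Image File Execution Options" key name are assumptions of this example.
RULES = [
    ("autostart_run", r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", None),
    ("autostart_run", r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", None),
    ("service_hijack", r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES", "IMAGEPATH"),
    ("winlogon_autologon", r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON", None),
    ("policy_tampering", r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", None),
    ("ifeo_debugger", r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS", "DEBUGGER"),
]

# Assumed log-line shape (constructed for this example, not a real sandbox format).
LOG_LINE = re.compile(
    r'RegSetValueEx\w*\s+key="(?P<key>[^"]*)"\s+value="(?P<value>[^"]*)"\s+data="(?P<data>[^"]*)"'
)


def normalize_key(raw: str) -> str:
    """Canonicalize a registry path: collapse escaped backslashes, unify
    separators, expand the hive alias and upper-case the whole path."""
    key = raw.strip().strip('"').replace("\\\\", "\\").replace("/", "\\").strip("\\")
    parts = key.split("\\")
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts).upper()


def classify(key: str, value_name: str = "") -> Optional[str]:
    """Return the category of a registry write, or None when no rule applies."""
    norm = normalize_key(key)
    vname = value_name.upper()
    for category, prefix, value_filter in RULES:
        # Match the key itself or any subkey beneath it (e.g. Services\<name>).
        if norm == prefix or norm.startswith(prefix + "\\"):
            if value_filter is None or vname == value_filter:
                return category
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse log lines and return (category, normalized key, value name) hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        category = classify(m["key"], m["value"])
        if category:
            hits.append((category, normalize_key(m["key"]), m["value"]))
    return hits


# Constructed sample log: five suspicious writes, one benign write, and one
# service write that touches Start rather than ImagePath (should not fire).
SAMPLE_LOG = r"""
RegSetValueExW key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="Updater" data="C:\Users\Public\upd.exe"
RegSetValueExA key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\calcservice" value="ImagePath" data="C:\ProgramData\calc.exe"
RegSetValueExW key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" value="AutoAdminLogon" data="1"
RegSetValueExW key="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" value="DisableTaskMgr" data="1"
RegSetValueExW key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" value="Debugger" data="C:\ProgramData\hook.exe"
RegSetValueExW key="HKCU\Software\Contoso\Editor" value="RecentFile" data="C:\docs\a.txt"
RegSetValueExW key="HKLM\SYSTEM\CurrentControlSet\Services\calcservice" value="Start" data="2"
"""

if __name__ == "__main__":
    for category, key, value in scan_log(SAMPLE_LOG):
        print(f"{category:20} {key}  [{value}]")
```

The prefix match is deliberately exact rather than a substring search: a substring search on "Run" would also fire on unrelated keys, while the prefix plus subkey check keeps RunOnce and similar siblings out of the Run category unless a rule for them is added.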

Some well-known campaigns that use this technique:

  • Uroburos is a sophisticated cyber espionage tool written in C, used by units within Russia's Federal Security Service (FSB) and linked to the Turla toolset. Designed to collect intelligence from sensitive targets worldwide, it can infect Windows, Linux and macOS systems and shows a high level of stealth in its communications and architecture, with the ability to seamlessly incorporate new or replacement components.

  • Valak is multi-stage modular malware that can function as a standalone information stealer or as a downloader; it was first observed in 2019 targeting enterprises in the US and Germany.

  • Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive and media industries.