Spyware hunters are expanding their toolkit


The industry that rents out powerful mobile spyware tools has recently received increasing attention as tech companies and governments grapple with the scale of the threat. Spyware targeting laptops and desktops, however, is also extremely common across a wide range of cyber attacks, from state-backed espionage to financially motivated phishing scams. Because of this growing threat, researchers from the incident response firm Volexity and Louisiana State University presented new and refined tools at the Black Hat security conference in Las Vegas last week that practitioners can use to catch more PC spyware on Windows 10, macOS 12, and Linux computers.

Widely used PC spyware, the kind that typically records targets' keystrokes, tracks mouse movements and clicks, listens through the computer's microphone, and pulls photos or videos from the camera, can be difficult to detect because the attacker intentionally designs it to leave a minimal footprint. Instead of installing itself on the target computer's hard drive like a normal application, the malware (or its most important components) exists and runs only in the target computer's memory, or RAM. This means it doesn't generate certain classic red flags, doesn't show up in the normal logs, and is cleared when the device is rebooted.

Enter the field of "memory forensics", which is geared precisely towards developing techniques for assessing what is happening in this ephemeral space. At Black Hat, the researchers announced new detection algorithms based on their findings for the open source memory forensics framework Volatility.

"Memory forensics is very different from five or six years ago in terms of how it is used in the field for both incident response and law enforcement," Volexity director Andrew Case told WIRED. (Case is also a lead developer of Volatility.) "It got to the point where even outside of really intense malware investigations, memory forensics is needed. But for evidence or artifacts from memory samples to be used in court or some kind of legal proceeding, we need to know that the tools are working as expected and the algorithms have been validated. This latest material for Black Hat is really some tough new techniques as part of our efforts to build verified frameworks."

Case emphasized that extensive spyware detection tools are needed because Volexity and other security companies regularly see real-life examples of hackers deploying memory-only spyware in their attacks. At the end of July, for example, Microsoft and the security company RiskIQ published detailed findings and mitigations against the Subzero malware from an Austrian commercial spyware company, DSIRF.

"Observed victims [targeted with Subzero] to date include law firms, banks and strategic consulting agencies in countries such as Austria, the United Kingdom and Panama," wrote Microsoft and RiskIQ. They added that Subzero's primary payload "remains exclusively in memory to avoid detection. It contains many capabilities including recording keystrokes, taking screenshots, exfiltrating files, running remote shells, and running arbitrary plugins".

The researchers are particularly focused on honing their findings on how different operating systems talk to "hardware devices", that is, sensors and components like keyboards and cameras. By monitoring how different parts of the system run and communicate with each other and looking for new behaviors or connections, memory forensics algorithms can catch and analyze a wider variety of potentially malicious activity. One potential tell, for example, is to monitor an OS process that is always running, say a feature that allows users to log into the system, and flag it if additional code is injected into that process after it has started. If the code was introduced later, it could be a sign of malicious manipulation.
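To make the "code injected after the process started" heuristic concrete, here is a small added example in the spirit of Volatility's malfind-style checks; it is not Volatility's or the researchers' code. It walks constructed memory-region records for a single process (the `created_after_start` field and the sample paths are assumptions standing in for what a real tool would recover from a memory image) and flags executable memory that has no backing file on disk.

```python
# Toy memory-forensics pass (added example, not Volatility's own code).
# Input records are constructed; a real run would pull them from a memory
# image by walking the process's virtual address descriptors / mappings.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protection: str             # Windows-style constant, e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing image/DLL path, or None for private memory
    created_after_start: bool   # assumed field: region absent from the post-launch baseline

def region_findings(regions: List[Region]) -> List[str]:
    """Return one human-readable finding per suspicious region."""
    findings = []
    for r in regions:
        if "EXECUTE" not in r.protection:
            continue                      # data-only memory is not injected code
        where = f"0x{r.base:016x} +0x{r.size:x}"
        if r.mapped_file is None:
            # Executable memory with no backing file: code written into the
            # process rather than loaded from disk, the memory-only pattern.
            reason = "private executable region"
            if "WRITE" in r.protection:
                reason += ", also writable (RWX)"
            if r.created_after_start:
                reason += ", appeared after process start"
            findings.append(f"{where}: {reason}")
        elif r.created_after_start and "WRITE" in r.protection:
            # A writable executable file mapping added late is unusual too.
            findings.append(f"{where}: late writable image mapping {r.mapped_file}")
    return findings

# Constructed sample: an always-running login-related process with its
# legitimate image, a system DLL, a heap, and one stray RWX blob that
# showed up after launch (paths are illustrative, not taken from a real image).
SAMPLE = [
    Region(0x7ff6_1234_0000, 0x45000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\logonui.exe", False),
    Region(0x7ffb_2000_0000, 0x1c000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll", False),
    Region(0x0000_0200_0000, 0x10000, "PAGE_READWRITE", None, False),
    Region(0x0000_0210_0000, 0x3000, "PAGE_EXECUTE_READWRITE", None, True),
]

if __name__ == "__main__":
    for line in region_findings(SAMPLE):
        print(line)
```

Only the last region is reported; the legitimate file-backed code and the non-executable heap pass, which is why the heuristic needs the "no backing file" and "appeared later" signals together rather than executable permission alone.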
