[MART] - Daily Diary #420 - Trojan techniques - Detour

CTAS-MAT ctas-mat at appgate.com
Tue Dec 28 20:29:40 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

28/12/2021 - Diary entry #420

In our previous Daily Diary #419, we covered Trojan malware and its common infection vectors. Today we will cover one technique attackers and malware use to build trojanized applications: detours.

When it comes to trojanized applications, the goal is to hide the execution of malicious code inside a trusted binary. Part of the social engineering of a Trojan is making the target believe that only trusted code is being executed, and therefore that there is nothing to worry about. For PE and ELF binaries, one technique commonly used by attackers to create Trojans is the detour.

Consider the normal execution flow of a PE or an ELF. The operating system's loader reads the headers, maps the binary into memory, and starts execution at the entry point recorded in the header (e_entry in the ELF header, AddressOfEntryPoint in the PE optional header). The entry point is the address of the first instruction to run, normally the program's startup code (such as _start) inside the main code section (.text). Applying a detour means adding another executable section to the binary (or reusing unused space in an existing one), placing a malicious stub there, and rewriting the entry point field so that the loader jumps to the stub first. After the malicious code has run, generally spawning another malicious process, the stub jumps to the original entry point and the trusted code continues as if nothing had happened, so the application still behaves normally from the user's point of view.
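The following is an added example, not code from the original diary entry or from the malware it describes. It builds a constructed, minimal ELF64 skeleton in memory (header, .text, .shstrtab and a section table; there are no program headers, so it is a parsing sample and not a loadable binary), applies a detour the way the paragraph above describes (append an executable section containing a placeholder payload followed by a jmp back to the original entry point, then rewrite e_entry), and finally runs a simple detection heuristic: an entry point that does not fall inside .text is flagged. The payload bytes, section name ".detour" and address 0x500000 are assumptions chosen for the demo.

```python
"""Minimal ELF64 detour demo: add a detour section, repoint e_entry, then detect it."""
import struct

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
SHDR = "<IIQQQQIIQQ"            # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4


def parse_elf64(blob):
    """Return (e_entry, sections); each section dict carries its resolved name."""
    h = struct.unpack_from(ELF_HDR, blob, 0)
    ident = h[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_entry, e_shoff, e_shentsize, e_shnum, e_shstrndx = h[4], h[6], h[11], h[12], h[13]
    secs = []
    for i in range(e_shnum):
        s = struct.unpack_from(SHDR, blob, e_shoff + i * e_shentsize)
        secs.append({"name_off": s[0], "type": s[1], "flags": s[2],
                     "addr": s[3], "offset": s[4], "size": s[5]})
    st = secs[e_shstrndx]
    strtab = blob[st["offset"]:st["offset"] + st["size"]]
    for s in secs:
        s["name"] = strtab[s["name_off"]:strtab.index(b"\0", s["name_off"])].decode()
    return e_entry, secs


def check_entry_point(blob, expected=".text"):
    """Detour heuristic: the entry point should land inside the expected code section."""
    entry, secs = parse_elf64(blob)
    for s in secs:
        if s["flags"] & SHF_ALLOC and s["addr"] <= entry < s["addr"] + s["size"]:
            return {"entry": entry, "section": s["name"], "suspicious": s["name"] != expected}
    return {"entry": entry, "section": None, "suspicious": True}


def build_clean_elf():
    """Constructed skeleton: header, .text, .shstrtab, section table (no program headers)."""
    text = b"\x48\x31\xc0\xc3" + b"\x90" * 12            # xor rax,rax ; ret ; nop padding
    names = b"\0.text\0.shstrtab\0"
    text_off, names_off = 64, 64 + len(text)
    shoff = names_off + len(names)
    shdrs = [struct.pack(SHDR, *([0] * 10)),              # mandatory null entry
             struct.pack(SHDR, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                         0x401000, text_off, len(text), 0, 0, 16, 0),
             struct.pack(SHDR, 7, SHT_STRTAB, 0, 0, names_off, len(names), 0, 0, 1, 0)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, version 1, SYSV
    ehdr = struct.pack(ELF_HDR, ident, 2, 0x3e, 1, 0x401000, 0, shoff, 0,
                       64, 56, 0, 64, len(shdrs), 2)
    return ehdr + text + names + b"".join(shdrs)


def apply_detour(blob, payload, new_addr=0x500000, name=".detour"):
    """Append an executable section holding payload + a jmp back to the old entry,
    then point e_entry at it.  Payload and address are placeholders (assumed)."""
    old_entry, secs = parse_elf64(blob)
    h = list(struct.unpack_from(ELF_HDR, blob, 0))
    e_shoff, e_shnum, e_shstrndx = h[6], h[12], h[13]
    old_tab = blob[e_shoff:e_shoff + e_shnum * 64]
    stub_len = len(payload) + 5                           # payload + jmp rel32
    rel = old_entry - (new_addr + stub_len)               # rel32 is relative to the next insn
    stub = payload + b"\xe9" + struct.pack("<i", rel)
    st = secs[e_shstrndx]
    strtab = blob[st["offset"]:st["offset"] + st["size"]]
    new_strtab = strtab + name.encode() + b"\0"           # relocated .shstrtab with new name
    stub_off = len(blob)
    strtab_off = stub_off + len(stub)
    new_shoff = strtab_off + len(new_strtab)
    entries = [bytearray(old_tab[i * 64:(i + 1) * 64]) for i in range(e_shnum)]
    entries[e_shstrndx] = bytearray(struct.pack(
        SHDR, st["name_off"], SHT_STRTAB, 0, 0, strtab_off, len(new_strtab), 0, 0, 1, 0))
    entries.append(bytearray(struct.pack(
        SHDR, len(strtab), SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
        new_addr, stub_off, len(stub), 0, 0, 16, 0)))
    h[4], h[6], h[12] = new_addr, new_shoff, len(entries)  # e_entry, e_shoff, e_shnum
    return struct.pack(ELF_HDR, *h) + blob[64:] + stub + new_strtab + b"".join(entries)


if __name__ == "__main__":
    clean = build_clean_elf()
    trojan = apply_detour(clean, b"\x90" * 4)             # constructed placeholder payload
    print("clean :", check_entry_point(clean))
    print("trojan:", check_entry_point(trojan))
```

Note the limits of the check: section headers are not needed at load time, so a sample that strips or rewrites the section table (or names its added section .text) evades it. In practice, compare the entry point against the PT_LOAD segment that holds the original code and against a known-good hash or signature of the file.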

Creating detours is simple enough to be easily automated by other malware samples. This week our team analyzed a malware sample responsible for trojanizing trusted Linux applications. When executed with the correct parameters, it infects a trusted system binary with a detour that spawns a backdoor before jumping to the original code.

One way to be protected against detoured applications is to make sure downloaded binaries are signed with the expected certificate and to verify that signature before running them. Because a detour changes the binary's structure, every previously applied signature and every published hash of the file becomes invalid. The attacker therefore has to sign the trojanized application with another certificate, or provide it unsigned; either way, a signature or hash check fails. On Linux, where most system binaries carry no embedded signature, the package manager's verification of installed files (for example rpm -V or debsums) serves the same purpose; on Windows, Authenticode checks (for example Get-AuthenticodeSignature) do. As a complementary check, an entry point that points outside the main code section (.text) is a strong indicator that a detour has been applied.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
