System Registry Code Execution

ID

system_registry_code_execution

Severity

critical

Resource

Execution

Tags

evader, trojan

Description

This detector looks for code that executes or evaluates code stored in the system’s registry.

Rationale

Fileless malware refers to a threat that does not rely on files to operate, such as a backdoor that lives only in the memory. Attackers often abuse the Windows Registry to store malicious code on victim systems.

By using this technique, attackers attempt to make their malicious code bypass common security controls such as antivirus or anti-malware software. This is commonly achieved by storing the payload under the same keys that legitimate programs use. This way, even while manually reviewing the registry keys you might think a value is harmless, when in fact it’s a sneaky little piece of malware.

Later, those registry keys are read back and the payload code is finally executed.

These are some popular campaigns using this technique:

  • Uroburos represents a sophisticated cyber espionage tool written in C, utilized by units within Russia’s Federal Security Service (FSB) linked to the Turla toolset. Designed to collect intelligence on sensitive targets globally, Uroburos can infect Windows, Linux, and macOS systems, demonstrating a high level of stealth in communications and architecture, with the ability to seamlessly incorporate new or replacement components.

  • Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.

  • Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries.

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check. Available values are:

    • registry_input

  • sinks, which indicates the sink kinds to check. Available values are:

    • command_injection

    • code_injection

  • neutralizations, which indicates the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code.
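The following is an added example, not the detector's own implementation: a minimal source-to-sink taint scan over straight-line script text that uses the same configuration names (registry_input source; command_injection and code_injection sinks) described above. The regular expressions, the helper names and the sample PowerShell lines are constructed for illustration and cover only a few PowerShell and Python idioms.

```python
import re
# Source and sink patterns keyed by the detector's configuration names.
# The patterns are constructed for this example (PowerShell and Python idioms).
SOURCE_PATTERNS = {
    "registry_input": re.compile(
        r"Get-ItemProperty(Value)?\b|\breg(\.exe)?\s+query\b|winreg\.QueryValueEx", re.I),
}
SINK_PATTERNS = {
    "command_injection": re.compile(
        r"\bStart-Process\b|\bcmd(\.exe)?\s+/c\b|subprocess\.(run|Popen|call)\(|os\.system\(", re.I),
    "code_injection": re.compile(r"\bInvoke-Expression\b|\biex\b|\bexec\(|\beval\(", re.I),
}
ASSIGN = re.compile(r"^\s*\$?(?P<var>[A-Za-z_]\w*)\s*=(?!=)\s*(?P<rhs>.+)$")

def _mentions(var, text):
    return re.search(rf"\b{re.escape(var)}\b", text) is not None

def find_registry_exec_flows(lines, sources=("registry_input",),
                             sinks=("command_injection", "code_injection")):
    """Report (line_no, sink_kind, variable) where a registry-derived value reaches
    an execution sink. Forward taint over straight-line code: a variable assigned
    from a source or from a tainted variable is tainted; a clean reassignment clears it."""
    tainted, findings = set(), []
    for n, line in enumerate(lines, 1):
        # Sinks are checked against the taint state before this line's own assignment.
        for kind in sinks:
            if SINK_PATTERNS[kind].search(line):
                findings += [(n, kind, v) for v in sorted(tainted) if _mentions(v, line)]
        m = ASSIGN.match(line)
        if m:
            rhs = m.group("rhs")
            if any(SOURCE_PATTERNS[s].search(rhs) for s in sources) or \
                    any(_mentions(v, rhs) for v in tainted):
                tainted.add(m.group("var"))
            else:
                tainted.discard(m.group("var"))
    return findings

# Constructed PowerShell sample: one registry-to-eval flow and one benign launch.
SAMPLE_SCRIPT = [
    r"$cfg = Get-ItemProperty -Path 'HKCU:\Software\ExampleApp' -Name 'Config'",
    r"$blob = $cfg.Config",
    r"Invoke-Expression $blob",
    r"$label = 'static text'",
    r"Start-Process notepad.exe $label",
]

if __name__ == "__main__":
    for line_no, kind, var in find_registry_exec_flows(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind} sink executes registry-derived ${var}")
```

Restricting sinks to command_injection alone, as the configuration allows, yields no finding for this sample, since the only registry-derived value reaches an evaluation sink rather than a process launch.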