AtomBombing Evasion and Detection - VMRay

AtomBombing Evasion and Detection

Dec 14th 2016

A new code injection technique is effective in bypassing most analysis and detection methods.
Code injection has been a favorite technique of malware authors for many years. Injecting malicious code into an otherwise-benign process is an effective way of masking malware from anti-virus and sandbox detection. It is used to bypass end-host firewalls and to evade sandbox monitoring. Typically standard MS Windows processes that would be expected to be running in live memory by default such as explorer.exe are the targets.
As detection methods have improved, researchers recently came up with a proof of concept for a new code injection technique that they labeled ‘Atombombing’ as it leverages Windows Atom tables. The compiled code based on this proof of concept appears to evade detection by many AVs and other detection tools.
Let’s take a look at how VMRay Analyzer successfully detects the code injection and anti-analysis attempts.

 

AtomBombing Analysis

The author of the post “AtomBombing: Brand New Code Injection for Windows” (Tal Liberman) also created a “proof of concept” on GitHub. After compiling the github-project, it was uploaded to the VMRay Cloud with a prescript (Figure 1).

 

 

The prescript is needed to prepare the analysis environment. In this case, it starts Microsoft Wordpad on Windows, which will be the victim for the injection. After a short time, the analysis result was generated and gave a VTI (VMRay Threat Identifier) score of 85/100 – very malicious.
In the Analysis Overview section of the report the Process Graph clearly shows code injection into Microsoft Wordpad (Figure 2). This is also corroborated by the detected malicious behavior shown in the VTI details. It shows a code injection by modifying the control flow of another process (Figure 3).

 

 

 

To verify the new injection technique, we have to look into the Function Log for the GlobalAddAtom- and GlobalGetAtomName- functions and for the ROP Chain, described in detail in this blog post. The “Atom”- functions are used to write and read the shellcode and the ROP Chain into an inter-process memory (Figure 4).

 

 

The ROP Chain allocates read-write-executable memory, copies the shellcode into this memory space and executes it. To execute the ROP Chain, it will be queued as an async procedure call with the NtQueueApcThread function (Figure 5).

 

 

After that, we will see the execution of the shellcode out of Microsoft Wordpad, which will open MS Calculator (Figure 6). Note that VMRay Analyzer doesn’t report spurious information related to the innocuous aspects of Wordpad executing, but only the relevant information related to the shellcode. This is important to ensure an analyst can zero in on information specific to the threat.

 

 

Conclusion

This new AtomBombing injection technique is a smart idea, because heavily monitored Windows functions like “VirtualAlloc” or “CreateRemoteThread” are not needed. But for this technique to work the target process must have at least one thread that is in an alertable state, otherwise the Async Procedure Calls will never execute. In any event, despite its effectiveness in evading AV detection, VMRay Analyzer fully captures all the malicious activity and alerts on the anti-analysis attempts.
Access the Full Analysis Report

References:

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator