Reflective Code Loading

Reflective code loading is a technique in which an adversary writes malicious code directly into process memory and executes it there, bypassing traditional defenses that rely on detecting files on disk. The technique uses memory manipulation APIs (such as VirtualAlloc and WriteProcessMemory) to carry out fileless attacks, and borrows the context of a legitimate process to mask the malicious behavior. Defensive measures focus on monitoring abnormal memory allocation behavior, detecting unsigned module load events, and analyzing whether a process's behavior deviates from its normal pattern (for example, Notepad initiating a network connection).

In response to the evolution of traditional memory scanning and API monitoring, adversaries have developed advanced evasion methods such as multi-layer encryption, dynamic resolution, and process masquerading. By eliminating on-disk artifacts, obscuring in-memory fingerprints, and imitating legitimate module loading, they build covert code-execution environments that are difficult for static or dynamic analysis to identify.

The core implementation paths of current reflective code loading evasion concentrate on removing artifacts at the memory-operation level and blending into the execution context. Memory-resident encrypted payload loading defeats memory feature extraction through runtime decryption; dynamic API resolution moves call traces from the code layer to the runtime layer, raising the cost of behavioral analysis; process hollowing injection uses the digital signature and normal behavioral profile of a legitimate process as a protective shield; and reflective DLL hijacking achieves covert module loading by imitating the system loader's workflow. What the four techniques have in common is that they break the dependence on traditional executable files, place the entire attack lifecycle in memory, and exploit the complexity of the operating system's memory management for concealment. Key technical advances include custom PE loaders, memory signature randomization, and imitation of legitimate process behavior, so that from the perspective of memory monitoring the execution of malicious code appears "changed in form but unchanged in substance".

The development of these evasion techniques means that protection systems built on traditional file-hash detection and static memory scanning face a loss of effectiveness. Defenders need to strengthen runtime behavior modeling and memory metadata analysis, build cross-process detection of anomalous call chains, and correlate memory operation patterns with network behavior to enable advanced threat hunting.

ID: T1620
Sub-techniques: T1620.001, T1620.002, T1620.003, T1620.004
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application control
Contributors: Jiraput Thamsongkrah; Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics; João Paulo de A. Filho, @Hug1nN__; Lior Ribak, SentinelOne; Rex Guo, @Xiaofei_REX, Confluera; Shlomi Salem, SentinelOne
Version: 1.2
Created: 05 October 2021
Last Modified: 09 February 2024

Evasion Effects

Effect Type                    Present
Signature masquerading
Behavioral transparency
Data obscuring
Spatiotemporal trace removal

Signature masquerading

Hides artifacts by imitating the legitimate module loading process and preserving the outward integrity of the process. Reflective DLL hijacking replicates the system loader's PE mapping procedure exactly, so that the malicious module in memory has the same section attributes and import table structure as a legitimate DLL. Process hollowing injection keeps the host process's original environment block and path information, so a process manager cannot identify the anomaly through its ordinary fields.

Behavioral transparency

Exploits zero-day vulnerabilities or undisclosed memory manipulation techniques to get past defensive blind spots. Some reflective loaders tamper with the process's exception handling mechanism or exploit flaws in virtual memory management to hide code execution inside legitimate API call chains, for example by hijacking the Structured Exception Handling (SEH) chain to achieve threadless injection, or by using memory cave regions to stage a covert execution environment, so that traditional process monitoring tools struggle to capture the abnormal behavior.

Data obscuring

Uses multi-layer encryption and runtime decryption to obfuscate data. Memory-resident encrypted payloads exist only as ciphertext while stored and in transit, and are decrypted in memory only moments before execution. Some advanced variants use white-box cryptography or store the key separately in the registry or in environment variables, ensuring that static analysis cannot recover the complete executable code.

Procedure Examples

ID Name Description
S1081 BADHATCH

BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to CreateThread.[1]

S1063 Brute Ratel C4

Brute Ratel C4 has used reflective loading to execute malicious DLLs.[2]

S0154 Cobalt Strike

Cobalt Strike's execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.[3]

S0625 Cuba

Cuba loaded the payload into memory using PowerShell.[4]

S0695 Donut

Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.[5]

S0367 Emotet

Emotet has reflectively loaded payloads into memory.[6]

S0661 FoggyWeb

FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory.[7]

S0666 Gelsemium

Gelsemium can use custom shellcode to map embedded DLLs into memory.[8]

S1022 IceApple

IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers.[9]

G0094 Kimsuky

Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.[10]

G0032 Lazarus Group

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.[11][12]

S0447 Lokibot

Lokibot has reflectively loaded the decoded DLL into memory.[13]

S1143 LunarLoader

LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.[14]

S1059 metaMain

metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.[15]

S1145 Pikabot

Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.[16]

S0194 PowerSploit

PowerSploit reflectively loads a Windows PE file into a process.[17][18]

S1085 Sardonic

Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions.[19][20]

S0692 SILENTTRINITY

SILENTTRINITY can run a .NET executable within the memory of a sacrificial process by loading the CLR.[21]

S0595 ThiefQuest

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.[22]

S0022 Uroburos

Uroburos has the ability to load new modules directly into memory using its Load Modules Mem command.[23]

S0689 WhisperGate

WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.[24]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is .NET Common Language Runtime (CLR) components -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe).

DS0009 Process OS API Execution

Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and Native API functions such as CreateThread(), memfd_create(), execve(), and/or execveat().[25][26]

DS0012 Script Script Execution

Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.[27][28]
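A hunting routine implementing the CLR-in-abnormal-process and unsigned-module signals above, corroborated by network connections from the same process (the correlation the overview calls for), as an added example that is not the ATT&CK page's own code. The Sysmon-style events and the allowlist of legitimate .NET hosts are constructed assumptions.

```python
"""Hunt for CLR DLLs loaded into unexpected processes and correlate with network
connections from the same process. Added example, not the ATT&CK page's own code.
Events are constructed to mimic Sysmon Event ID 7 (Image loaded) and Event ID 3
(Network connection) fields; the host allowlist is an assumption, tune it per site."""
from collections import defaultdict
from pathlib import PureWindowsPath

CLR_MODULES = {"mscor.dll", "mscoree.dll", "clr.dll"}  # CLR components from the detection guidance
EXPECTED_CLR_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}  # assumed allowlist

def _basename(path):
    return PureWindowsPath(path).name.lower()

def hunt_clr_loads(events, expected_hosts=EXPECTED_CLR_HOSTS):
    """Return {pid: set(reasons)}. A CLR DLL loading into a non-allowlisted process,
    or any unsigned module load, is a finding; a network connection from a flagged
    pid is attached as corroboration (notepad.exe has no reason to talk to the network)."""
    findings = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 7:
            continue
        pid, proc, mod = ev["ProcessId"], _basename(ev["Image"]), _basename(ev["ImageLoaded"])
        if mod in CLR_MODULES and proc not in expected_hosts:
            findings[pid].add(f"CLR module {mod} loaded into {proc}")
        if ev.get("Signed") == "false":
            findings[pid].add(f"unsigned module {mod} loaded into {proc}")
    # Second pass: only processes already flagged get their connections attached.
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessId"] in findings:
            findings[ev["ProcessId"]].add(f"network connection to {ev['DestinationIp']}:{ev['DestinationPort']}")
    return dict(findings)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 5012, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 6330, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 5012, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.11", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt_clr_loads(SAMPLE_EVENTS).items()):
        print(pid, " | ".join(sorted(reasons)))
```

The allowlisted powershell.exe process loads mscoree.dll and connects out without being flagged, which is the tuning trade-off: the allowlist suppresses noise but must be reviewed, since the Procedure Examples above show PowerShell itself used as a reflective loader.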

References

  1. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  2. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  3. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  4. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  5. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  6. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  7. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  8. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  9. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  10. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  11. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  12. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  13. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  14. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.