Using Memory Analysis to Detect EDR-Nullifying Malware

defense-evasion, dfir, memory-forensics, volexity

Article Excerpt

In the ever-changing cybersecurity landscape, threat actors are forced to evolve and continually modify the tactics, techniques, and procedures (TTPs) they employ to launch and sustain attacks successfully.

Long Summary

The article examines the technique used by the malware AVBurner to disable endpoint detection and response (EDR) and antivirus (AV) software. AVBurner neutralises the kernel-mode callbacks these products rely on, and it does so by abusing a vulnerable driver, RTCore64.sys, to read and write otherwise protected kernel memory. The same approach of loading an older, vulnerable driver to gain kernel access was famously used by Turla to load a malicious rootkit.

AVBurner follows a fixed workflow to locate the callback array and disable selected entries. It checks the OS version, then abuses RTCore64.sys to locate the PspCreateProcessNotifyRoutine array and to read it, obtaining the list of currently registered callbacks. For each registered callback address it determines which SYS file the address belongs to and checks whether that file resides under C:\Windows\ or one of its subdirectories; if the SYS file is not located there, the callback is skipped. It then inspects the metadata of the SYS file against specific criteria, and if the callback is identified as one that should be removed, AVBurner abuses RTCore64.sys again to overwrite the callback's array entry with 0x00000000`00000000, which effectively disables the callback without unregistering it.

The article then explains how memory analysis can detect manipulated EDR callbacks such as those AVBurner removes. Volatility 3 natively lists the currently registered callbacks with the windows.callbacks plugin, and two approaches can identify the anomaly: compare the kernel's own count of registered process-creation callbacks with the number of entries windows.callbacks reports (because AVBurner zeroes the array slot rather than unregistering the routine, the two no longer match), or maintain a list of EDR and AV drivers known to register process-creation callbacks and flag any such driver that is loaded but has no corresponding callback registered.
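As an added example (not Volexity's or Volatility's own code), the two detection approaches above expressed as a check over Volatility 3 style records. Assumptions: callback records carry the Type, Callback, Module, Symbol and Detail keys that `vol -r json windows.callbacks` is assumed to emit, module records carry the Name and Path keys of `windows.modules`, the Type label for process-creation callbacks is "PsSetCreateProcessNotifyRoutine", and the kernel's count of registered routines is passed in rather than read from the image. All sample data is constructed; the two Cisco driver names are the ones the article reports as affected.

```python
"""Spot tampered process-creation callbacks from Volatility 3 style records.

Added illustration, not Volexity's or Volatility's own code. Record keys
(Type, Callback, Module, Symbol, Detail) are assumed to match what
`vol -r json windows.callbacks` emits, and module records (Name, Path) what
`windows.modules` emits. The sample data below is constructed.
"""
from typing import Iterable

PROCESS_CB = "PsSetCreateProcessNotifyRoutine"  # Type label assumed from the plugin

# Drivers expected to register a process-creation callback whenever loaded.
# The two Cisco modules are the ones named in the article; extend per estate.
EDR_PROCESS_CALLBACK_DRIVERS = {"ciscoampcefwdriver.sys", "ciscoamp.sys"}

# Driver AVBurner abuses for kernel read/write; its presence is worth a flag.
KNOWN_ABUSED_DRIVERS = {"rtcore64.sys"}

# Constructed sample: three process callbacks survive, the Cisco slots were zeroed,
# so the plugin (which skips a zero address) no longer shows them at all.
SAMPLE_CALLBACKS = [
    {"Type": PROCESS_CB, "Callback": "0xfffff8031c4e1a20", "Module": "cng.sys", "Symbol": "", "Detail": ""},
    {"Type": PROCESS_CB, "Callback": "0xfffff8031d2b4f30", "Module": "ksecdd.sys", "Symbol": "", "Detail": ""},
    {"Type": PROCESS_CB, "Callback": "0xfffff8032a1c0d10", "Module": "tcpip.sys", "Symbol": "", "Detail": ""},
    {"Type": "PsSetLoadImageNotifyRoutine", "Callback": "0xfffff8031c4e2b40", "Module": "cng.sys", "Symbol": "", "Detail": ""},
]
SAMPLE_MODULES = [
    {"Name": "ntoskrnl.exe", "Path": "\\SystemRoot\\system32\\ntoskrnl.exe"},
    {"Name": "cng.sys", "Path": "\\SystemRoot\\System32\\Drivers\\cng.sys"},
    {"Name": "CiscoAMPCEFWDriver.sys", "Path": "\\SystemRoot\\System32\\drivers\\CiscoAMPCEFWDriver.sys"},
    {"Name": "CiscoAMP.sys", "Path": "\\SystemRoot\\System32\\drivers\\CiscoAMP.sys"},
    {"Name": "RTCore64.sys", "Path": "\\??\\C:\\Users\\Public\\RTCore64.sys"},
]


def process_callbacks(records: Iterable[dict]) -> list[dict]:
    """Keep only the process-creation callback entries."""
    return [r for r in records if r.get("Type") == PROCESS_CB]


def count_mismatch(kernel_count: int, records: Iterable[dict]) -> int:
    """Approach 1: kernel's registered-routine counter minus the entries listed.

    Zeroing an array slot does not decrement the counter, so a positive
    result is the number of slots that were wiped.
    """
    return kernel_count - len(process_callbacks(records))


def missing_edr_callbacks(modules: Iterable[dict], records: Iterable[dict],
                          watchlist: set[str] = EDR_PROCESS_CALLBACK_DRIVERS) -> set[str]:
    """Approach 2: watched drivers that are loaded but own no process callback."""
    loaded = {m["Name"].lower() for m in modules}
    owners = {r["Module"].lower() for r in process_callbacks(records)}
    return {d for d in watchlist if d in loaded and d not in owners}


def abused_drivers_loaded(modules: Iterable[dict],
                          known: set[str] = KNOWN_ABUSED_DRIVERS) -> set[str]:
    """Known-abused drivers present in the loaded module list."""
    return {m["Name"].lower() for m in modules} & known


def assess(kernel_count: int, modules: list[dict], records: list[dict]) -> dict:
    """Combine the checks into one verdict for a memory image."""
    wiped = count_mismatch(kernel_count, records)
    silent = missing_edr_callbacks(modules, records)
    abused = abused_drivers_loaded(modules)
    return {
        "wiped_slots": wiped,
        "silent_edr_drivers": sorted(silent),
        "abused_drivers_loaded": sorted(abused),
        "suspicious": wiped > 0 or bool(silent) or bool(abused),
    }


if __name__ == "__main__":
    # The counter value is assumed to have been read from the kernel image;
    # 5 is constructed to match the routines originally registered here.
    print(assess(5, SAMPLE_MODULES, SAMPLE_CALLBACKS))
```

The second check is the more durable one in practice: the counter comparison only tells you that some slot was wiped, while the watchlist names the product that went silent, which is what an incident responder needs to scope the damage.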

Volexity Volcano can also be used to assess whether a system is trustworthy even when AV and EDR products report being healthy and fully operational. In the case examined, it flags two kernel modules, CiscoAMPCEFWDriver.sys and CiscoAMP.sys, as affected by the malware, gives further detail on the artifacts themselves (including the full on-disk path of each kernel module), and explains exactly which functionality has been disabled. It also lists recently unloaded kernel modules, which can likewise be used to detect the malicious activity.

Callback manipulation is a technique used by threat actors to evade detection.

Short Summary

Using Memory Analysis to Detect EDR-Nullifying Malware

👉🏽 The article examines the technique used by the AVBurner malware. 👉🏽 AVBurner disables endpoint detection and antivirus software. 👉🏽 AVBurner abuses the vulnerable driver RTCore64.sys. 👉🏽 The same technique was used by Turla to load a malicious rootkit. 👉🏽 AVBurner follows a specific workflow to identify and disable callbacks. 👉🏽 Memory analysis can detect manipulated EDR callbacks. 👉🏽 Volatility 3 can list the currently registered callbacks. 👉🏽 Volexity Volcano can assess whether systems are trustworthy. 👉🏽 Two Cisco kernel modules were affected by the malware. 👉🏽 Callback manipulation is used by threat actors to evade detection.

#Malware #EndpointDetection #Antivirus #MemoryAnalysis #CallbackManipulation