code injection by APC - ties2/Red-Team GitHub Wiki

In recent years, antivirus software has become more advanced in detecting and blocking malicious code. However, cybercriminals have also become more sophisticated in developing techniques to bypass these security measures. One such technique is code injection using Asynchronous Procedure Calls (APCs). This method allows attackers to inject malicious code into a process without triggering the antivirus software's detection. This essay will explore the concept of code injection by APC and discuss examples and sources to understand this technique more deeply.

Code Injection by APC:

APCs are a feature in the Windows operating system that allows developers to execute code asynchronously in the context of a particular thread. APCs are commonly used for system-level programming and debugging. However, attackers can also use APCs to inject malicious code into a running process without being detected by antivirus software.

In code injection by APC, the attacker leverages the APC mechanism to execute their code in the context of a trusted process. This process could be any legitimate process running on the system, such as a browser or a system service. By injecting malicious code into a trusted process, the attacker can bypass antivirus software and execute their code with elevated privileges.

There are several methods for injecting code by APC, including:

  • QueueUserAPC:

This method has the attacker create a new thread in the target process (or pick an existing one) and queue their malicious code to it with the QueueUserAPC function; the queued APC runs when that thread next enters an alertable wait.

  • NtQueueApcThread:

This method queues the malicious code to an existing thread with the NtQueueApcThread function, the native ntdll routine that QueueUserAPC itself calls underneath, so the documented Win32 wrapper is never touched.

  • SetWindowsHookEx:

This method allows the attacker to hook into the system's messaging system and inject their malicious code using the SetWindowsHookEx function.
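Because APCs queued within a process's own threads are routine, a detection for the QueueUserAPC and NtQueueApcThread variants above keys on the cross-process sequence that precedes the queue call: executable allocation in another process, a write into it, then an APC aimed at one of that process's threads. The following is an added example written for this page, not code from the wiki; the event tuples are constructed sample telemetry in a made-up shape, not real EDR or Sysmon output.

```python
"""Flag cross-process APC injection patterns in constructed API telemetry."""
from collections import defaultdict

APC_APIS = {"QueueUserAPC", "NtQueueApcThread"}
EXEC_PROTECTIONS = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_READ"}

# Constructed sample events: (source_pid, api, target_pid, extra). Assumed shape.
SAMPLE_EVENTS = [
    (4120, "OpenProcess", 1556, {"access": "PROCESS_ALL_ACCESS"}),
    (4120, "VirtualAllocEx", 1556, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (4120, "WriteProcessMemory", 1556, {"size": 2048}),
    (4120, "QueueUserAPC", 1556, {"thread_id": 1712}),
    # Same-process allocation and APC: the normal, legitimate use, no alert.
    (900, "VirtualAllocEx", 900, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (900, "QueueUserAPC", 900, {"thread_id": 904}),
    # Cross-process, but the region is not executable: below the bar for this rule.
    (2200, "VirtualAllocEx", 3001, {"protect": "PAGE_READWRITE"}),
    (2200, "WriteProcessMemory", 3001, {"size": 64}),
    (2200, "NtQueueApcThread", 3001, {"thread_id": 3010}),
]


def detect_apc_injection(events):
    """Return (source_pid, target_pid, api) for every APC call that completes
    the exec-alloc -> write -> queue-APC sequence against another process.

    This is one signal among several: an attacker who reuses an existing
    executable region in the target will not trip the allocation stage, so
    pair it with memory-region scanning rather than relying on it alone.
    """
    stages = defaultdict(set)  # (src, dst) -> stages observed so far
    alerts = []
    for src, api, dst, extra in events:
        if src == dst:
            continue  # APCs within a process's own threads are routine
        key = (src, dst)
        if api == "VirtualAllocEx" and extra.get("protect") in EXEC_PROTECTIONS:
            stages[key].add("exec_alloc")
        elif api == "WriteProcessMemory":
            stages[key].add("write")
        elif api in APC_APIS:
            if {"exec_alloc", "write"} <= stages[key]:
                alerts.append((src, dst, api))
    return alerts


if __name__ == "__main__":
    for src, dst, api in detect_apc_injection(SAMPLE_EVENTS):
        print(f"ALERT: pid {src} queued {api} into pid {dst} after exec alloc + write")
```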

Examples of Code Injection by APC:

  • Duqu Malware: The Duqu malware is a sophisticated Trojan that was discovered in 2011. It was used to gather information from various organizations, including industrial control systems. The malware used code injection by APC to bypass antivirus software and execute its malicious code. It injected its code into the explorer.exe process using the SetWindowsHookEx function. This allowed it to execute its code with elevated privileges and avoid detection by antivirus software.

  • DoublePulsar Backdoor: The DoublePulsar backdoor is malware that was used by the Equation Group, a hacking group believed to be associated with the NSA. The backdoor used code injection by APC to inject its code into the lsass.exe process, which is a critical process on Windows systems. The backdoor was able to execute its code with elevated privileges, allowing the attackers to gain access to sensitive information and control over the system.

  • PowerGhost Malware: The PowerGhost malware is a cryptomining malware that was discovered in 2018. The malware used code injection by APC to inject its code into the explorer.exe process, allowing it to execute with elevated privileges. The malware was able to bypass antivirus software and remain undetected for an extended period, allowing the attackers to mine cryptocurrency on the infected systems.

Sources: