Patrick Staubmann - TA577从你身边走过 - Pikabot中的间接系统调用.pdf

《Patrick Staubmann - TA577从你身边走过 - Pikabot中的间接系统调用.pdf》由会员分享，可在线阅读，更多相关《Patrick Staubmann - TA577从你身边走过 - Pikabot中的间接系统调用.pdf（30页珍藏版）》请在三个皮匠报告上搜索。

1、TA577 Walked Just Past YouIndirect Syscalls in PikabotPatrick StaubmannTeam Lead Threat AnalysisVMRay GmbH2Pikabot OverviewFirst SeenClassificationThreat ActorEvasion TechniquesEarly 2023(Down-)LoaderBackdoorTA577(Water Curupira)Well known for distributing QBotDistribution of Black Basta ransomwareI

2、ndirect System Calls3A closer look to PikabotLoading core modulePikabot went dark in 2024 (Operation Endgame).Butwe may see“powered-up”variants with enhanced loader and core modules.LoaderC2 CommunicationInjector(PE&Shellcode)Command ExecutionData Collection/FingerprintingCore Module4Pikabots Evasio

3、n TechniquesHardware-based EvasionTiming-based EvasionLimited ResourcesMore than 2 CPU Cores?At least 2 GB of memory?Sleep for certain time to hide behaviorUncommon API to pause executionBeep()5UncoveringIndirect Syscalls6WINDOWS API7From User Mode to Kernel ModeUSER MODEKERNELsample.exe.instruction

4、.instruction.call CreateFileWkernelbase.dllCreateFileW.instruction.instruction.call NtCreateFilentdll.dllNtCreateFile.instruction.instruction.syscall8kernelbase.dll(cont.).instructions.call NtCreateFileEDR(inline)Monitor HooksUSER MODEKERNELsample.exe.instruction.instruction.call CreateFileWkernelba

5、se.dllCreateFileWjmp edr.dllntdll.dllNtCreateFile.instruction.instruction.syscalledr.dll(hook)Monitor API Call9NATIVE FUNCTIONS10Using Native FunctionsUSER MODEKERNELsample.exe.instruction.instruction.call NtCreateFilekernelbase.dllCreateFileW.instruction.instruction.call NtCreateUserProcessntdll.dl

6、lNtCreateFile.instruction.instruction.syscall11Calling Native Functions12Avoiding Native FunctionsUSER MODEKERNELsample.exe.instruction.instruction.?kernelbase.dllCreateFileW.instruction.instruction.call NtCreateFilentdll.dllNtCreateFile.instruction.instructio