
Powerful mobile spyware tools have received increased attention recently as tech companies and governments grapple with the scale of the threat. But spyware targeting laptops and desktops is extremely common across a range of cyberattacks, from state-sponsored espionage to financially motivated scams. In response to this growing threat, researchers from the incident response firm Volexity and Louisiana State University presented at the Black Hat security conference in Las Vegas last week new and improved tools that practitioners can use to catch more PC spyware on Windows 10, macOS 12, and Linux.
Widespread PC spyware (the kind that keylogs targets, tracks mouse movements and clicks, listens through the computer’s microphone, and pulls stills or video from the camera) is difficult to detect because attackers deliberately design it to leave the smallest possible footprint. The malware, or at least its most important component, does not install itself on the target’s hard drive like a regular application; it exists and runs only in the computer’s memory, or RAM. That means it doesn’t trigger some of the classic red flags, doesn’t show up in the usual logs, and is wiped when the device reboots.
Enter the field of “memory forensics,” which is precisely about developing techniques to assess what is going on in this critical space. At Black Hat, the researchers announced new detection algorithms built into the open-source memory forensics framework Volatility.
“Memory forensics was very different five or six years ago in terms of how it was used in the field by incident response and law enforcement,” Volexity director Andrew Case told WIRED. (Case is also the lead developer of Volatility.) “Memory forensics is required even outside of very intense malware investigations. However, for evidence or artifacts in memory samples to be used in a courtroom or some type of legal proceeding, we need to know that the tools work as expected and that the algorithms are validated. This latest work for Black Hat is really some core new technology, as part of our effort to build a validated framework.”
Case emphasized the need to expand spyware detection tools, because Volexity and other security firms regularly see real-world examples of hackers deploying memory-only spyware in their attacks. For example, at the end of July, Microsoft and the security firm RiskIQ published detailed findings and mitigations for the “Subzero” malware from the Austrian commercial spyware firm DSIRF.
“Observed victims [targeted with Subzero] to date include law firms, banks, and strategic consultancies in countries including Austria, the United Kingdom, and Panama,” Microsoft and RiskIQ wrote. They added that Subzero’s primary payload “exists only in memory to evade detection. It includes a variety of features, including keylogging, capturing screenshots, exfiltrating files, running remote shells, and running arbitrary plugins.”
The researchers are particularly focused on honing their detection of how different operating systems talk to “hardware devices,” meaning sensors and components such as keyboards and cameras. By monitoring how the different parts of a system operate and communicate with each other, and looking for new behaviors or connections, memory forensics algorithms can capture and analyze more potentially malicious activity. For example, one potential tell is to watch an always-running operating system process, such as the one that lets users log into the system, and flag it if other code is injected into that process after it starts running. Code that shows up later can be a sign of malicious manipulation.
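To make the “code introduced after the process started” heuristic concrete, here is a small added example in the spirit of the approach; it is not Volatility’s code and does not reproduce the algorithms presented at Black Hat. It parses Linux /proc/&lt;pid&gt;/maps-style lines (the sample lines below are constructed, not captured from a real host) and flags two things: executable memory regions that are not backed by any file on disk, which is what injected or reflectively loaded code typically looks like in a process like sshd, and executable regions that were absent in a baseline snapshot of the same process but present now. The function and constant names are the example’s own.

```python
"""Toy injected-code check over /proc/<pid>/maps-style lines.

Added example, not Volatility's code. Sample input is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# address range, perms, file offset, device, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Pseudo-mappings the kernel itself creates; executable but legitimately anonymous.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        # Anonymous mappings report inode 0 and no pathname.
        return self.inode != 0


def parse_maps(text: str) -> list[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], int(m["inode"]), m["path"].strip()))
    return out


def find_suspicious(mappings: list[Mapping]) -> list[Mapping]:
    """Executable regions that are anonymous and not a kernel pseudo-mapping."""
    return [m for m in mappings
            if m.executable and not m.file_backed and m.path not in KERNEL_PSEUDO]


def new_executable_regions(baseline: list[Mapping], current: list[Mapping]) -> list[Mapping]:
    """Executable regions present now but absent when the process was first observed."""
    seen = {(m.start, m.end) for m in baseline if m.executable}
    return [m for m in current if m.executable and (m.start, m.end) not in seen]


# Constructed sample: a long-running sshd as it looked shortly after start ...
BASELINE = """\
5581d2a00000-5581d2a01000 r--p 00000000 08:01 1310741 /usr/sbin/sshd
5581d2a01000-5581d2a04000 r-xp 00001000 08:01 1310741 /usr/sbin/sshd
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0 [heap]
7f3a1c200000-7f3a1c201000 r-xp 00000000 00:00 0 [vdso]
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""
# ... and the same process later, with an anonymous RWX region nobody asked for.
CURRENT_MAPS = BASELINE + "7f3a1d000000-7f3a1d010000 rwxp 00000000 00:00 0 \n"


def scan(baseline_text: str, current_text: str) -> dict[str, list[str]]:
    """Run both checks and return hex start addresses of flagged regions."""
    base, cur = parse_maps(baseline_text), parse_maps(current_text)
    return {
        "anonymous_executable": [hex(m.start) for m in find_suspicious(cur)],
        "new_since_baseline": [hex(m.start) for m in new_executable_regions(base, cur)],
    }


if __name__ == "__main__":
    for check, hits in scan(BASELINE, CURRENT_MAPS).items():
        print(f"{check}: {hits or 'none'}")
```

On the constructed sample only the late RWX region at 0x7f3a1d000000 is flagged by both checks; the file-backed sshd text segment and the kernel’s [vdso] are not. Treat a hit as a lead rather than a verdict: JIT engines (browsers, Java, some scripting runtimes) legitimately create anonymous executable regions, so a real tool keys the check on which process is being examined, as the text suggests for processes that should never load new code after startup.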