Obfuscated Files or Information: Dynamic API Resolution

Adversaries may obfuscate and then dynamically resolve the API functions their malware calls in order to conceal malicious functionality and impair defensive analysis. Malware commonly uses Native API functions provided by the OS to perform tasks involving processes, files, and other system artifacts. API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary can execute via its import address table (IAT) or other structures that dynamically link calling code to the shared modules providing those functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionality. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked at runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`, or by walking the loaded modules' export tables directly. These hashes/identifiers can be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
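The following is an added example, not code from the ATT&CK page or from any of the malware families listed below. It implements the ROR13 API-hashing scheme used by Metasploit block_api shellcode (the scheme the Huntress write-up discusses): the module's BaseDllName is uppercased and hashed as UTF-16LE including its terminator, the export name is hashed as ASCII including its NUL terminator, and the two sums are added modulo 2^32. It then shows both sides of the technique: the attacker-side lookup that matches a hash against export names instead of calling `GetProcAddress("name")`, and the defender-side check of precomputing hashes for a watchlist of APIs and scanning a binary for those 4-byte constants. The export table and the sample byte blob are constructed stand-ins, labelled as such; real shellcode reads module and export names from the PEB and the PE export directory in memory.

```python
"""ROR13 (Metasploit-style) API hashing: resolving a hashed import at run time,
and finding such hash constants in a sample.

Added example; not code from the ATT&CK page. The hash scheme follows Metasploit's
block_api shellcode. The EXPORTS table and SAMPLE bytes below are constructed for
illustration.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_export_name(name: str) -> int:
    """ROR13 hash of an ASCII export name, NUL terminator included
    (the shellcode loop rotates and adds once more for the terminating byte)."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def hash_module_name(name: str) -> int:
    """ROR13 hash of the module's BaseDllName as read from the PEB: uppercased,
    UTF-16LE, terminator included (the loop runs over MaximumLength bytes)."""
    h = 0
    for b in (name.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """Combined hash the shellcode compares against while walking export tables."""
    return (hash_module_name(module) + hash_export_name(function)) & MASK32


# Constructed stand-in for the export tables a resolver walks via the PEB and the
# export directory; real code reads these from memory, not from a dict.
EXPORTS = {
    "kernel32.dll": ["CreateFileW", "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "WinExec"],
    "ws2_32.dll": ["WSAStartup", "connect", "socket"],
}


def resolve_by_hash(wanted: int, exports=EXPORTS):
    """Attacker-side step: find which (module, export) pair produces `wanted`.
    This is the lookup a hashed-import loader performs instead of passing a
    literal name to GetProcAddress; the name never appears in the payload."""
    for module, names in exports.items():
        mod_h = hash_module_name(module)
        for name in names:
            if (mod_h + hash_export_name(name)) & MASK32 == wanted:
                return module, name
    return None


def find_api_hashes(blob: bytes, watchlist=EXPORTS):
    """Defender-side check: precompute hashes for a watchlist of APIs and report
    every 4-byte little-endian occurrence in `blob` as (offset, hash, (module, name))."""
    table = {api_hash(m, n): (m, n) for m, names in watchlist.items() for n in names}
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits.append((off, val, table[val]))
    return hits


# Constructed sample: filler bytes with two hash constants embedded the way an
# x86 `push imm32` (opcode 0x68) carries them, each followed by `call ebp` (ff d5),
# which is how block_api-style shellcode dispatches a hashed call.
SAMPLE = (
    b"\x90" * 4
    + b"\x68" + struct.pack("<I", api_hash("kernel32.dll", "LoadLibraryA"))
    + b"\xff\xd5"
    + b"\x68" + struct.pack("<I", api_hash("ws2_32.dll", "WSAStartup"))
    + b"\xff\xd5"
)

if __name__ == "__main__":
    print(f"kernel32.dll!LoadLibraryA -> {api_hash('kernel32.dll', 'LoadLibraryA'):#010x}")
    for off, val, (mod, fn) in find_api_hashes(SAMPLE):
        print(f"offset {off:#06x}: {val:#010x} = {mod}!{fn}, resolves to {resolve_by_hash(val)}")
```

The scan is the cheap static check: a sample that carries no import for `WSAStartup` but contains its ROR13 constant is worth a closer look, and a watchlist built from the exports of kernel32, ntdll and ws2_32 covers most commodity shellcode. It only catches the unmodified scheme; tooling that randomizes the rotation count or adds a per-build XOR key (the evasion the Huntress reference describes) requires recovering the hashing routine from the sample first.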

ID: T1027.007
Sub-technique of: T1027
Tactic(s): Defense Evasion
Platforms: Windows
Data Sources: File: File Metadata, Module: Module Load, Process: OS API Execution
Version: 1.0
Created: 22 Aug 2022
Last Modified: 15 Apr 2025

Procedure Examples

Latrodectus: Latrodectus can resolve Windows APIs dynamically by hash.(Citation: Latrodectus APR 2024)

Bazar: Bazar can hash then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

AvosLocker: AvosLocker has used obfuscated API calls that are retrieved by their checksums.(Citation: Malwarebytes AvosLocker Jul 2021)

Raccoon Stealer: Raccoon Stealer dynamically links key WinApi functions during execution.(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)

Lazarus Group: Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022)

Pteranodon: Pteranodon can use a dynamic Windows hashing algorithm to map API components.(Citation: Microsoft Actinium February 2022)

CHIMNEYSWEEP: CHIMNEYSWEEP can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time.(Citation: Mandiant ROADSWEEP August 2022)

Brute Ratel C4: Brute Ratel C4 can call and dynamically resolve hashed APIs.(Citation: Palo Alto Brute Ratel July 2022)

Samurai: Samurai can encrypt API name strings with an XOR-based algorithm.(Citation: Kaspersky ToddyCat June 2022)

References

  1. spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.
  2. drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.
  3. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  4. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  5. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
  6. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  7. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  8. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  9. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  10. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  11. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  12. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  13. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  14. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  15. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  16. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.
