Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Reflective Code Loading
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Reflective Code Loading
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules). Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by PowerShell may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad) Reflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)

ID: T1620
Tactic(s): Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: Module: Module Load, Process: OS API Execution, Script: Script Execution
Version: 1.3
Created: 05 Oct 2021
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
Pikabot

Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.(Citation: Elastic Pikabot 2024)
Sardonic

Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)
SILENTTRINITY

SILENTTRINITY can run a .NET executable within the memory of a sacrificial process by loading the CLR.(Citation: Github_SILENTTRINITY)

PowerSploit

PowerSploit reflectively loads a Windows PE file into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
Emotet

Emotet has reflectively loaded payloads into memory.(Citation: Binary Defense Emotes Wi-Fi Spreader)
BADHATCH

BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to `CreateThread`.(Citation: Gigamon BADHATCH Jul 2019)
WhisperGate

WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.(Citation: RecordedFuture WhisperGate Jan 2022)
LunarLoader

LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.(Citation: ESET Turla Lunar toolset May 2024)
Lumma Stealer

Lumma Stealer has used reflective loading techniques to load content into memory during execution.(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024)
Cuba

Cuba loaded the payload into memory using PowerShell.(Citation: McAfee Cuba April 2021)

ThiefQuest

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.(Citation: wardle evilquest partii)
FoggyWeb

FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory.(Citation: MSTIC FoggyWeb September 2021)
Brute Ratel C4

Brute Ratel C4 has used reflective loading to execute malicious DLLs.(Citation: MDSec Brute Ratel August 2022)
Uroburos

Uroburos has the ability to load new modules directly into memory using its `Load Modules Mem` command.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Cobalt Strike

Cobalt Strike's execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.(Citation: Cobalt Strike Manual 4.3 November 2020)
Donut

Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.(Citation: Donut Github)
Lokibot

Lokibot has reflectively loaded the decoded DLL into memory.(Citation: Talos Lokibot Jan 2021)

IceApple

IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers.(Citation: CrowdStrike IceApple May 2022)
metaMain

metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.(Citation: SentinelLabs Metador Sept 2022)
Gelsemium

Gelsemium can use custom shellcode to map embedded DLLs into memory.(Citation: ESET Gelsemium June 2021)
Lazarus Group

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Kimsuky

Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.(Citation: Mandiant APT43 March 2024)

Detection

Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and Native API functions such as CreateThread(), memfd_create(), execve(), and/or execveat().(Citation: 00sec Droppers)(Citation: S1 Old Rat New Tricks) Monitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe). Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.(Citation: MDSec Detecting DOTNET)(Citation: Introducing Donut) Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

References

  1. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  2. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  3. Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.
  4. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  5. 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.
  6. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  7. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  8. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  9. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  10. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  11. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  12. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
  13. Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.
  14. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  15. Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.
  16. Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.
  17. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  18. Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
  19. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
  20. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  21. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
  22. MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.
  23. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  24. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  25. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.
  26. Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.
  27. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  28. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  29. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  30. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  31. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  32. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  33. Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.
  34. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  35. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.