As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings detailing Hive0051’s use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day.

An examination of a sample of the lures associated with the ongoing activity reveals a focus on regional military, police and civil government training centers across Ukraine. In addition to collecting against Ukrainian combat capabilities, it is possible Hive0051 may seek to utilize access to gain advanced insight into the status of new security agreements and partners providing military training and materiel support to Ukraine.

Key points:

  • X-Force observed Hive0051 demonstrating an increasingly aggressive infection approach leading to 3 separate malware branches and enabling near-immediate file exfiltration and hands-on-keyboard access
  • Frequent malware updates including improved USB worm control and new variants signal increasing malware development capabilities
  • X-Force uncovered a sample of 6 Ukrainian language lure documents predominately featuring Ukrainian military and government training centers
  • Hive0051 rotates infrastructure through synchronized DNS fluxing across multiple channels including Telegram, Telegraph and Filetransfer.io. Rotations were almost exclusively observed during daytime in the Moscow time zone (6 AM-9 PM)
  • X-Force analysis shows a huge scale of operations with Hive0051 maintaining several active C2 clusters with different malware associations spanning hundreds of domains
  • GammaLoad resolves to IP addresses hosted by Global Internet Solutions (GIR – 207713) (83%), Kaopu Cloud HK (138915) (8%) and Global Connectivity Solutions (GCS – 215540) (16% as of March 2024). Similarities in domain registration, WHOIS data and webpages suggest that GIR and the newly created GCS are the same or related entities

Analysis

Lures

In early March 2024, X-Force uncovered a sample set of 6 unique lure documents associated with the featured Hive0051 activity uploaded by Ukraine and Poland-based users between November 2023 and early March 2024. Consistent with previously observed Hive0051 activity, the Ukrainian-language documents appear to be authentic internal government, military and law enforcement-related documents likely affixed to phishing emails given Hive0051’s established methodology. Machine translation revealed the contents of the lures feature multiple regional military, police and civil government centers across Ukraine including Kherson, Dnipro, Lviv, Kyiv and Zaporizhzhia.

The majority of the documents appear to be associated with military training centers or the professional development of government civilians. Each of the documents appears to imitate authentic internal memos associated with legal and internal regulations or administrative operations in order to prompt user interaction. Likewise, several documents feature dates matching the day of the observed activity or occurring just prior to it. It is highly likely that the rapid fielding of what appear to be current documents in the execution of ongoing campaigns is further evidence of the highly agile nature of Hive0051’s operational capabilities.

Given the ongoing Russia-Ukraine war, it is highly likely that Hive0051 will continue to place a high collection priority on sensitive information regarding the strength, effectiveness and combat capabilities of the Armed Forces of Ukraine. In addition, it is possible the increased engagement of Ukrainian assets with Western defense production programs may represent an additional high-value upstream target for Hive0051, one that may yield insight into the status of Ukraine’s Western security alliances.

Figure 1: Hive0051 Lure Document titled Place Advanced training.doc (Розмістити_Підвищення кваліфікації.doc)

Depending on the initial infection vector, there are two main infection chains currently observed leading to GammaLoad.

The first chain makes use of .HTA files (HTML Applications) that contain malicious VBScript code to drop and load the main backdoor. Another commonly used technique involves leveraging Office documents with remote templates (.DOT files) to inject VBA macros, which implement the same VBScript-based backdoor. In this technique, the associated subdomain patterns and random extensions of the remote template files have been consistently used since 2021 and are detailed in a 2022 report by Palo Alto.

Once GammaLoad successfully executes, the backdoor uses several dynamic DNS resolution techniques to resolve the IP addresses of intended C2 servers. Some of these are:

    • WMI ping
    • public DNS provider’s HTTP service
    • Telegram
    • Telegraph
    • Filetransfer.io

Figure 2: GammaLoad infection vector diagram

Malware

The following section provides an in-depth look into malware used by Hive0051.

Notably, a single successful run of the GammaLoad backdoor may result in multiple possible follow-on payloads within the first few minutes of an infection. X-Force was able to identify at least 3 independent malware branches immediately installed on a single infected client which all feature independent C2 fallback channels, persistence mechanisms, file system artifacts and work to accomplish different objectives.

The table below highlights the volume of payloads deployed during an investigation of a single GammaLoad infection:

| Malware | Description | C2 | Persistence | Dropped files |
|---|---|---|---|---|
| GammaLoad.VBS | Initial VBS-based backdoor initiating the infection chain, with 3 beacons maximum before terminating | Apex: .logitrap[.]ru; IP: 62.133.62[.]118; Telegram channel: mksjek | Depends on the dropper | Two random filenames in %TEMP% to store IP address and Telegram channel |
| GammaStager | Similar to GammaLoad, but contains a hardcoded IP address and beacons in a loop to download and execute a series of payloads | IP: 62.133.62[.]120 | N/A | N/A |
| VBS Downloaders | Short VBS scripts, launching a PowerShell command to download and execute a single payload | Single download URLs: http://157.245.55[.]151/login.php for GammaLoad.PS; http://157.245.55[.]151/getinfo.php for GammaInfo; http://5.252.178[.]181/fun/cmd.txt for ReverseShell | N/A | N/A |
| GammaInfo | A short PowerShell-based enumeration script collecting various information from the host | Exfiltration: http://157.245.55[.]151/info.php | N/A | Screenshot: %APPDATA%\<formatted_date>.jpg |
| GammaLoadPlus | Similar to GammaLoad, but only supports .EXE payloads and establishes its own persistence. Likely used for active and confirmed infections | Apex: .kaelos[.]ru; IP: 62.133.62[.]120; Telegram channel: rkpwvlmryggyhg | Scheduled Task “SmartScreenSpecific” | Two random filenames in %TEMP% to store IP address and Telegram channel; GammaLoadPlus: %USERPROFILE%\deserter; Potential encrypted payload: %APPDATA%\<random_name>.ini; Potential decrypted payload: %APPDATA%\<random_name>.exe |
| GammaInstall | PowerShell-based malware used to install GammaSteel and establish persistence via a VBScript loader | GammaSteel download URL: https://206.189.188[.]38/contact | Startup directory | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<file>.vbs |
| GammaSteel | PowerShell-based malware to exfiltrate files from a victim based on an extension whitelist | DNS: www.windingroad[.]ru; IP: 167.99.104[.]97; C2 resolving: https://filetransfer[.]io/data-package/CWuEu3PW/download | Already established through GammaInstall | Split files in the directory under %APPDATA%; Database .TXT file under %APPDATA% |
| GammaLoad.PS | Fileless PowerShell implementation of GammaLoad, which lives in the registry | Apex: .nutaral[.]ru; Telegraph: https://telegra[.]ph/test-01-10-259 | Scheduled Task “<Win32_Bios.Manufacturer>” | Launcher: %ALLUSERSPROFILE%\<filename>.ps1; %LOCALAPPDATA%\Microsoft\Windows\Caches\<filename>.db; %TEMP%\<filename>.exe (potential payload) |
| ReverseShell | Simple PowerShell-based reverse shell | 5.252.178[.]181:9511 | N/A | N/A |

See the full chain for an individual GammaLoad-infected victim in the graph below. After receiving the GammaStager payload, the malware was observed installing three separate malware branches, GammaLoadPlus, GammaSteel and GammaLoad.PS. Each of them maintains its own persistence and C2 connection, allowing further payloads on each branch. In addition, GammaStager also downloads an enumeration script (GammaInfo) and a reverse shell.

Figure 3: Gamma follow-on stages infection diagram

The more the merrier

The initial infection vectors display a significant evolution in strategy. Stealth has not been a major focus of Gamma malware and infrastructure in recent years, but the most recent campaigns are Hive0051’s most boisterous to date. The chain above clearly demonstrates a new, aggressive, multi-layered approach, for rapidly deploying several independent malware branches.

The large number of C2 fallback options, persistence mechanisms and storage locations potentially underscore a strategy that is accepting of a higher chance of detection in favor of a redundant approach to infection. By avoiding a single point of failure, the malware may be more likely to provide Hive0051 operators with successful infections before the attack is detected and remediated. Similarly, the frequent development cycles of Gamma malware have resulted in a multitude of new variants, making detection more difficult.

Fifty shades of Gamma

The origins of Gamma malware show a continuous evolution over at least 2 years, from simple VBScript backdoors to highly obfuscated, persistent, multi-stage malware variants with fallback C2 channels and support for multiple payloads. As a result of this evolution, a wide variety of Gamma-related malware is known to the community under various names such as LitterDrifter or Ptero* (PteroScout, Pterodo, etc.). X-Force follows the “Gamma” naming pattern used by CERT-UA, thus adding the names below to the list of known variants. However, due to the quick development cycles of the malware, these may only be used for a couple of months before the next code release, usually resulting in short-lived names. For our discussion, all Gamma-related malware capable of retrieving and executing secondary payloads (EXE, VBS, PS1, etc.) will be referred to as GammaLoad*.

Although variants may exhibit different behaviors resulting in a high diversity of names, there is a set of distinctive similarities used by Gamma malware. Implementation is mostly done in VBScript (also featured as Office macros in template files or within .HTA files), or PowerShell. There have also been implementations in .NET or C++ (Pterodo), which are used far less in currently observed campaigns. The recently observed .EXE files X-Force analyzed all contained an encrypted GammaLoad.VBA payload which they would launch after dropping to a new directory in %HOME% or %USERPROFILE%. All Gamma variants (including VBS, PS, Steel, Install, Plus, Light or Stager variants) leverage HTTP for C2 communication, often using specifically hardcoded headers, paths and subdomains. These are likely used to profile and register infections and are created using wordlists or randomly generated values. GammaInstall and GammaSteel also use a distinct modulo-based string obfuscation technique, different from GammaLoad.VBS, which uses substitutions. To support multi-channel DNS fluxing via fallback channels, Gamma variants started featuring functionality to query and parse different services such as Telegram, Telegraph, Filetransfer.io and more.

In a departure from previous observations, X-Force did not observe Hive0051 deploying USB spreading capabilities in either the common VBS or the PowerShell variants of GammaLoad. This may be due to the uncontrollable nature of malware spreading via USB devices and potentially indicates Hive0051’s interest in controlling its intended victims. To a lesser extent, there have been new samples identified as “GammaLoadLight.PS”, which focus only on the USB worm-like functionality. This variant can be deployed selectively and carries a hardcoded ID, enabling the threat actor to control and track the campaign more precisely than before.

GammaStager

GammaStager is a new type of disposable Gamma malware X-Force observed in the wild, which is built on the fly for a specific infection. It contains various hardcoded values such as the IP address, headers and strings likely acting as an authentication towards the C2 server. Its only objective is to download and execute a series of Base64-encoded VBS payloads. Upon request, it expects a “200” or “400” HTTP status code and a payload. If the C2 fails to respond with one of those codes, it will exit its main loop and terminate after 7 failed beacons.

Figure 4: Network traffic of GammaStager downloading multiple payloads

GammaLoadPlus

GammaLoadPlus is a VBS-based malware with two components that are obfuscated via string substitution and Base64 encoding. The first component is designed to establish persistence. It also contains two initial hardcoded values for the current C2 IP address as well as the Telegram channel ID for fallback. These values are initially stored in two files within the %TEMP% directory. The malware begins by storing itself in the %USERPROFILE% directory and creating a scheduled task with an unobtrusive name, “SmartScreenSpecific” in this case. The configuration executes the following command every 10 minutes (note that some options do not have a purpose and differ between samples):

wscript.exe <malware_path>   //b   /as/icb/ato /tif //e:vbscript

This will run the second component which is the backdoor. To resolve its C2 address, the observed variant can use Telegram, DNS via WMI pings or an HTTP request to CloudFlare (https://cloudflare-dns.com/dns-query) or Google DNS (https:/8.8.8.8/resolve). A payload received from the server is stored in a “.ini” file within the %APPDATA% directory. GammaLoadPlus decrypts it using a custom XOR-based algorithm and stores it with the “.exe” extension in the same directory. At the start of the next scheduled execution, the payload is executed via the WScript.Shell object.

GammaInstall & GammaSteel

GammaInstall is a short PowerShell script used as a loader for GammaSteel. It begins by downloading the GammaSteel payload, splitting it and writing it to disk with each fragment stored in a different .txt file inside a dedicated storage directory under %APPDATA%. All TXT files have the same hardcoded string name concatenated with an increasing integer to preserve their order. In this case, the list of files would look like this:

  • Dock0.txt
  • Dock1.txt
  • Dock2.txt
  • Dock3.txt
  • Dock4.txt
  • Dock5.txt
  • Dock6.txt
  • Dock7.txt

After dropping the split payload, GammaInstall creates a short PowerShell loader script to read and combine the split files of the payload again and execute it. The resulting script is written into a VBS launcher file and dropped to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.vbs for persistence. The payload is then executed manually by GammaInstall.

Figure 5: Deobfuscated GammaInstall script

The observed payload was identified as GammaSteel and has been in use over the past year to exfiltrate files from infected systems. Its behavior bears similarities to the QuietSieve malware family used by the same group in 2022. It is capable of stealing files by recursively scanning through connected USB devices and existing drive letters.

GammaSteel maintains a blocklist to exclude folders containing the following strings:

  • prog
  • log
  • windows
  • appdata
  • local
  • roaming

Files are chosen if they match one of the following extensions:

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .rtf
  • .odt
  • .txt
  • .jpg
  • .jpeg
  • .pdf
  • .ps1
  • .rar
  • .zip
  • .7z
  • .mdb

GammaSteel also maintains a database file storing the MD5 hash of all exfiltrated files and is used to prevent exfiltrating duplicates. The observed variant stored data in a .TXT file within %APPDATA% and used the hardcoded string “MZtxtMZdb00” as magic bytes for identification. Exfiltration is accomplished via HTTP POST requests.
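The two on-disk artifacts described above (the numbered payload fragments GammaInstall writes under %APPDATA% and the GammaSteel hash database that starts with “MZtxtMZdb00”) can be located and the fragments reassembled for analysis with a short triage script. The example below is added here and is not X-Force or Hive0051 code; the directory it scans and the fragment contents are constructed for the example, and the “Dock” prefix is only one of the names the actor may use, so the fragment pattern accepts any alphabetic prefix.

```python
# Added triage example (not the X-Force post's own tooling): walk a directory
# tree for the GammaInstall split-payload fragments (<prefix><N>.txt) and for
# .txt files carrying the GammaSteel database magic "MZtxtMZdb00".
import hashlib
import os
import re
import tempfile

FRAGMENT_RE = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<idx>\d+)\.txt$")
STEEL_DB_MAGIC = b"MZtxtMZdb00"  # magic bytes named in the post

def find_fragment_sets(root):
    """Group files named <prefix><N>.txt by directory and prefix.

    Returns {(dirpath, prefix): [(index, path), ...]} sorted by the integer
    index, so Dock10.txt follows Dock9.txt (a plain string sort would put it
    right after Dock1.txt and corrupt the reassembled payload).
    """
    sets = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = FRAGMENT_RE.match(name)
            if m:
                key = (dirpath, m.group("prefix"))
                sets.setdefault(key, []).append(
                    (int(m.group("idx")), os.path.join(dirpath, name)))
    for key in sets:
        sets[key].sort()
    # Only a set that starts at 0 with no gaps is a plausible split payload.
    return {k: v for k, v in sets.items()
            if len(v) > 1 and [i for i, _ in v] == list(range(len(v)))}

def reassemble(fragments):
    """Concatenate fragments in index order; return (payload, sha256 hex)."""
    payload = b"".join(open(p, "rb").read() for _idx, p in fragments)
    return payload, hashlib.sha256(payload).hexdigest()

def find_steel_databases(root):
    """Return .txt files whose first bytes are the GammaSteel database magic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if f.read(len(STEEL_DB_MAGIC)) == STEEL_DB_MAGIC:
                    hits.append(path)
    return sorted(hits)

def build_sample_appdata():
    """Create a throwaway tree imitating the artifacts (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    store = os.path.join(root, "Storage")
    os.makedirs(store)
    for i in range(11):  # 11 fragments so numeric vs. string ordering matters
        with open(os.path.join(store, f"Dock{i}.txt"), "wb") as f:
            f.write(f"<part{i}>".encode())
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(STEEL_DB_MAGIC + b"\r\nd41d8cd98f00b204e9800998ecf8427e\r\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"just a text file")
    return root

def triage(root):
    """Run both checks and return a plain dict a responder can act on."""
    report = {"fragment_sets": {}, "steel_databases": find_steel_databases(root)}
    for (dirpath, prefix), frags in find_fragment_sets(root).items():
        payload, digest = reassemble(frags)
        report["fragment_sets"][os.path.join(dirpath, prefix)] = {
            "count": len(frags), "sha256": digest, "payload": payload}
    return report

if __name__ == "__main__":
    r = triage(build_sample_appdata())
    for k, v in r["fragment_sets"].items():
        print(f"{k}: {v['count']} fragments, sha256 {v['sha256']}")
    print("GammaSteel databases:", r["steel_databases"])
```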

GammaLoad.PS

GammaLoad.PS is a PowerShell implementation of GammaLoad, which lives in the registry. The latest version does not support USB spreading anymore, but added support for .EXE payloads. At the start of the execution, the main script begins by dumping a loader script into a .PS1 file under %ALLUSERSPROFILE%, which is used by the scheduled task, and serves the purpose of loading and executing code stored in the registry. The main install script continues by writing each PowerShell function into a new subkey with a random name, below a hardcoded parent key – in this case, “HKCU:\Printers”. Finally, the script creates a scheduled task with the name of the “Win32_Bios” WMI-Object’s “Manufacturer” field. The task is configured to run after 1 minute following the install script and execute the following command every 180 minutes:

During execution, GammaLoad.PS maintains a file containing the currently used C2 server, which is populated through one of its C2-resolving capabilities, DNS or Telegraph. The malware then communicates with the “/api.php” endpoint. The malware is capable of handling 3 different payload types:

  1. Responses starting with the string “http” will cause a download from the corresponding URL. The second payload is then XOR-decrypted, stored in %TEMP%\<random_name>.exe and executed.
  2. Responses starting with the string “!” are split by the starting separator and executed as PowerShell commands.
  3. All other responses are decrypted, Base64-decoded and launched as VBScript payloads directly in memory.

GammaLoadLight.PS

This PowerShell variant contains the USB spreader code that has recently been removed from GammaLoad.PS. This allows it to spread to connected USB devices by dropping itself and a weaponized LNK file. It maintains persistence via the registry Run key and is stored within the %USERPROFILE% directory:

HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To resolve its C2 address, it supports both regular DNS with an apex domain as well as Telegram. After connecting to its server’s “/sleep.php” endpoint, it sends a hardcoded integer ID and expects a PowerShell script in return. It will replace a specific string in the payload response with its current C2 IP and execute the script.

Reverse shell

The last payload downloaded by GammaStager was a PowerShell-based reverse shell, allowing immediate hands-on keyboard access. It connects to a remote server on port 9511.

Figure 6: Reverse shell deployed by Hive0051

Infrastructure

X-Force has continued to study Hive0051 GammaLoad’s DNS fast flux infrastructure to deepen our understanding of the pace and scale at which the threat actor creates and rotates its domains. Looking at all GammaLoad domain registrations in 2023 through 2024, Hive0051 registered at least one domain (and oftentimes more) a little over every 4 days on average, and as of January 15th, over 500 GammaLoad C2 domains had active registrations and were resolving to Hive0051 infrastructure. In terms of how Hive0051 rotates these domains to different IP addresses, X-Force identified several clusters of GammaLoad C2 that generally “travel” together. Specifically, there are 4 clusters of GammaLoad C2 domains that use the VBS variant for subdomain generation, one cluster related to the PowerShell variant for subdomain generation and one cluster related to GammaSteel. Between these 6 clusters, X-Force observed GammaLoad resolve to over 1000 IP addresses over a 3 month period. As other vendors have noted, Global Internet Solutions (GIR – 207713) remains Hive0051’s most used hosting provider, with 83% of GammaLoad C2s showing up within 40 of GIR’s netblocks. X-Force has also observed heavy usage of Kaopu Cloud HK (138915) and the recently created Global Connectivity Solutions (GCS – 215540). The latter was registered on February 9, 2024, and shares domain registration, WHOIS data and website landing page similarities with GIR.

Both domains have also been registered in Russia. These similarities, in addition to Hive0051’s usage of both providers, may indicate a relationship between GCS and GIR. As of March 2024, 16% of Hive0051’s C2 IPs belonged to GCS. This may be a result of GIR’s higher ASN risk score, which would impact Hive0051’s operations if used for IP reputation-based blocking.

Aside from those providers, GammaLoad has also been observed resolving to 12 other ASNs, albeit at a much smaller scale:
  • 29182
  • 14061
  • 208951
  • 44477
  • 207651
  • 20473
  • 49505
  • 59504
  • 198610
  • 216071
  • 35278
  • 216139

The breakdown of the VBA clusters by domain count and possible malware associations can be seen below.

| Cluster Names | Rough Count | Malware Associations |
|---|---|---|
| VBA A | ~400 | GammaLoad.VBS |
| VBA B | ~20 | GammaStager, GammaLoadPlus_VBS |
| VBA C | ~10 | Unknown |
| VBA D | ~10 | Unknown |
| PS A | ~150 | GammaLoad_PS |
| STEEL A | ~20 | GammaSteel |

To demonstrate how frequently these different clusters rotate, below is a representative day in January 2024 showing the IP address resolutions for all the different clusters, with changes in resolutions noted in yellow.

As illustrated above, X-Force has observed GammaLoad VBA clusters A, B, C and PowerShell rotate several times in a single day while GammaLoad VBA cluster D and GammaSteel rotate once every day or two. Additionally, there is a consistent lull in rotations for all GammaLoad clusters from 18:00 UTC to 03:00 UTC every day, or 8:00 PM to around 5:00 AM local time in Ukraine, where the majority of GammaLoad infections have been observed.

Conclusion

Given their established mission space, X-Force assesses with high confidence that Hive0051 actors will continue to focus offensive operations against Ukraine and its allies. It is highly likely that Hive0051’s consistent fielding of new tools, capabilities and delivery methods facilitates an accelerated operations tempo. X-Force recommends that all in-theater entities and those associated with the defense of Ukraine remain current on the most recent Hive0051 trends and toolsets for the foreseeable future.


Technical recommendations

X-Force recommends all individuals and entities associated with the defense of Ukraine to remain in a heightened state of defensive security and to:

  • Exercise caution with phishing emails and attachments used by Hive0051
    • .XHTML
    • .HTA
    • .VBS
    • .PS1
  • Monitor for suspicious documents using remote template injection
  • Consider limiting the use of wscript.exe in your environment or closely monitoring activity
  • Monitor and block network traffic relating to known Hive0051 domains and IP addresses
  • Monitor for HTTP traffic with a “User-Agent” (nocase) header ending with a string: “<uppercase_hex_8_chars>;;/.<some_keyword>/.”
    • Example: user-agent: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) chrome/69.0.3497.81 safari/537.36;;JOHNS-PC_DEADBEEF;;/.jumper/.
  • Monitor network traffic for unusual or unsanctioned use of Telegram (http://t[.]me/s/*)
  • Monitor network traffic for unusual or unsanctioned use of public DNS over HTTP services
    • https://cloudflare-dns[.]com/dns-query
    • https:/8.8.8[.]8/resolve
  • Consider alerting on .TXT files starting with the string “MZtxtMZdb00” as a potential indicator of a GammaSteel execution
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization
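The User-Agent pattern and the Telegram/DNS-over-HTTPS resolver checks from the recommendations above can be turned into a small log scanner. The example below is added here and is not X-Force tooling; the log line layout (timestamp, source IP, quoted URL, quoted User-Agent) and the sample lines are constructed for the example, and the parser should be adapted to the proxy format in use.

```python
# Added detection example (not from the X-Force post): apply the User-Agent
# suffix pattern and the resolver-service checks from the recommendations
# to proxy log lines. Log layout and sample lines are constructed.
import re

# UA must END with: 8 hex chars, ";;/.", a keyword, "/.". The post marks the
# match "nocase", so the hex class is matched case-insensitively as well.
GAMMA_UA_RE = re.compile(r"[0-9A-F]{8};;/\.[^/\s]+/\.$", re.IGNORECASE)

# Services Gamma variants use to look up their current C2 (listed in the post).
RESOLVER_PATTERNS = {
    "telegram_channel": re.compile(r"^https?://t\.me/s/", re.IGNORECASE),
    "doh_cloudflare": re.compile(r"^https://cloudflare-dns\.com/dns-query", re.IGNORECASE),
    "doh_google": re.compile(r"^https?://8\.8\.8\.8/resolve", re.IGNORECASE),
}

# Constructed layout: <timestamp> <src ip> "<url>" "<user-agent>"
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<url>[^"]*)" "(?P<ua>[^"]*)"$')

def inspect_line(line):
    """Return a list of (rule, detail) hits for one log line."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return [("unparsed", line.strip()[:60])]
    hits = []
    ua, url = m.group("ua"), m.group("url")
    ua_match = GAMMA_UA_RE.search(ua)
    if ua_match:
        # the trailing token carries an 8-hex tag and a keyword
        hits.append(("gamma_user_agent", ua_match.group(0)))
    for name, pat in RESOLVER_PATTERNS.items():
        if pat.match(url):
            hits.append((name, url))
    return hits

def scan(lines):
    """Map each matching line number (1-based) to its hits; clean lines are omitted."""
    return {n: h for n, h in ((i, inspect_line(l)) for i, l in enumerate(lines, 1)) if h}

# Constructed sample log (not real captures). Line 1 reuses the post's example
# header; line 2 has a lowercase tag that still matches under nocase plus a DoH
# lookup; line 3 is an ordinary browser; line 4 has a hex tag but no keyword.
SAMPLE_LOG = [
    '2024-03-05T09:14:02Z 10.0.0.21 "http://example.invalid/index.php" '
    '"mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) '
    'chrome/69.0.3497.81 safari/537.36;;JOHNS-PC_DEADBEEF;;/.jumper/."',
    '2024-03-05T09:15:40Z 10.0.0.21 "https://cloudflare-dns.com/dns-query?name=example.invalid" '
    '"Mozilla/5.0;;WS01_0badf00d;;/.corner/."',
    '2024-03-05T09:16:11Z 10.0.0.33 "https://www.example.invalid/" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36"',
    '2024-03-05T09:17:45Z 10.0.0.40 "http://t.me/s/examplechannel" '
    '"Mozilla/5.0;;HOST_CAFEBABE;;"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

Line 4 shows the caveat: a hex tag alone is not enough, the rule needs the full “;;/.<keyword>/.” suffix, while the Telegram URL on the same line is still flagged by the resolver check.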

Indicators of Compromise

| Indicator | Indicator Type | Context |
|---|---|---|
| logitrap[.]ru | Domain | GammaLoad C2 |
| 62.133.62[.]118 | IPv4 | GammaLoad C2 |
| 62.133.62[.]120 | IPv4 | GammaLoad C2 |
| http://157.245.55[.]151/login.php | URL | Downloads GammaLoad.PS |
| http://157.245.55[.]151/getinfo.php | URL | Downloads GammaInfo |
| http://5.252.178[.]181/fun/cmd.txt | URL | Downloads ReverseShell |
| 157.245.55[.]151 | IPv4 | GammaInfo Exfil |
| kaelos[.]ru | Domain | GammaLoad C2 |
| https://206.189.188[.]38/contact | URL | Downloads GammaSteel |
| www.windingroad[.]ru | Domain | GammaSteel C2 |
| 167.99.104[.]97 | IPv4 | GammaSteel C2 |
| https://filetransfer[.]io/data-package/CWuEu3PW/download | URL | GammaSteel C2 |
| nutaral[.]ru | Domain | GammaLoad.PS C2 |
| https://telegra[.]ph/test-01-10-259 | URL | GammaLoad.PS C2 |
| 5.252.178[.]181:9511 | IPv4 | ReverseShell C2 |
| 55ec220d943c45834506bc4d78bfebdf880fc55c986ae247991e8e593fc2f08c | SHA256 | 2024 рік 02.01.2024р.doc |
| 874f5ac094327e5d0a5e78d5fe4870c7663e8a1e4ca9edf27ca3cd86128a8f84 | SHA256 | 15_26856850.doc |
| 9c6a6d73ea89f2891cf33fe47cdef721e9688c8154f967dad741794be085e48b | SHA256 | 11D5421C.doc |
| fcbe551b7f54fbbde6ec9abe2e26f3cd49d10d1cbe6094843199134d35adf347 | SHA256 | Розмістити_Підвищення кваліфікації.docінф 3ї.doc |
| f38382b2386fdd27dc1e131a66c2f7e0c57711c99014ba243c20746dd4ed5358 | SHA256 | Відділом нагляду за додержанням законів регіональним органом безпеки Херсонської обласної прокуратури узагальнено інформацію.hta |
| b716b4ec83656f245574bdc47f2e10db1661de81b8b4f25cbcde211e7da707dd | SHA256 | 1136_23-01-2024.rar |
| 138f167e28985f147be5d00a226612b508290ad344e682722d110d1de4effb65 | SHA256 | Untitled Lure Document |
| 93065044d096d7846323637a2a323343eef250c5561de3a05272ae61c4ac7ba5 | SHA256 | Супровід в прокурат_.doc |
| e5da40980c55932d3c4de0a4c82ce432a827d3a7e2309e37c53b448eceb9f881 | SHA256 | Щодо фактів вимагання коштів з боку співробітника Служби безпеки України.hta |
| f9015ba9d723bc9f3bfefa3b491b3b94a84cc8118beb89c3433d6dca7e79d461 | 7ZIP | Archive File |
