The analysis of this multi-stage malware loader reveals a sophisticated and stealthy approach to evading detection, particularly targeting Endpoint Detection and Response (EDR) systems. Here's a breakdown of its key features:
Stage 1: Initialization and Anti-Debugging
Initialization Routine:
- The loader begins by setting up an advanced exception handling mechanism that intercepts and bypasses EDR hooks on system APIs.
- It creates a custom dispatcher to handle exceptions, allowing it to execute arbitrary code during the process of resolving API calls.
Anti-Debugging Techniques:
- Breakpoint Check: Before overwriting the default exception handler, Stage 1 checks if there's a breakpoint set at KiUserExceptionDispatcher. If detected, it crashes the process.
- Geo-Fencing: The loader excludes systems configured for languages commonly used in post-Soviet countries by checking system locale settings.
Stealthy API Resolution:
- Instead of resolving ntdll!LdrProtectMrdata directly, the loader uses a known exported function (RtlDeleteFunctionTable) as an anchor to locate and resolve it stealthily.
Stage 1 Unpacking Mechanism
The loader creates two views of a paging file-backed
Read the full article at Cisco Talos