A hacker wants to keep its malware to stay on the target device, even when the operating system restarts. Do you know how it happens? It happens with the malware persistence techniques!
With malware persistence techniques, a hacker gets able to remain on the already compromised system. It turns out helpful for him to carry out denounced activities since he no longer needs to re-infect the system.
For now, our goal is to understand some usual malware persistence techniques used by the hacker. These techniques help a hacker to run malicious code with elevated privileges. So, let’s jump right into our today’s conversation.
During user login or system boot, a hacker can create shortcuts to execute a program. Using shortcuts is a way of referencing other programs or files. When someone executes or clicks the shortcut, the referenced files or programs execute.
When the system boots, hackers can execute DLLs (Dynamic-link library) by abusing authentication packages. Windows authentication package DLLs got loaded into the LSA (Local Security Authority) process at the system beginning. They offer support for multiple security protocols and logon processes to the OS (Operating System).
Security Support Provider
Hackers can exploit SSPs (security support providers) to run DLLs when the system boots. We know that Windows SSP DLLs got loaded into the LSA process at the system start. As soon as it’s loaded into the LSA, SSP DLLs maintain access to plaintext and encrypted passwords. Those passwords that get stored in Windows, such as smart card PINs or any logged-on domain password.
Maintaining access to victim systems is possible when hackers create an account. They use these accounts to establish secondary credentialed access through a sufficient level of access.
Hackers can abuse BITS (Background Intelligent Transfer Service) jobs to execute after malicious payloads tenaciously. Windows BITS is a low-bandwidth file-transfer procedure uncovered via COM (Component Object Model). File-transfer tasks are performed as BITS jobs comprising a queue of at least one file operation.
To ensure access to victim systems with malware persistence techniques, hackers can create a cloud account. Through an adequate level of access, creating such accounts is helpful. It establishes secondary credentialed access that might not need tenacious deployment of remote access tools on the system.
Manipulating accounts is another technique to maintain access to victim systems. Referring to any action that provides hackers access to a compromised account is account manipulation. It includes modifying permission groups or credentials.
The manipulating actions also include account activity planned to sabotage security policies. For example, a hacker implements continual password updates to surpass password duration policies and preserve the record of compromised credentials. The hacker needs to have appropriate permissions on systems to create or manipulate accounts.
Hackers can misuse browser extensions to have persistent access to systems. We install browser extensions directly or through an app store. Mostly, these extensions have access to all that the browser can get to.
Hackers also place a malicious program under the startup directory. During reboot or logon, creating a shortcut to the location pointed by subkey Startup can roll out the service. Startup location is defined both at the current user and local machine.
Malware persistence consists of techniques that bad guys use to maintain access to systems across restarts. However, there are ways to prevent it from happening. For example, you can block file writes to unusual places and specific folders which use limited file types. Additionally, you can reduce privileges and lockdown configuration files. For overcoming evolving cybersecurity threats, get cybersecurity advisory and consulting services.