Summary
- The malware creates a WNF (Windows Notification Facility) state name tagged “ViRo” and uses the allocated WNF objects to hold a hidden registry hive.
- Queries against that hive return valid data, but updates actually write the data into kernel memory.
- The malware creates a second WNF state name tagged “BFst” whose objects serve as a container for locating the ViRo objects later.
- To find its allocated WNF objects in memory, the malware iterates over all WNF objects and matches those with specific content, then releases them.
- The “BFst” objects are also used for counter-detection: objects with specific content are located and released.
- The malware writes a user-mode payload into kernel memory, likely as a step toward a privilege escalation attack.
- To achieve this, the malware overwrites part of the Microsoft WNF subsystem, specifically the IOP_XACTION_sco struct.
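The summary above describes WNF objects being used as a covert data store that is later found by content. The script below is an added example, not code from the article or from the malware: it uses the public ntdll WNF exports (NtCreateWnfStateName, NtUpdateWnfStateData, NtQueryWnfStateData, NtDeleteWnfStateName) to create a temporary state name, store a tagged blob in kernel-managed WNF data, read it back by matching the tag, and delete the name. The tag “EXMP”, the payload string and the prototypes written for Add-Type are assumptions made for this demo; the ViRo/BFst tags and the IOP_XACTION_sco overwrite from the article are not reproduced. It runs on Windows only and needs no special privilege because temporary state names are unprivileged.

```powershell
# Added example (not from the original article). Uses the documented
# user-mode WNF calls in ntdll.dll to stash and retrieve a tagged blob.
# Assumptions: tag "EXMP", payload text, and the P/Invoke prototypes below.

$src = @'
using System;
using System.Runtime.InteropServices;
public static class Wnf {
    // Prototypes follow the public reversing notes on the ntdll WNF exports.
    [DllImport("ntdll.dll")] public static extern int NtCreateWnfStateName(
        out ulong StateName, int NameLifetime, int DataScope, byte PersistData,
        IntPtr TypeId, uint MaximumStateSize, byte[] SecurityDescriptor);
    [DllImport("ntdll.dll")] public static extern int NtUpdateWnfStateData(
        ref ulong StateName, byte[] Buffer, uint Length, IntPtr TypeId,
        IntPtr ExplicitScope, uint MatchingChangeStamp, uint CheckStamp);
    [DllImport("ntdll.dll")] public static extern int NtQueryWnfStateData(
        ref ulong StateName, IntPtr TypeId, IntPtr ExplicitScope,
        out uint ChangeStamp, byte[] Buffer, ref uint BufferSize);
    [DllImport("ntdll.dll")] public static extern int NtDeleteWnfStateName(ref ulong StateName);
}
'@
Add-Type -TypeDefinition $src

# WNF_STATE_NAME_LIFETIME and WNF_DATA_SCOPE values used here.
$WnfTemporaryStateName = 3   # freed when the name is deleted or the system reboots
$WnfDataScopeMachine   = 4

# Self-relative security descriptor granting Everyone generic-all access;
# the kernel expects a descriptor when a new state name is created.
$rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor 'D:(A;;GA;;;WD)'
$sd  = New-Object byte[] $rsd.BinaryLength
$rsd.GetBinaryForm($sd, 0)

[ulong]$name = 0
$status = [Wnf]::NtCreateWnfStateName([ref]$name, $WnfTemporaryStateName, $WnfDataScopeMachine, 0, [IntPtr]::Zero, 4096, $sd)
if ($status -ne 0) { throw ("NtCreateWnfStateName failed: 0x{0:X8}" -f $status) }
"Created temporary WNF state name 0x{0:X16}" -f $name

# Blob layout (constructed for this demo): 4-byte tag followed by the payload.
$tag     = [System.Text.Encoding]::ASCII.GetBytes('EXMP')
$payload = [System.Text.Encoding]::ASCII.GetBytes('hello from WNF')
[byte[]]$blob = $tag + $payload
$status = [Wnf]::NtUpdateWnfStateData([ref]$name, $blob, [uint32]$blob.Length, [IntPtr]::Zero, [IntPtr]::Zero, 0, 0)
if ($status -ne 0) { throw ("NtUpdateWnfStateData failed: 0x{0:X8}" -f $status) }

# Read it back. BufferSize is in/out: capacity on entry, bytes returned on exit.
$buf = New-Object byte[] 4096
[uint32]$size  = $buf.Length
[uint32]$stamp = 0
$status = [Wnf]::NtQueryWnfStateData([ref]$name, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$stamp, $buf, [ref]$size)
if ($status -ne 0) { throw ("NtQueryWnfStateData failed: 0x{0:X8}" -f $status) }

# Locate by content: accept the data only if it carries our tag.
if ($size -ge 4 -and [System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -eq 'EXMP') {
    "Change stamp {0}: payload = '{1}'" -f $stamp, [System.Text.Encoding]::ASCII.GetString($buf, 4, $size - 4)
} else {
    "Tag not found in state data"
}

# Delete the name so the kernel releases the object and its data.
[void][Wnf]::NtDeleteWnfStateName([ref]$name)
```

The check on the 4-byte tag is the user-mode analogue of the content matching the summary attributes to the malware: the state name itself carries no label, so anything that wants to find the blob later has to recognise it by what it contains. Defenders looking for this pattern can take the same approach from the kernel side, since WNF state data is reachable from the kernel's name tables even when the user-mode creator is gone.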
By Alessandro Iandoli
Original Article